Active intrusion campaign targeting 3CXDesktopApp
On March 29, 2023, cybersecurity specialists observed suspicious behaviors of the 3CXDesktopApp desktop application from 3CX. The suspicious behaviors included but were not limited to:
- Downloading malware from the legitimate 3CXDesktopApp application.
- Hands-on-keyboard activity by an attacker.
On March 30, 2023, a CVE was assigned to the exploited vulnerability (CVE-2023-29059).
Impacted 3CXDesktopApp versions
Upon further analysis, these unusual behaviors were found to be malicious. Further investigations determined that several versions of the 3CXDesktopApp desktop application had been compromised, without the knowledge of their publisher 3CX. The compromised versions are:
- 3CXDesktopApp for Windows - versions 18.12.407 and 18.12.416;
- 3CXDesktopApp for Mac - versions 18.11.1213, 18.12.402 and 18.12.416.
Consequences of the attack
The main reported consequence of this compromise is the theft of system and browser information, including web browsing history. Access to passwords stored in web browsers is also suspected.
Mitigation measures
If you are using an impacted 3CXDesktopApp version, it is recommended to immediately apply the following measures:
- Isolate all impacted systems
- Uninstall the application
- Block all indicators of compromise (IOC) of the attack (see list below).
How to identify if you have been impacted
Check your firewall for outbound communications from your network to the following domain names (indicators of compromise of the attack / IOC). Immediately isolate any machine that has established a communication to one of these domains. Examples:
- azuredeploystore[.]com
- azureonlinecloud[.]com
- azureonlinestorage[.]com
- dunamistrd[.]com
To view the global list of indicators of compromise, please refer to the section List of Indicators of Compromise.
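The two checks above (is an installed build one of the impacted versions, and has any internal host talked to an IOC domain) as an added example, not code from the advisory or from 3CX. It assumes a hypothetical firewall log format of the form `<timestamp> src=<ip> dst_host=<host> action=<allow|deny>`; the sample log lines are constructed, and the IOC set holds a subset of the domains published in this advisory, defanged as printed.

```python
import re
from collections import defaultdict

# Impacted builds exactly as listed in the advisory, keyed by platform.
IMPACTED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.416"},
}

# Subset of the advisory's IOC domains, kept defanged ("[.]") as published.
IOC_DOMAINS_DEFANGED = [
    "azuredeploystore[.]com", "azureonlinecloud[.]com", "azureonlinestorage[.]com",
    "dunamistrd[.]com", "msstorageazure[.]com", "officestoragebox[.]com",
]

def refang(domain):
    """Turn a defanged 'example[.]com' back into 'example.com' for matching."""
    return domain.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def is_impacted(platform, version):
    """True if this platform/version pair is one of the compromised builds."""
    return version in IMPACTED_VERSIONS.get(platform.lower(), set())

def host_matches_ioc(host):
    """Match the IOC domain itself or any subdomain of it, never a mere suffix
    (so 'notdunamistrd.com' does not match 'dunamistrd.com')."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)

# Constructed sample log in the assumed format (hypothetical, not real traffic).
SAMPLE_LOG = """\
2023-03-29T10:01:12Z src=10.0.5.21 dst_host=update.3cx.com action=allow
2023-03-29T10:02:40Z src=10.0.5.21 dst_host=azuredeploystore.com action=allow
2023-03-29T10:03:05Z src=10.0.7.9 dst_host=cdn.MSSTORAGEAZURE.com action=allow
2023-03-29T10:04:30Z src=10.0.8.3 dst_host=notdunamistrd.com action=allow
2023-03-29T10:05:00Z src=10.0.9.1 dst_host=dunamistrd.com action=deny
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst_host=(?P<host>\S+)\s+action=(?P<action>\S+)")

def hosts_to_isolate(log_text):
    """Return {source_ip: sorted IOC hosts it tried to reach}. A denied attempt is
    still counted: the attempt itself shows the implant is running on that machine."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and host_matches_ioc(m["host"]):
            hits[m["src"]].add(m["host"].lower())
    return {src: sorted(hosts) for src, hosts in hits.items()}
```

Feed the full domain list from the section below into `IOC_DOMAINS_DEFANGED` and point `hosts_to_isolate` at your real firewall or DNS export; every source IP it returns is a machine to isolate.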
What we have done for existing Streamscan MDR customers
- As soon as they were known, the attack's indicators of compromise were injected into Streamscan's CDS cyber threat detection technology.
- If you use Streamscan's CDS technology or our MDR Streamshield security monitoring service, you are protected.
- We keep our level of vigilance in monitoring your network.
How can Streamscan help you?
Cyber attacks are exploding all the time. Without continuous security monitoring, you are completely blind to the attacks targeting you. You can't defend against what you can't see.
Let us put our eyes on your network. Join our MDR service (Streamshield) powered by our CDS cyber threat detection technology and keep yourself safe from cyberattacks.
Contact us at +1 877 208-9040 or talk to one of our experts.
List of Indicators of Compromise