3CX, a popular phone and video chat platform, recently fell victim to a supply chain attack. If you currently use this system or know someone who does, please look at the links below from 3CX and Reddit.
Like the SolarWinds attack, the malware was inserted into a software update that many customers downloaded. 3CX has reportedly pulled the update, but network owners and operators should take the following precautions immediately.
- Make sure you have a good EDR solution in place. It will detect the malware and block execution if it attempts to run.
- Identify quickly what devices in your organization have the 3CX software installed.
- As a precaution, it might make sense to re-image these devices.
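The second precaution, identifying which devices carry the 3CX software, is the one that scales poorly when done by hand. The following is an added example, not code from 3CX or from this advisory: a read-only PowerShell inventory for a Windows endpoint. It assumes the Desktop App registers itself under the standard Uninstall registry keys and that its process name begins with "3CX"; push it through whatever endpoint-management tool you already use and collect the JSON.

```powershell
# Added example: inventory one Windows endpoint for an installed or running 3CX Desktop App.
# Assumptions (not from the advisory): the app appears under the standard per-machine or
# per-user Uninstall keys, and its process name starts with "3CX". Read-only; changes nothing.

function Get-3CXInventory {
    [CmdletBinding()]
    param()

    # HKCU only covers the user running the script; per-user installs by other accounts
    # need a pass over HKU or a run in each user's context.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Installed copies: match on the product name, keep version and path for triage.
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*3CX*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation, InstallDate

    # Running copies: a process still executing matters even if the package was removed.
    $running = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '3CX*' } |
        Select-Object Id, Name, Path

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = @($installed)
        Running      = @($running)
        Affected     = [bool]($installed -or $running)
        CheckedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
}

$result = Get-3CXInventory
# One JSON document per host, so results can be gathered centrally and filtered on Affected.
$result | ConvertTo-Json -Depth 3
if ($result.Affected) {
    Write-Warning "3CX found on $($result.ComputerName); isolate or re-image per the advisory."
}
```

Hosts that report Affected = true are the ones to prioritise for the EDR hunt and, if you choose to, the re-image.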
Statement from 3CX – 3CX DesktopApp Security Alert | 3CX Forums
Reddit Post – 3CX likely comprised, take action. : msp (reddit.com)
Updated Links as of 3/30/2023 12:02 Eastern
AlienVault OTX IOCs – CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers – AlienVault – Open Threat Exchange
CISA Alert – Supply Chain Attack Against 3CXDesktopApp | CISA
Secure Cyber Defense Customer Information – as of 3/30/2023 at 12:08pm Eastern
If you are a Secure Cyber Defense managed SOC customer, the following has already occurred in your environment. No action is needed on your part at this point.
- We continue to threat hunt in EDR regularly. IOCs are still coming in, so we won't be able to close the incident until the flow slows down.
- We are starting the historic review now. For customers with SIEM through us or managed firewalls using FortiAnalyzer, we are hunting historically now.
- We can isolate devices if needed (we've already had to do that), so if something IS found, we can contain it.
- If we saw 3CX in your environment, you’ve already been contacted.
SCD customers have 24/7/365 access to our SOC here in Moraine, Ohio. You can reach us at 937-388-4405 at any time.
Update: 3/31/2023 3:56 Eastern. This event has been officially closed and remediated.