Axon Rapid Response - 3CX Desktop App Supply Chain Attack
Incident Report for Rapid Response Status Page
Resolved
Following the recently published supply chain attack affecting 3CXDesktopApp, Team Axon evaluated the risk and possible impact of potential exploitation.

Organizations are advised to uninstall the application until an update from 3CX is released, as suggested in the advisory shared by email to Axon customers.

The team performs threat hunting over Axon customers' environments to detect activity associated with this attack, and affected customers have been informed.

As always, you are welcome to contact the team for any further questions.
Team Axon
Posted Mar 30, 2023 - 18:27 UTC
Investigating
Team Axon is aware of the newly discovered supply chain attack on 3CXDesktopApp, a common voice and video conferencing software. The software is available for Windows, macOS, Linux, and mobile.

The affected versions according to 3CX are:
1. Electron Windows App shipped in Update 7, version numbers 18.12.407, 18.12.416.
2. Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, 18.12.416.

This multi-stage attack involves a trojanized version of 3CXDesktopApp that can be downloaded from the official website or pulled through an application update if it is already installed. The malicious installer loads additional DLLs and pulls .ico files hosted on GitHub that contain Base64-encoded domains, possibly in order to download the next payloads of the attack. The final payload has information-stealing functionality and can extract system information and login credentials from user profiles on popular web browsers like Chrome, Edge, Brave, and Firefox.

Team Axon recommends uninstalling the application until an update from 3CX is released, as suggested by 3CX in their forum: https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/

The team is performing retroactive hunting for activity associated with this attack over the last 3 months and will privately contact customers that are found to be affected as part of proactive threat hunting.

Yours,
Team Axon
Posted Mar 30, 2023 - 13:02 UTC
This incident affected: Rapid Response.
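
As an added example (not Team Axon's or 3CX's code), the following Python checks a retrieved .ico file for bytes beyond what its icon directory declares and decodes any Base64 runs found there, which is one way to triage the .ico files described in the report. It assumes the encoded data is appended after the image data, which the report does not specify; the sample icon and the domain `updates.example.invalid` are constructed.

```python
import base64
import binascii
import re
import struct

# Runs of 16+ Base64 characters; shorter runs are too noisy to be useful.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def ico_declared_end(data: bytes) -> int:
    """Return the offset where the last image declared in the ICO directory ends."""
    if len(data) < 6:
        raise ValueError("too short for an ICONDIR header")
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count  # header plus one 16-byte ICONDIRENTRY per image
    if len(data) < end:
        raise ValueError("truncated icon directory")
    for i in range(count):
        # bytesInRes and imageOffset sit 8 bytes into each directory entry
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return end

def trailing_base64(data: bytes) -> list[bytes]:
    """Decode Base64 runs found after the declared image data (assumed location)."""
    tail = data[ico_declared_end(data):]
    decoded = []
    for match in B64_RUN.finditer(tail):
        run = match.group()
        if len(run) % 4:
            continue  # not a complete Base64 string
        try:
            decoded.append(base64.b64decode(run, validate=True))
        except binascii.Error:
            pass
    return decoded

# Constructed sample: one 16x16 entry with 40 placeholder image bytes.
IMG = bytes(40)
CLEAN = (struct.pack("<HHH", 0, 1, 1)
         + struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(IMG), 22)
         + IMG)
SAMPLE = CLEAN + base64.b64encode(b"updates.example.invalid")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("sample", SAMPLE)):
        print(name, len(blob) - ico_declared_end(blob), trailing_base64(blob))
```

Any non-zero count of trailing bytes on an icon fetched by a desktop application is worth a closer look, whether or not it decodes to readable text.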