ThreatLocker has received new information regarding the potential compromise of the 3CX desktop application. 3CX CEO Nick Galea has confirmed the reports of the compromise of the 3CX desktop application are true.
Preliminary reports show this multi-stage attack uses a signed 3CX MSI file to extract two malicious DLL files. The 3CXDesktopApp.exe itself does not appear to be malicious. These malicious DLLs are responsible for delivering the payload. ThreatLocker continues to monitor this dynamic situation and will update as new information is available.
Organizations operating on a default deny philosophy are protected regardless of whether trusted software is compromised: no application can launch other software or execute malware, including malicious DLLs, unless that software or file has been explicitly permitted. For ThreatLocker customers with a secured environment, this payload DLL should not be able to execute.
ThreatLocker has also removed the confirmed compromised files from the 3CX (Built-In) application, so these files will not be allowed as a result of using the 3CX (Built-In) application definition.
For our non-secured customers and customers using a custom 3CX application definition, ThreatLocker has identified the files that have been reported as being compromised and created a new built-in application named “3CX [Reported] (Built-In)” that contains those files.
Users can create a deny policy for this “3CX [Reported] (Built-In)” application and place it above their current 3CX policy. This built-in application will block all executables belonging to the potentially compromised versions of the 3CX desktop application, 18.12.416 and 18.12.407. If either of these versions is installed, the new built-in application will stop the 3CX application from executing.
ThreatLocker also recommends that users Ringfence their current 3CX application, so it doesn’t have access to more than it needs—block access to read and write files and block access to the internet. Users will then need to add their own exclusions for their domain(s), which can be located in the 3CX web console.
As a best practice, ThreatLocker suggests users continually evaluate their allow list, removing unneeded and unused policies, and applying Ringfencing to every application possible, only permitting each application access to what it needs and nothing more.
For assistance with applying Ringfencing to the 3CX application, our Cyber Hero Team is available 24/7.