security advisory 3cx desktop app

Security Advisory: 3CX Desktop App

Updated 12/4/23 following announcements from 3CX.

3CX has confirmed a critical security issue with the 3CX Desktop Application in the Electron Windows app shipped in Update 7, available for Windows and Mac OSX.

Users are recommended to uninstall the affected application and use the 3CX Web Client instead. Here’s what you need to know about the security issue and what you should do.

What is happening?

On Thursday, 30/03/2023 CrowdStrike, a cybersecurity firm, published information about the malicious activity being observed from the 3CX Desktop Application. 3CX subsequently confirmed the issue in a post, stating that their Electron Windows app shipped in Update 7, version numbers 18.12.407 & 18.12.416, included a severe security issue.

Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 have also been affected.

In response, 3CX has appointed Mandiant, an American Incident & Forensics cybersecurity firm, to investigate the incident and 3CX releasing an updated version of the Desktop application.

Today (12/4/23) The Chief Information Security Officer (CISO) of 3CX, Pierre Jourdan, has released initial results of the investigation conducted by Mandiant, the security incident response team, after the intrusion and supply chain attack on 3CX.

According to the report, the cluster named UNC4736, which has a North Korean nexus, was responsible for the attack. The attacker used TAXHAUL malware to infect targeted Windows-based 3CX systems.

Mandiant also found a MacOS backdoor named SIMPLESEA located at /Library/Graphics/Quartz. The attacker used DLL side-loading to achieve persistence for TAXHAUL malware and used azureonlinecloud.com, akamaicontainer.com, journalide.org, and msboxonline.com for command and control infrastructure.
That report can be found here: https://www.3cx.com/blog/news/mandiant-initial-results/

What should I do?

 It’s highly recommended that users uninstall the affected application (Windows version numbers 18.12.407 & 18.12.416 and Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416) and use the 3CX Web Client instead.

 The affected application is named 3CX Desktop App and will appear as below:

3cx security

There may be some confusion, as a lot of clients are still using an older application which is not affected, called 3CXPhone for Windows. This application appears similar to the 3CX Desktop App as shown below.

3cx phone

The 3CX Web Client has the exact same interface as the affected application, so there should be minimal impact on user experience or training in switching. The only functions not available in the PWA are BLF buttons, hotkeys, and a removable dialer, though 3CX has committed to releasing this in an upcoming update.

3cx app
  1. Login to the Web Client
  2. You have two options:
    1. Click on the OS icon below the user avatar. A new dialog will open, select “Web App (PWA)” and then hit the “Install” button.
    2. OR click on the “Install button” (A screen with an arrow) located in the address bar and confirm. See the icon circled red in the screenshot.
  3. To set the app to auto start:
    1. On Google Chrome: Open your Chrome browser and type ‘chrome://apps’ into the address bar. Right click on “3CX” and enable “Start app when you sign in”.
    2. On Microsoft Edge: On Edge, select to Auto-start in the dialog that appears after installation.

You can read more in the 3CX Web Client user manual.

NOTE: PWA only works on Google Chrome and Microsoft Edge – not on Safari or Firefox

The web address and login credentials for this are provided to all users in a 3CX Welcome Email.

If you need new copies of this sent out, please contact our service desk at: support@lightwirebusiness.com, 0800 534 567, or 1300 016 678.

What is Lightwire doing?

Our team has taken proactive measures to ensure the security of our hosted 3CX instances. We recently completed a program of staggered updates to 3CX Version 18 Update 6, while Update 7 was released around the 22nd of March. While some instances had updated on Monday morning, most of our hosted instances had not yet updated to that new update.

To ensure the security of our customers’ data and systems, we have stopped automatic updates on our hosted 3CX instances. Additionally, we have scanned all instances for the affected application to ensure that the affected version is not inadvertently downloaded.

On Thursday, 30/3/2023, we notified the customer via our alerting systems (illume, status page, and email). Emails were sent to the technical contacts listed for the service, and we also published an earlier version of this blog to inform our customers of the situation.

Moreover, we have taken further steps to ensure the safety of our customers’ data by checking registered extensions with the known compromised application, extending our Support team hours, and proactively calling those customers and/or their IT providers to take action.

At this stage, we plan to hold auto updates and leave the V18U6 instances on that version until more information is available.

3CX has released a new version of the app (18.12.425), which has been cleared of all security threats. As of now, Chrome allows the download of this version (there were some issues with Chrome blocking the download). Nonetheless, we cannot guarantee that other antivirus software won’t block it.

We can confirm that when we start pushing the majority of our hosted instances from update 6 to update 7, they will have the “safe” version of the app pulled to them.

We are currently working to ensure that the 425 version is available on the Update 7 instances. It is worth noting that these instances previously had version 422, which had a blocked certificate but was considered the previous “safe” version.

Despite the availability of the updated desktop app, we want to remind our customers that 3CX still recommends using the Web App (PWA) instead of the desktop application. This is due to security concerns, and we want to ensure that our customers are taking proactive measures to keep their systems secure.

3CX released a post about securing the console of our hosted PBXs, and we would like to confirm that every single one of our hosted instances has its own unique and ultra-strong password. We’re not taking any chances with your security!

Our team continuously monitors updates from both 3CX and our security vendors and will provide more detail as it comes to light.

If you need any assistance or have further questions, please get in touch with our service desk.

We are committed to keeping our customers’ data and systems secure and will continue to take proactive measures to ensure their safety.

Recent Posts

Embargo period 2024-2025

Local Fibre Companies (LFCs) will be implementing a level of change restriction on some parts of their network environment over the 2024-25 Christmas holiday period.

Read More »

3CX v20 – New Features Update

After a 3CX v20 system upgrade, you may notice features that are different from what you’re used to. We’ve put together a summary of some main changes and improvements, in Version 20.

Read More »

Voice Ordering Tool

With the release of our new voice plans, we’ve also updated our voice ordering tool in illume. See our step-by-step guide to placing a new voice order quickly and easily.

Read More »

Listen to the podcast