First Version Published @ 08:30 on 31/03/2023
Updates indicated in the text below.
This news broke late yesterday, and a handful of devices at some of our customers' sites may be affected.
The 3CX desktop client (the software some customers use instead of, or to supplement, a physical desk phone) has been inadvertently bundled with a trojan. At the time of writing the affected versions appear to be:
- Windows App 18.12.407
- Windows App 18.12.416
- Mac App 18.11.1213
- Mac App 18.12.402
- Mac App 18.12.407
- Mac App 18.12.416
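The quickest way to answer "do we have one of these builds anywhere?" across a Windows estate is a script pushed out through the RMM. The following is an added example, not code from the original post or from 3CX. It assumes (unconfirmed by the post) that the app registers an Uninstall entry whose DisplayName contains "3CX" with a DisplayVersion in the same "18.12.407" form as the list above, and that per-user installs place 3CXDesktopApp.exe under each profile's AppData\Local\Programs\3CXDesktopApp folder; adjust those two assumptions if your installs differ.

```powershell
# Added example, not code from the original post or from 3CX: report any installed
# 3CX Desktop App on a Windows host and flag the Windows builds listed in the advisory.
# Assumptions (not confirmed by the post): the app's Uninstall entry has a DisplayName
# containing "3CX" and a DisplayVersion in the same "18.12.407" form as the list above;
# per-user installs place 3CXDesktopApp.exe under each profile's AppData\Local\Programs.

$AffectedWindows = @('18.12.407', '18.12.416')
# The Mac builds from the advisory, kept here for reference only; this script checks Windows.
$AffectedMac = @('18.11.1213', '18.12.402', '18.12.407', '18.12.416')

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # only the running user's installs
)

function Get-3CXDesktopAppStatus {
    $results = @()

    # 1. Registry Uninstall entries (machine-wide installs plus the running user's own install)
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*3CX*' -and $_.DisplayVersion } |
        ForEach-Object {
            $v = $_.DisplayVersion.Trim()
            $results += [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Source       = 'Registry'
                Name         = $_.DisplayName
                Location     = $_.InstallLocation
                Version      = $v
                Affected     = ($AffectedWindows -contains $v)
            }
        }

    # 2. Per-user install folders, so a scan run as SYSTEM (e.g. from an RMM agent)
    #    still sees copies installed by users who are not logged on (path is an assumption)
    $pattern = Join-Path $env:SystemDrive 'Users\*\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe'
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $v = $_.VersionInfo.ProductVersion
        if ($v) { $v = $v.Trim() }
        $results += [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Source       = 'FileSystem'
            Name         = $_.Name
            Location     = $_.DirectoryName
            Version      = $v
            Affected     = ($AffectedWindows -contains $v)
        }
    }

    return $results
}

$status = Get-3CXDesktopAppStatus
if (-not $status) {
    Write-Output "$($env:COMPUTERNAME): no 3CX Desktop App found"
}
else {
    $status | Format-Table -AutoSize
    if ($status | Where-Object { $_.Affected }) {
        Write-Warning "$($env:COMPUTERNAME): an affected 3CX Desktop App build is installed. Isolate the device and uninstall, per the vendor guidance."
    }
}
```

The registry pass alone is not enough when the script runs as SYSTEM, because HKCU then belongs to the SYSTEM account and per-user installs by ordinary staff are invisible; that is why the second pass walks every profile folder. Treat a version that is not in the affected list as "not known to be affected" rather than "clean": the advisory list was still being revised at the time of writing.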
We are currently assessing the situation and will be in touch with affected customers shortly.
UPDATES & NOTES
- As of 9:25 this morning we have identified that most customers do NOT have the trojanised version installed and so are theoretically NOT at risk.
- Out of over 300 potentially affected systems we support, only one device at one site has an affected version, and of course we have made contact to address this.
- Customers that take up our RMM Web Protection service have an additional layer of protection, so even if you had this trojanised version installed, those systems are less likely to have leaked any data.
- We have always recommended use of a physical desk phone as opposed to a software app and headset. Such devices are unaffected by these types of attacks.
- Our suppliers are recommending "uninstalling any apps on these versions and if users are on an old one then to not update. It might even just be better to uninstall all completely for now."
- At IT Norwich Ltd, only four of our systems had the 3CX Desktop software installed, and in all cases it was version 18.10.x, so our systems are not exposed to this risk, though as a precautionary measure staff have been told to remove the software from their systems. As we use proper desk phones, our ability to take calls is unaffected.
- UPDATE 03/04/2023: Despite the version of the 3CX Desktop App in use at one site being an allegedly unaffected version, AVG Internet Security Business Edition detected Updater.exe and other parts of the program as a threat. This resulted in AVG quarantining the 3CX Desktop App, which from a user's perspective caused it to "disappear". We also saw similar behaviour with Microsoft Defender at another site. Rather than create an exception in the AVG policy (which would take time to propagate to client devices), we took the decision instead to move to the Web App (which is different from the Web Client).
WHAT IS A TROJAN?
In computing, a Trojan (short for Trojan horse) is a type of malicious software designed to look harmless or useful while actually carrying out unauthorised and harmful actions on a computer system.
Trojans are often disguised as legitimate software or files, and can be downloaded unknowingly from websites, emails or file-sharing networks. Once installed, a Trojan can steal sensitive data, modify or delete files, install additional malicious software, or allow a remote attacker to take control of the compromised system.
Unlike viruses, Trojans do not self-replicate or spread to other computers on their own. They usually rely on social engineering to trick users into downloading and installing them. Trojans can be difficult to detect and remove, as they often operate stealthily and may use encryption or obfuscation to evade antivirus software.
In this case no trickery of the user was needed: the Trojan was added to legitimate software as part of a supply chain attack. In this type of attack, the Trojan is inserted into a trusted software package during the development or distribution process, before it reaches end users. When the Trojanised software is installed, the Trojan is installed with it, giving the attackers access to sensitive data or control over the compromised machines. A user who did everything right, installing the vendor's own build from the vendor's own channel, was still exposed.
Supply chain attacks are becoming increasingly common and can be difficult to detect, because the Trojan is hidden inside a legitimate package and may not exhibit any suspicious behaviour until the attackers activate it. This type of attack can affect not only individual users but also organisations and government agencies that rely on software from trusted vendors. To mitigate the risk, vendors need to maintain strict security standards throughout the software build and distribution process, and both vendors and customers should use code signing and integrity checks to detect unauthorised modifications to software packages. One caveat: a signature only proves that the vendor's signing key was used, so if the compromise happens inside the vendor's build process before signing, the signed package will still look legitimate. Comparing the file's hash against a value the vendor publishes through a separate channel, and watching for unexpected network activity from the application, are the checks that remain useful in that situation.
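What an integrity check looks like in practice, as an added example that is not code from the original post or from 3CX: the function below checks a downloaded package two ways, comparing its SHA-256 with a value obtained out of band (the vendor's advisory page, or a second channel) and reading its Authenticode signature. A valid signature proves only that the signer's key was used; it cannot show that the build which was signed was clean, so the independent hash comparison is the check that still works when a vendor's own pipeline has been compromised. It assumes the expected hash is supplied by the operator from a trusted source; the sample file is constructed here purely to exercise the function.

```powershell
# Added example, not code from the original post or from 3CX: verify a downloaded
# package two ways before installing it. (1) Compare its SHA-256 with a value obtained
# out of band (vendor advisory page, a second channel), and (2) check its Authenticode
# signature. A valid signature proves only that the signer's key was used; it cannot
# show that the build which was signed was clean, so the independent hash comparison
# is the check that still works when a vendor's own pipeline is compromised.
# Assumption: $ExpectedSha256 is supplied by the operator from a trusted source.

function Test-PackageIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hashOk = ($actual -ieq $ExpectedSha256)
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Hash mismatch always wins: a valid signature on the wrong bytes is still the wrong bytes.
    $verdict = if (-not $hashOk)                { 'HASH MISMATCH - do not install' }
               elseif ($sig.Status -ne 'Valid') { "Hash OK but signature status is $($sig.Status)" }
               else                             { 'OK' }

    [pscustomobject]@{
        Path            = $Path
        ExpectedSha256  = $ExpectedSha256.ToUpper()
        ActualSha256    = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = $signer
        Verdict         = $verdict
    }
}

# Constructed demonstration (not a real 3CX file): an empty file has the well-known
# SHA-256 e3b0c442...b855. Writing a single byte into it produces a completely
# different hash, which is what a tampered package looks like next to the vendor's
# published value, whether or not the tampered file carries a signature.
$Sample      = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-package.bin'
$EmptySha256 = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

# Run 1: file content matches the published value (unsigned, so the verdict notes the status)
[System.IO.File]::WriteAllBytes($Sample, [byte[]]@())
Test-PackageIntegrity -Path $Sample -ExpectedSha256 $EmptySha256 | Format-List

# Run 2: one byte changed, hash no longer matches
[System.IO.File]::WriteAllBytes($Sample, [byte[]](0x41))
Test-PackageIntegrity -Path $Sample -ExpectedSha256 $EmptySha256 | Format-List

Remove-Item -Path $Sample -ErrorAction SilentlyContinue
```

To use it on a real installer, take the expected hash from the vendor's advisory or a second source you trust rather than from the same page or e-mail that delivered the download, and treat "Hash OK but signature status is ..." as a prompt to look closer rather than as a pass: an unsigned or mis-signed build from a vendor that normally signs is itself a warning sign.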
FURTHER INFORMATION
https://www.3cx.com/blog/news/desktopapp-security-alert/
https://www.3cx.com/blog/news/desktopapp-security-alert-updates/
https://www.theregister.com/2023/03/30/communications_software_vendor_3cx_hit/