Advisory Alert: All About the 3CX Desktop App Attack

Our Threat Intelligence Team has discovered approximately 70,000 instances potentially exposed to a dangerous vulnerability in the 3CX Desktop App currently being exploited by threat actors. Learn how it could impact your company and how to respond in case adversaries leveraged this vulnerability to enter your organization.
3CX Desktop App Attack Advisory Alert Feature

Table of Contents

The security community recently discovered a dangerous vulnerability in a common communications suite’s desktop app which is currently being exploited by threat actors. Through a 3CX Desktop App attack, threat actors can embed malicious code into legitimate binaries, granting an entry point to the entire network. Our Threat Intelligence Team has discovered approximately 250,000 potentially exposed instances exposed on the internet, including 70,000 in the Americas alone. Given the severity of the risk, security operators that suspect that their networks might be exposed to this attack should take immediate action.

Identifying a 3CX Desktop App Attack in Your Organization

Fortunately, Lumu helps you detect whether your network was breached by an attacker leveraging the 3CX Desktop App Vulnerability. Here’s how you can do it by checking the Compromise View in the Lumu Portal and looking for indicators of compromise (IOCs).

  1. Go to Incidents
  2. Filter by IoC from the list or with the keyword “3CX”
  3. Determine how many endpoints are in contact with the IoCs from the lists
  4. Apply the recommendations provided below
3CX desktop app attack mitigation with Lumu

List of IOCs Related to 3CX Desktop App Vulnerabilities

  • msstorageazure[.]com
  • officestoragebox[.]com
  • visualstudiofactory[.]com
  • azuredeploystore[.]com
  • msstorageboxes[.]com
  • officeaddons[.]com
  • sourceslabs[.]com
  • zacharryblogs[.]com
  • pbxcloudeservices[.]com
  • akamaitechcloudservices[.]com
  • azureonlinestorage[.]com
  • msedgepackageinfo[.]com
  • glcloudservice[.]com
  • pbxsources[.]com
  • pbxphonenetwork[.]com
  • sbmsa[.]wiki
  • www[.]journalide[.]org
  • Dunamistrd[.]com
  • azureonlinecloud[.]com
  • akamaicontainer[.]com
  • qwepoi123098[.]com 

How to Mitigate the Impact of a 3CX Desktop App Attack

Our threat intelligence team suggests performing the following actions:

  • First, uninstall the 3CX Desktop application. Use the App-like Web (PWA) client instead.
  • Determine if any of the devices on your network has been or is currently in contact with adversaries leveraging 3CX Desktop App vulnerabilities.
  • Perform eradication tasks on endpoints or devices identified as compromised.
  • In 2023 our Threat Intelligence Team is forecasting to see more supply chain attacks like this. With that in mind, make sure you have a Continuous Compromise Assessment® practice across all your third-party providers so you can stop these attacks on time.
  • Contact any of our specialists in case you have any questions on how to respond to this threat. 

Stay Ahead of Disruptive Incidents Affecting Your Operations

Remember that cybersecurity attacks—especially ransomware attacks—do not happen randomly. Catastrophic cybersecurity incidents start by exploiting vulnerabilities, like those used in the 3CX Desktop App Attack, for initial access so they can move through the network, escalating privileges, until they can deploy a catastrophic attack. Continuously monitoring anomalous behaviors of devices connected to your network will give you the ability to stop them in time. A compromised network exhibits unusual patterns, which is why it’s crucial to leverage the power of your network metadata to gain visibility into your network’s behavior. Open your Lumu Free Account now.

Subscribe to Our Blog

Get the latest cybersecurity articles and insights straight from the experts.

Share this post

RELATED POSTS

Culture

Why I’m Taking Off With Lumu

Reading Time: 2 minsLuis Quiñones has joined Lumu Technologies after more than a decade in various roles at Cisco North America. Here’s why he’s on board with us.

MOVEit vulnerability feature
Attacks

MOVEit Vulnerability: Active Exploitation by CL0P Ransomware

Reading Time: 3 minsThe recently discovered MOVEit vulnerability is an actively exploited zero-day threat, which is leading to significant breaches in large and critical enterprises. Gain insight into the nature of this vulnerability, its exploitation by the CL0P Ransomware Group, who is at risk, and the necessary remedial measures to be taken.

Join our pre-day 
workshop waitlist

  • By clicking “Submit Request” you agree to the Lumu Terms of Service and Privacy Policy.