The security community recently discovered a dangerous vulnerability in a common communications suite’s desktop app which is currently being exploited by threat actors. Through a 3CX Desktop App attack, threat actors can embed malicious code into legitimate binaries, granting an entry point to the entire network. Our Threat Intelligence Team has discovered approximately 250,000 potentially exposed instances exposed on the internet, including 70,000 in the Americas alone. Given the severity of the risk, security operators that suspect that their networks might be exposed to this attack should take immediate action.
Identifying a 3CX Desktop App Attack in Your Organization
Fortunately, Lumu helps you detect whether your network was breached by an attacker leveraging the 3CX Desktop App Vulnerability. Here’s how you can do it by checking the Compromise View in the Lumu Portal and looking for indicators of compromise (IOCs).
- Go to Incidents
- Filter by IoC from the list or with the keyword “3CX”
- Determine how many endpoints are in contact with the IoCs from the lists
- Apply the recommendations provided below
List of IOCs Related to 3CX Desktop App Vulnerabilities
- msstorageazure[.]com
- officestoragebox[.]com
- visualstudiofactory[.]com
- azuredeploystore[.]com
- msstorageboxes[.]com
- officeaddons[.]com
- sourceslabs[.]com
- zacharryblogs[.]com
- pbxcloudeservices[.]com
- akamaitechcloudservices[.]com
- azureonlinestorage[.]com
- msedgepackageinfo[.]com
- glcloudservice[.]com
- pbxsources[.]com
- pbxphonenetwork[.]com
- sbmsa[.]wiki
- www[.]journalide[.]org
- Dunamistrd[.]com
- azureonlinecloud[.]com
- akamaicontainer[.]com
- qwepoi123098[.]com
How to Mitigate the Impact of a 3CX Desktop App Attack
Our threat intelligence team suggests performing the following actions:
- First, uninstall the 3CX Desktop application. Use the App-like Web (PWA) client instead.
- Determine if any of the devices on your network has been or is currently in contact with adversaries leveraging 3CX Desktop App vulnerabilities.
- Perform eradication tasks on endpoints or devices identified as compromised.
- In 2023 our Threat Intelligence Team is forecasting to see more supply chain attacks like this. With that in mind, make sure you have a Continuous Compromise Assessment® practice across all your third-party providers so you can stop these attacks on time.
- Contact any of our specialists in case you have any questions on how to respond to this threat.
Stay Ahead of Disruptive Incidents Affecting Your Operations
Remember that cybersecurity attacks—especially ransomware attacks—do not happen randomly. Catastrophic cybersecurity incidents start by exploiting vulnerabilities, like those used in the 3CX Desktop App Attack, for initial access so they can move through the network, escalating privileges, until they can deploy a catastrophic attack. Continuously monitoring anomalous behaviors of devices connected to your network will give you the ability to stop them in time. A compromised network exhibits unusual patterns, which is why it’s crucial to leverage the power of your network metadata to gain visibility into your network’s behavior. Open your Lumu Free Account now.