Last active
October 17, 2025 11:15
Revisions
SwitHak revised this gist
Apr 6, 2023. 1 changed file with 1 addition and 0 deletions.
@@ -94,6 +94,7 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise eve ## Nextron Systems - https://www.nextron-systems.com/2023/03/31/using-thor-lite-to-scan-for-indicators-of-lazarus-activity-related-to-the-3cx-compromise/ - https://twitter.com/nextronsystems/status/1643147003155587072 ## Automox - https://www.automox.com/blog/3cx-desktop-app-compromised -
SwitHak revised this gist
Apr 6, 2023. 1 changed file with 2 additions and 0 deletions.
@@ -131,6 +131,8 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise eve ## Zscaler - https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023 ## Microsoft - https://security.microsoft.com/threatanalytics3/89ed5a4c-622c-4641-8111-246eae37e200/analystreport ## Errors, typos, something to say ? - If you want to add a link, comment or send it to me -
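Review bot: the Microsoft entry added in this hunk (https://security.microsoft.com/threatanalytics3/89ed5a4c-622c-4641-8111-246eae37e200/analystreport) is a Threat Analytics report inside the Microsoft 365 Defender portal, so it only opens for users signed in to a licensed tenant, unlike the other vendor links in the file, which are public blog posts. Suggest labelling it so readers are not surprised by a login redirect, e.g. "## Microsoft - https://security.microsoft.com/threatanalytics3/89ed5a4c-622c-4641-8111-246eae37e200/analystreport (Threat Analytics report, requires Microsoft 365 Defender portal sign-in)".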
SwitHak revised this gist
Apr 6, 2023. 1 changed file with 12 additions and 0 deletions.
@@ -78,6 +78,7 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise eve ## Objective See - https://objective-see.org/blog/blog_0x73.html - https://objective-see.org/blog/blog_0x74.html ## Fortinet - https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised @@ -118,6 +119,17 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise eve ## Threat Radar - https://threatradar.net/3cx-in-the-wild/ ## Kaspersky - https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/ ## Todyl - https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign ## Splunk - https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html ## Zscaler - https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023 ## Errors, typos, something to say ? -
SwitHak revised this gist
Apr 3, 2023. 1 changed file with 12 additions and 0 deletions.
@@ -17,6 +17,11 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise eve - 600K+ installations - 12M+ users ## Affected ? - You can check the dedicated website : - https://checkmyoperator.com/ - NOTA: You also need to check manually the compromise! ## Affected Releases - The following releases & platforms are affected - Microsoft / Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416. @@ -107,6 +112,13 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise eve ## Blackberry - https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022 ## VMware - https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html ## Threat Radar - https://threatradar.net/3cx-in-the-wild/ ## Errors, typos, something to say ? - If you want to add a link, comment or send it to me -
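Review bot: the new "Affected ?" section sends readers to https://checkmyoperator.com/ without saying who operates that site or what it actually checks, and the NOTA line ("You also need to check manually the compromise!") does not say what the manual check is. Suggest stating that the site is a third-party convenience check rather than a 3CX statement, and rewording the note to "NOTA: this site is not authoritative; also check manually against the version numbers listed under Affected Releases below", which fixes the grammar and makes the manual step concrete.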
SwitHak revised this gist
Mar 31, 2023. 1 changed file with 6 additions and 0 deletions.
@@ -101,6 +101,12 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise eve ## Talos (Cisco) - https://blog.talosintelligence.com/3cx-softphone-supply-chain-compromise/ ## Trustwave - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-action-response-supply-chain-attack-using-3cx-pbax-software/ ## Blackberry - https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022 ## Errors, typos, something to say ? - If you want to add a link, comment or send it to me -
SwitHak revised this gist
Mar 31, 2023. 1 changed file with 9 additions and 0 deletions.
@@ -92,6 +92,15 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise eve ## Automox - https://www.automox.com/blog/3cx-desktop-app-compromised ## Malwarebytes - https://www.malwarebytes.com/blog/news/2023/03/3cx-desktop-app-used-in-a-supply-chain-attack ## Rapid7 - https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/ ## Talos (Cisco) - https://blog.talosintelligence.com/3cx-softphone-supply-chain-compromise/ ## Errors, typos, something to say ? - If you want to add a link, comment or send it to me -
SwitHak revised this gist
Mar 31, 2023. 1 changed file with 19 additions and 0 deletions.
@@ -7,6 +7,9 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise eve ## What's happening? - Per several report the building environment of 3CX for the DesktopApp (MAC & Windows) has been compromised - The recent releases (details given below) have been compromised to include malicious code inside it - More details available regarding the compromise with the graphics by Thomas Roccia: - [3CX Supplychain Attack Windows](https://twitter.com/fr0gger_/status/1641668394155151366) - [3CX Supplychain Attack Apple](https://twitter.com/fr0gger_/status/1641775228652244993) ## Reach of the compromise - Per 3CX website, likely numbers not updated: @@ -74,6 +77,22 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise eve ## Fortinet - https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised ## Orange Cyberdefense - https://www.orangecyberdefense.com/global/blog/research/3cx-voip-app-supply-chain-compromise ## Symantec (Broadcom) - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack ## Cyble - https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack/ ## Nextron Systems - https://www.nextron-systems.com/2023/03/31/using-thor-lite-to-scan-for-indicators-of-lazarus-activity-related-to-the-3cx-compromise/ ## Automox - https://www.automox.com/blog/3cx-desktop-app-compromised ## Errors, typos, something to say ? - If you want to add a link, comment or send it to me - Feel free to report any mistake directly below in the comment or in DM on Twitter [@SwitHak](https://twitter.com/SwitHak) -
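Review bot: the two entries added under "What's happening?" link to tweets (https://twitter.com/fr0gger_/status/1641668394155151366 and https://twitter.com/fr0gger_/status/1641775228652244993), which, unlike the vendor blog posts that make up the rest of the file, can be deleted or placed behind a login at any time. Suggest adding a one-line summary of what each graphic shows (the Windows and the Apple infection chains, per their titles) so the entries keep their value if the links die, and while editing this region fix the context line "Per several report" to "Per several reports".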
SwitHak created this gist
Mar 31, 2023.
@@ -0,0 +1,79 @@ Security Advisories / Bulletins / vendors Responses linked to 3CX compromise event # General ## What's 3CX? - 3CX evolved from its roots as a PBX phone system to a complete communications platform, offering customers a simple, flexible, and affordable solution to call, video and live chat. ## What's happening? - Per several report the building environment of 3CX for the DesktopApp (MAC & Windows) has been compromised - The recent releases (details given below) have been compromised to include malicious code inside it ## Reach of the compromise - Per 3CX website, likely numbers not updated: - 190 Countries - 600K+ installations - 12M+ users ## Affected Releases - The following releases & platforms are affected - Microsoft / Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416. - Mac / Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 are also affected. ## CVE Number - Unusual thing, a CVE number been assigned to this attack based on CWE-506. - CVE NVD Link : https://nvd.nist.gov/vuln/detail/CVE-2023-29059 ## Vendor response - [3CX DesktopApp Security Alert](https://www.3cx.com/blog/news/desktopapp-security-alert/) - [3CX DesktopApp Security Alert - Mandiant Appointed to Investigate](https://www.3cx.com/blog/news/desktopapp-security-alert-updates/) - [Chrome blocks latest 3CX MSI installer](https://www.3cx.com/blog/news/chrome-blocks-latest-msi/) ## Vendor Forum Threads about AV detecting 3CX - https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/ - https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/ ## NOTA - Thanks to Crowdstrike for the burn of this with their Reddit post they did the right thing. 
# CyberSecurity vendors blogs ## Crowdstrike - https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/ - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ ## SentinelLabs - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ ## Sophos - https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/ ## Huntress - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats ## Elastic ecurity Labs - https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack ## Reversing Labs - https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update ## PAN - https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/ ## Trend Micro Research - https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html ## Volexity - https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/ ## Checkpoint Research - https://twitter.com/_CPResearch_/status/1641424448740810754 ## Objective See - https://objective-see.org/blog/blog_0x73.html ## Fortinet - https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised ## Errors, typos, something to say ? - If you want to add a link, comment or send it to me - Feel free to report any mistake directly below in the comment or in DM on Twitter [@SwitHak](https://twitter.com/SwitHak)
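Review bot: three typos in the initial file: "## Elastic ecurity Labs" should read "## Elastic Security Labs", "Per several report" should read "Per several reports", and "a CVE number been assigned to this attack" should read "a CVE number has been assigned to this attack". Two documentation points as well: the "CVE Number" line would help readers more if it expanded CWE-506 as "Embedded Malicious Code", which explains why a supply-chain compromise of a build received a CVE; and the NOTA line "Thanks to Crowdstrike for the burn of this with their Reddit post they did the right thing" is hard to parse, since "burn" is slang here for public disclosure. Suggest "Thanks to CrowdStrike for publicly disclosing this in their Reddit post; they did the right thing."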