
3CX Supply Chain Attack

Released: Mar 30, 2023

Updated: Apr 05, 2023


Severity: Critical

Platform: VOIP Systems

Vendor: 3CX

Attack Type


3CX VoIP DesktopApp Campaign & Supply Chain Threats

Security researchers observed threat actors abusing 3CX's widely deployed business communication software: a version of the 3CX VoIP (Voice over Internet Protocol) desktop client was trojanized and is being used to attack multiple organizations.

Common Vulnerabilities and Exposures

CVE-2023-29059

Background

3CXDesktopApp is the desktop client for 3CX's voice and video conferencing PABX (Private Automatic Branch Exchange) enterprise call routing software, developed by 3CX, a business communications software company. The company website claims that 3CX has 600,000 customers and over 12 million daily users, across sectors such as automotive, hospitality, food and beverage, managed service providers (MSPs) and manufacturing. According to the vendor, "this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack." Because the software is used so widely across sectors and organizations, this has the potential to be a massive supply chain attack on the scale of earlier incidents such as the SolarWinds compromise or the Kaseya VSA ransomware attack.

Latest Development

Recent news and incidents related to this threat, including data breaches, cyber-attacks, security incidents and newly disclosed vulnerabilities.


March 30th, 2023: 3CX posted an alert at:
https://www.3cx.com/blog/news/desktopapp-security-alert/

March 30th, 2023: CISA released an alert at:
https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp


FortiGuard Labs has released updated antivirus definitions and blocked all known IoCs related to the attack, including domains, C2 servers and IP addresses. The FortiGuard AI/ML engine can prevent and block the download of the malware payload automatically, without human intervention.

FortiGuard Labs is continually monitoring the situation and will provide new information as it becomes available.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • AV (Pre-filter)

  • Behavior Detection

  • IPS

  • Pre-execution

  • Web Filter

  • Post-execution

  • Botnet C&C

DETECT
  • Threat Hunting

  • IOC

  • Outbreak Detection

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise

IOC Indicator List (columns: Indicator, Type, Status; file hashes ending in "..." are truncated on this page)
e4973db44081591e9bff5117946defbef6041397e56164f... file Active
00ab15b194cc1fc8e48e849ca9717c0700ef7ce22655112... file Active
6194d57fc3bc35acf9365b764338adefacecfacf5955b87... file Active
ac5c0823d623a7999f0db345611084e0a494770c3d6dd5f... file Active
amazonawsreplay.com domain Active
api.microsoftfileapis.com domain Active
http://api.amazonawsreplay.com/collect_log url Active
http://api.amazonawsreplay.com/livehelp/collect url Active
http://api.amazonawsreplay.com/livehelp/init url Active
microsoftfileapis.com domain Active
windowstearns.com domain Active
8.219.167.156 ip Active
http://api.amazonawsreplay.com/ url Active
http://api.microsoftfileapis.com/ url Active
https://selfhelp.windowstearns.com/ url Active
380898334e75e10cc1e5cf4c574d46e57f8b32f52552924... file Active
3978fb1b4d9581fddbd44f44901e87f9f8baf7942c74d58... file Active
50c1685bfcd67435188e74c8b5321de32f44f0c613fc2ee... file Active
81b850230c2a9ea155aa06adda5537f5e01a4ec2b0209aa... file Active
9ab7485664242c00db8ec6e0ea2b829320a7762107527a8... file Active
a6af08adbcf9eba00e3ea15f8a67a7766465fb387868efd... file Active
bf9c24747d7c2903cf931a0a321f37c44fe6236dc40679d... file Active
c7490c9e2a437e111968e96529cef80bc0d92a7040b656e... file Active
oilycargo.com domain Active
wirexpro.com domain Active
103.79.77.178 ip Active
akamaitechcloudservices.com domain Active
123fd1c46a166c54ad66e66a10d53623af64c4b52b1827d... file Active
293a3a2c8992636a5dba58ce088feb276ba39cf1b496b33... file Active
8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9ea... file Active
https://dl.dropbox.com/s/mkd3enun97s8zag url Active
https://dl.dropbox.com/s/mkd3enun97s8zag/Oxzy.exe url Active
09a47a484c8e83f0d36772a445b4e6bc12dc247b file Active
0dd0784b875183c5c8701ae4f46ed371a16fd6b3 file Active
1f1aadda137e5f6d1d914f1c69160eed4dda8517 file Active
36cce0d19253d08252d0d3ade1755d6b064786ae file Active
4789cf9141da47fe265e3d646609d864e0074711 file Active
4ae6fec8052a9648abaaa7b41625c911f355eaa7 file Active
4b0c13a054cadbfddf82686f4b4ff082e9cae428 file Active
62036fd054bac1375fe1205dc595a246e9d94a83 file Active
745f47e5349a99ee867fc1f5358462d176f97c6f file Active
a3dc96b5553606a039a68783989eba4cc0732b3a file Active
aa96e359daf6f90c2170c99a383f4f6b87e2154a file Active
googlecdnb.tk domain Active
http://3.136.16.137/vendor/htmlawed/htmlawed/demon.bin url Active
zh.googlecdnb.tk domain Active
https://github.elemecdn.com/aabquery url Active
https://github.elemecdn.com/aabquery/install_fl... url Active
3.136.16.137 ip Active
de3908adc431d1e66656199063acbb83f2b2bfc4d21f020... file Active
19e9dbfe9df33f17664e780909054b48c62d3dd66e11f31... file Active
54.237.36.60 ip Active
618c11e03328eb0cc47ac21964479901dfaaa8a038e4145... file Active
http://54.237.36.60/inject/QrvxFGKvsSJ5E5bx url Active
192.111.146.178 ip Active
030728c7a876f34ee97963c7f09e6e0398a1f00a file Active
06663a6664335f700dd2c9aaf71bd656e9161cd6 file Active
081f21e6398266f41bc179271bc3b95827122490 file Active
23dc7d61d9d0d40cde42cc7cc48afee8b3f31110 file Active
267b170a52a52a2137c77e671dd703a0b56d8b2d file Active
28c57661cb9f5528a46cbe848beebdfa02d866b1 file Active
2b0822ba5f147dc594c4f9a95669090acab03bc1 file Active
2b41cec321dd0be8519612294676f8bc3feaf1b6 file Active
3d5914e823940b3598f74c54cc09b5c39488474e file Active
3dd660983a6ea7727fdbfb310292ba83c443ca03 file Active
4b990e7f0bfd04a8619cb583ccabb2bce7a65bb7 file Active
7a5d7f9dac73ee3ea9a631ee944cca635b4ff9f2 file Active
7b325940dee4055745dd8d78ab535edc4fca078c file Active
7fe9ecbb376b77b976825f40a07bee31ae250e9b file Active
8c80db3ea4ebf67da6839c249270184dc4fcaeab file Active
904ed2566728036acc7ee645aaaac0b753f1ceef file Active
916bebc9d52d9c925edb6c4108ab9dead50a9ece file Active
91d756cc909e56e4ac97e013ea0951e5bb62c1dc file Active
92bcbf74010bb056b79968cd64289d100c8a80c7 file Active
944fd9e568ebdb2ea77b8f3f47868f87cab62bf2 file Active
9821e2f58328338598bbecaf9dd53a881d467978 file Active
9ab40a25efe023ea23ce74aeb196181aefa3be15 file Active
9cca5e233bee9f9ab3b41ce7cad8e5f43218d72c file Active
a197c2140edac03fb48b1847c4369379c8925ba5 file Active
b997146c966da74b9c3e32f589d2790ced781864 file Active
bfb941328af98ad59608bbbf00f99178ae610352 file Active
c1442f89167024fe9e1b47509ffa9aadc63cdb23 file Active
c14af02c6d44645937d23fb122e3e84a612e93ca file Active
c1fe2bab43d8feb7f6a49fab13dad379cdad4b6e file Active
c2c50d42bea265e2b9033fd53cf5932b933ebc8a file Active
c5654cd8e7a728b10094db0239d1d80c82de5d2d file Active
c5b50973ac6c654e7bfd3e5e82b16f763a8ae149 file Active
cceaba4359acefea532073bf235553776a6ecfe5 file Active
d65524917e4d7d3a14483f4104b5a9a82d63acbf file Active
df70515280dd4abcd7425aa616c1334ec1ab2a85 file Active
e315223b801fe90d8eb6caae6c31aa70f0f9aa15 file Active
efc8db855e879c72dc172ecd61e7ff0421c1fdbd file Active
fa62287b44a159bbfaefb7f44c5df985de3d8fa8 file Active
faecbfe3d35f5cecfc04b9933b4f3128a5a9cc12 file Active
feaeac543428558fe6a9bace070939b9ec267b7d file Active
ff12f89964e88d8c00f9f4339ca9539aea46db47 file Active
http://54.167.173.26/inject/QrcxFGKvsSJ5E5bx url Active
54.167.173.26 ip Active
https://discord.com/api/webhooks/1063041353627467856/ url Active
https://discord.com/api/webhooks/10630413536274... url Active
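One way to put the list above to work in a hunt, as an added example that is not FortiGuard's tooling: parse the IOC rows into sets by type and check proxy requests and a file-hash inventory against them. The rows in the block are a subset of the table above, copied verbatim; the proxy log and the file inventory are constructed sample data (the first inventory digest is a placeholder built from the truncated prefix plus zero padding, not the real hash). Two details matter in practice: a hash the page prints with a trailing "..." is only a prefix, so a hit on it is reported as partial and must be confirmed against the full digest; and a domain indicator should also catch its subdomains, since the table lists both microsoftfileapis.com and api.microsoftfileapis.com.

```python
"""Check proxy and host telemetry against the 3CX IOC table on this page.

Added example, not FortiGuard's tooling. IOC_ROWS is a subset of the table
above; PROXY_LOG and FILE_INVENTORY are constructed sample data.
"""
from collections import defaultdict
from urllib.parse import urlsplit

IOC_ROWS = """\
e4973db44081591e9bff5117946defbef6041397e56164f... file Active
amazonawsreplay.com domain Active
api.microsoftfileapis.com domain Active
http://api.amazonawsreplay.com/collect_log url Active
microsoftfileapis.com domain Active
windowstearns.com domain Active
8.219.167.156 ip Active
https://selfhelp.windowstearns.com/ url Active
09a47a484c8e83f0d36772a445b4e6bc12dc247b file Active
http://54.237.36.60/inject/QrvxFGKvsSJ5E5bx url Active
54.237.36.60 ip Active
"""

FULL_DIGEST_LENGTHS = {32, 40, 64}  # hex lengths of MD5, SHA-1, SHA-256


def parse_iocs(rows):
    """Group Active indicators by type. Hashes are lower-cased and a trailing
    '...' (truncated digest) is stripped to leave a prefix; URLs lose a trailing '/'."""
    iocs = defaultdict(set)
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "Active":
            continue
        value, kind = parts[0], parts[1]
        if kind == "file":
            value = value.lower().rstrip(".")
        elif kind == "url":
            value = value.rstrip("/")
        iocs[kind].add(value)
    return iocs


def domain_hit(host, iocs):
    """True when host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs["domain"])


def url_hit(url, iocs):
    """Return 'url', 'ip', 'domain' or None for one requested URL."""
    if url.rstrip("/") in iocs["url"]:
        return "url"
    host = (urlsplit(url).hostname or "").lower()
    if host in iocs["ip"]:
        return "ip"
    if domain_hit(host, iocs):
        return "domain"
    return None


def hash_hit(digest, iocs):
    """Return 'exact', 'partial' (digest starts with a truncated IOC hash) or None."""
    digest = digest.lower()
    if digest in iocs["file"]:
        return "exact"
    for prefix in iocs["file"]:
        if len(prefix) not in FULL_DIGEST_LENGTHS and digest.startswith(prefix):
            return "partial"
    return None


# Constructed proxy log: timestamp, client, method, URL, status.
PROXY_LOG = [
    "2023-03-29T10:01:02Z 10.0.0.5 GET http://api.amazonawsreplay.com/collect_log 200",
    "2023-03-29T10:02:00Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2023-03-29T10:03:11Z 10.0.0.9 GET https://cdn.microsoftfileapis.com/update.bin 200",
    "2023-03-29T10:04:45Z 10.0.0.9 POST http://54.237.36.60/inject/QrvxFGKvsSJ5E5bx 200",
]

# Constructed file inventory (path, hex digest). The first digest is a placeholder:
# the truncated IOC prefix padded with zeros to SHA-256 length, not the real hash.
FILE_INVENTORY = [
    ("C:\\samples\\a.dll", "e4973db44081591e9bff5117946defbef6041397e56164f" + "0" * 17),
    ("C:\\samples\\b.exe", "09a47a484c8e83f0d36772a445b4e6bc12dc247b"),
    ("C:\\Windows\\notepad.exe", "0" * 40),
]


def scan(proxy_log, inventory, rows=IOC_ROWS):
    """Return a list of (source, item, match_kind) findings."""
    iocs = parse_iocs(rows)
    findings = []
    for line in proxy_log:
        url = line.split()[3]
        kind = url_hit(url, iocs)
        if kind:
            findings.append(("proxy", url, kind))
    for path, digest in inventory:
        kind = hash_hit(digest, iocs)
        if kind:
            findings.append(("file", path, kind))
    return findings


if __name__ == "__main__":
    for source, item, kind in scan(PROXY_LOG, FILE_INVENTORY):
        print(f"{source:5} {kind:8} {item}")
```

Feed the full table into IOC_ROWS and point the two loops at real proxy exports and a hash inventory from your EDR; the matching logic does not change. Treat a "partial" finding as a lead, not a confirmed hit, until the full digest is compared against a complete source such as the vendor or CISA advisory linked above.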