Naked Security Naked Security

Supply chain blunder puts 3CX telephone app users at risk

Booby-trapped app, apparently signed and shipped by 3CX itself after its source code repository was broken into.

NB. Detection names you can check for if you use Sophos products and services
are available from the Sophos X-Ops team on our sister site Sophos News.

Internet telephony company 3CX is warning its customers of malware that was apparently weaseled into the company’s own 3CX Desktop App by cybercriminals who seem to have acquired access to one or more of 3CX’s source code repositories.

As you can imagine, given that the company is scrambling not only to figure out what happened, but also to repair and document what went wrong, 3CX doesn’t have much detail to share about the incident yet, but it does state, right at the very top of its official security alert:

The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via Git.

We’re still researching the matter to be able to provide a more in depth response later today [2023-03-30].

Electron is the name of a large and super-complex-but-ultra-powerful programming toolkit that gives you an entire browser-style front end for your software, ready to go.

For example, instead of maintaining your own user interface code in C or C++ and working directly with, say, MFC on Windows, Cocoa on macOS, and Qt on Linux…

…you bundle in the Electron toolkit and program the bulk of your app in JavaScript, HTML and CSS, as if you were building a website that would work in any browser.

With power comes responsibility

If you’ve ever wondered why popular app downloads such as Visual Studio Code, Zoom, Teams and Slack are as big as they are, it’s because they all include a build of Electron as the core “programming engine” for the app itself.

The good side of tools like Electron is that they generally make it easier (and quicker) to build apps that look good, that work in a way that users are aready famiilar with, and that don’t behave completely differently on each different operating system.

The bad side is that there’s a lot more underyling foundation code that you need to pull down from your own (or perhaps from someone else’s) source code repository every time you rebuild your own app, and even modest apps typically end up several hundreds of megabytes in size when they’re downloaded, and even bigger after they’re installed.

That’s bad, in theory at least.

Loosely speaking, the bigger your app, the more ways there are for it to go wrong.

And while you’re probably familiar with the code that makes up the unique parts of your own app, and you’re no doubt well-placed to review all the changes from one release to the next, it’s much less likely that you have the same sort of familiarity with the underlying Electron code on which your app relies.

It’s therefore unlikely that you will have the time to pay attention to all the changes that may have been introduced into the “boilerplate” Electron parts of your build by the team of open-source volunteers who make up the Electron project itself.

Attack the big bit that’s less well-known

In other words, if you’re keeping your own copy of the Electron repository, and attackers find a way into your source code control system (in 3CX’s case, they’re apparently using the very popular Git software for that)…

…then those attackers might well decide to booby-trap the next version of your app by injecting their malicious bits-and-pieces into the Electron part of your source tree, instead of trying to mess with your own proprietary code.

After all, you probably take the Electron code for granted as long as it looks “mostly the same as before”, and you you are almost certainly better placed to spot unwanted or unexpected additions in your own team’s code than in a giant dependency tree of source code that was written by someone else.

When you’re reviewing your own company’s own code, [A] you have probably seen it before, and [B] you may very well have attended the meetings in which the changes now showing up in your diffs were discussed and agreed. You’re more likely to be tuned into, and more proprietorial – sensitive, if you wish – about changes in your own code that don’t look right. It’s a bit like the difference between noticing that something’s out-of-kilter when you drive your own car than when you set off in a rental vehicle at the airport. Not that you don’t care about the rented car because it isn’t yours (we hope!), but simply that you don’t have the same history and, for want of a better word, the same intimacy with it.

What to do?

Simply put, if you’re a 3CX user and you’ve got the company’s Desktop App on Windows or macOS, you should:

  • Uninstall it right away. The malicious add-ons in the booby-trapped version could have arrived either in a recent, fresh installation of the app from 3CX, or as the side-effect of an official update. The malware-laced versions were apparently built and distributed by 3CX itself, so they have the digital signatures you’d expect from the company, and they almost certainly came from an official 3CX download server. In other words, you aren’t immune just because you steered clear of alternative or unofficial download sites. Known-bad product version numbers can be found in 3CX’s security alert.
  • Check your computer and your logs for tell-tale signs of the malware. Just removing the 3CX app is not enough to clean up, because this malware (like most contemporary malware) can itself download and install additional malware. You can read more about how the malware actually works on our sister site, Sophos News, where Sophos X-Ops has published analysis and advice to help you in your threat hunting. That article also lists the detection names that Sophos products will use if they find and block any elements of this attack in your network. You can also find a useful list of so-called IoCs, or indicators of compromise, on the SophosLabs GitHub pages. IoCs tell you how to find evidence you were attacked, in the form of URLs that might show up in your logs, known-bad files to seek out on your computers, and more.

NEED TO KNOW MORE? KEEP TRACK OF IOCS, ANALYSIS AND DETECTION NAMES


  • Switch to using 3CX’s web-based telephony app for now. The company says: “We strongly suggest that you use our Progressive Web App (PWA) instead. The PWA app is completely web-based and does 95% of what the Electron app does. The advantage is that it does not require any installation or updating and Chrome web security is applied automatically.”
  • Wait for further advice from 3CX as the company finds out more about what happened. 3CX has apparently already reported the known-bad URLs that the malware uses for further downloads, and claims that “the majority [of these domains] were taken down overnight.” The company also says it has temporarily discontinued availability its Windows app, and will soon rebuild a new version that’s signed with a new digital signature. This means any old versions can be identified and purged by explicitly blocklisting the old signing certificate, which won’t be used again.
  • If you’re not sure what to do, or don’t have the time to do it yourself, don’t be afraid to call for help. You can get hold of Sophos Managed Detection and Response (MDR) or Sophos Rapid Response (RR) via our main website.