The 3CX Ep - Plus more Hacks, Patches, and a Computer Hero

April 14, 2023 by
The 3CX Ep - Plus more Hacks, Patches, and a Computer Hero
Lighthouse IT Solutions, Matthew Almendinger

The Lighthouse IT Podcast - April 14th, 2023

This week, Matt & Griff discuss several things that they could have gone into further detail about such as Apple's spyware patch, Microsoft's vulnerability patch, the breach of MSI, the recent passing of Gordon Moore, but they sure do talk a lot about the 3CX hack.

Listen here!


We could talk about the recent Apple patch to cover recent zero-day spyware that was released to all supported versions of iOS and iPad OS (including v15)


We could talk about the Microsoft patches released to cover vulnerabilities in MSMQ, Microsoft DHCP Server, or code injection vulnerability in Secure Boot, making it possible to infect your computer at the lowest level. (Seriously, patch now!)


We could talk about MSI's breach - compromising it's certificates and firmware for its motherboards as a result of a ransomware attack.


It would be great to pay homage to Gordon Moore, co-founder of Intel, who very recently passed away. Known for his take on processor growth both in die size and component count that somehow was always very close to reality.


Instead, we get to talk about 3CX. 3CX is a software IP phone system with a work-from-anywhere focus. At Lighthouse, it has been our phone system platform of choice for nearly a decade. We enjoyed the system so much that we became a partner in the back half of the 2010s.

  • Today isn't a sales call though - they're making our security news.
  • 3CX was the victim of a supply-chain attack causing malware to be incorporated into its Desktop App.
  • The Desktop App is used for chat, call control, hotkeys, and extension management.
  • The attackers gained access to their source and added code to their copy of the Electron framework, a very common framework used for rapid application development. (In other words, this is targeted and did not affect the actual Electron framework.)
  • The malware laid dormant for 7 days before connecting to a Github account to download additional resources. Then these items would go out and download additional payloads.
  • The payloads, ffmpeg.dll and d3dcompiler contained encrypted data at the end of the files - meaning the digital signature still read correctly. (Which is actually a flaw within Microsoft signing that has never been addressed.)
  • These files would be used to launch keyloggers.
  • The malware, now believed to be North Korean State Sponsored, was looking for Digital Wallets for Crypto. Because financing weapons of mass destruction is expensive.
  • So, what do we do?
    • UNINSTALL THE SOFTWARE: The affected version should be removed immediately.
    • LOOK FOR THE DLL FILES: If you see the DLL files, you are likely affected.
    • STOP USING THE DESKTOP APP: 3CX recommends using their PWA (Browser-based App) instead.
    • CONSIDER ENGAGING INCIDENT RESPONSE PLANS: It is possible that you may need to execute incident response plans. Starting that process sooner than later is strongly advised.
    • THERE'S AN UPDATE, CAN WE INSTALL?: We are told that Mandiant has reviewed the latest Desktop App release and cleared it. However, there is still concerns and questions. Unless necessary and with appropriate security controls, we still maintain the safest course of action is to not use the software until we learn more from the Root Cause Analysis expected to be posted. This process could take months, however.