BSI Issues Orange Alert for Trojans in 3CX Softphone App


3CX, a key IT supplier with around 600,000 customers worldwide and 12 million daily users, has been hit by a malicious-code attack. The digitally signed softphone app, shipped directly by the manufacturer, was found to contain malicious code that downloaded an information stealer from the Internet. The BSI has raised its IT threat level to "3 / Orange", meaning the situation is business-critical, with massive impairment of regular operations.

The Lazarus hacker group, presumably controlled from North Korea, has been found to have prepared the 3CX software with a downloader that fetched additional malware. It has been confirmed that not only the Windows versions 18.12.407 and 18.12.416 but also the macOS version of the 3CX softphone software is affected. The Mac Electron apps with version numbers 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 are infected.

Anyone running the infected apps is advised to immediately disconnect the affected systems from all networks and start looking for anything the malware may have left behind. The information stealer from the 3CX attack is capable of reading data from the Chrome, Edge, Brave and Firefox browsers, creating a risk that attackers use this information to hijack other systems. It is important to seek professional incident-response help if the published Indicators of Compromise (IoCs) are present in the network.
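To turn the advice above into a first triage step, the following added helper (not code from the article, 3CX or the BSI) checks a software inventory against the trojanised builds named in the article and groups hosts by the action called for: isolate known-bad builds, review hosts that cannot be matched, and leave the rest. The inventory, hostnames and the non-affected version strings are constructed; the macOS build numbers are read in the same dotted form as the Windows versions.

```python
# Added triage helper (not from the article or 3CX): flag hosts running the
# 3CX desktop app builds the article names as trojanised, so they can be
# disconnected from the network first. The inventory below is constructed.
from typing import Dict, List, Tuple

# Builds named in the article. The macOS list is read in the same dotted
# form as the Windows versions (an assumption about the article's notation).
AFFECTED: Dict[str, set] = {
    "windows": {(18, 12, 407), (18, 12, 416)},
    "macos": {(18, 11, 1213), (18, 12, 402), (18, 12, 407), (18, 12, 416)},
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.12.407' (or 'v18.12.407') into a comparable tuple of ints."""
    cleaned = text.strip().lower().lstrip("v")
    return tuple(int(part) for part in cleaned.split("."))

def classify(platform: str, version: str) -> str:
    """'isolate' for a known-trojanised build; 'review' when the host cannot be
    matched (unknown platform or unparsable version); otherwise 'ok', which
    only means the build is not one of those named, not that the host is clean."""
    key = platform.strip().lower()
    try:
        parsed = parse_version(version)
    except ValueError:
        return "review"
    if key not in AFFECTED:
        return "review"
    return "isolate" if parsed in AFFECTED[key] else "ok"

def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by the action the article's guidance calls for."""
    result: Dict[str, List[str]] = {"isolate": [], "review": [], "ok": []}
    for host in inventory:
        result[classify(host["platform"], host["version"])].append(host["host"])
    return result

# Constructed sample inventory (hostnames and the 18.12.420 build are made up).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "Windows", "version": "18.12.416"},
    {"host": "ws-02", "platform": "Windows", "version": "18.12.420"},
    {"host": "mac-01", "platform": "macOS", "version": "v18.11.1213"},
    {"host": "mac-02", "platform": "macOS", "version": "unknown"},
    {"host": "lnx-01", "platform": "Linux", "version": "18.12.407"},
]

if __name__ == "__main__":
    for action, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{action}: {', '.join(hosts) or '-'}")
```

Hosts in the "review" bucket still need a manual check against the published IoCs; an "ok" result only excludes the named builds.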

3CX has downplayed the extent of the issue, stating that the majority of the contacted domains have already been taken down and that the overwhelming majority of affected systems were not actually infected. This is a bold claim that has not been well received by the security community, as 3CX has not been very forthcoming with information or in addressing other security concerns.

In fact, several customers reported antivirus alerts when using 3CX software on the 3CX forums as early as March 22nd but did not receive proper feedback from the manufacturer, with complaints continuing until March 29th. Only when CrowdStrike and SentinelOne alerted the public on March 30th did the situation start to move.

The Heise Security Pro Forum, a members-only forum discussing the 3CX issue, has raised concerns that 3CX has been storing passwords in plain text for over a year, in violation of GDPR. Companies that use this software risk heavy fines. There are also legal concerns about 3CX's lack of response and transparency on this issue.

Overall, this recent 3CX attack highlights the importance of transparency and timely response from manufacturers, as well as the need for users to take immediate action if they suspect their systems have been compromised.
