Backdoor in 3CX VoIP software

June 9, 2023

Comment: Dr Johannes Ullrich, Dean of Research at the SANS Technology Institute

3CX is a company that sells voice-over-IP systems. Last week, customers complained that 3CX’s VoIP software was triggering anti-virus warnings. 3CX initially dismissed this as a false alarm. Then, earlier this week, SentinelOne published a notice stating that the application contained a backdoor likely created by a state-sponsored actor from North Korea. This backdoor allows full remote access to systems running the 3CX desktop application.

3CX has since released an updated statement confirming its previous findings. The application was written using the “Electron” framework that for building desktop applications using web technologies such as HTML and JavaScript. A library included in the 3CX desktop client was malicious, leading to the compromise.

The Electron framework is very popular for quickly creating cross-platform desktop applications. Its use of web technologies allows developers to move from web-based and desktop applications to tools. But Electron, like many similar technologies, relies heavily on open source libraries. These libraries are generally unverified, and developers should be careful when using them. All third-party libraries must be scanned for vulnerabilities, and anti-malware warnings about these libraries must not be ignored.

Two events this week highlight the difficulties faced by security teams in complex modern environments that rely on third-party tools and services. First, 3CX dismissed reports of its application triggering malware alerts. This resulted in a significantly delayed response, which likely caused significant harm to the company’s customers. Secondly, Microsoft Defender classified many Zoom URLs as malicious. This was a genuine false alarm and none of the URLs were malicious. But it flooded security teams with alerts, possibly causing them to ignore valid warnings from the tool.

If companies are affected by the 3CX incident and have installed the malicious version of the VoIP client: They must treat this as an incident. They must not simply remove the VoIP client, carry on as before and pretend that nothing happened. The attackers had access to their systems. This access may have lasted several days. They could install more malware, change configurations and steal data. IT security teams need to not only check for the absence of published signs of compromise, but validate the configuration of each affected system and check network logs for possible data exfiltration or other suspicious connections.

More information was prepared in this podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8432

Related Articles

Smart Cities market predicted to top $1,100 billion by 2028

Smart Cities market predicted to top $1,100 billion by 2028

The adoption of smart cities has witnessed a remarkable surge in recent years, driven by advancements in technology, growing urbanisation, and increasing recognition of the benefits of smart solutions.  This market is, according to the latest research from...

One year of Cell Broadcast in Baden-Württemberg

One year of Cell Broadcast in Baden-Württemberg

Minister Thomas Strobl: "The last 12 months have shown that cell broadcasting enables us to reach a large number of people quickly and easily in an emergency" "In the event of imminent danger or damage, it is crucial that we warn the population and give people...

Share This