Trojanized versions of the 3CX desktop app (VOIP) are being used in an ongoing supply chain attack.
Working with other researchers in the industry, WithSecure Threat Intelligence concluded that it was almost certain that later versions of 3CX's desktop VOIP application had been compromised by an actor prior to the build process, resulting in poisoned, yet trusted, installer files being pushed to customers.
The attack impacts the 3CX VOIP desktop application and affects organizations all over the world. WithSecure Intelligence researchers have observed affected organizations in several different countries, including but not limited to France, Germany, the Netherlands, the UK, and the US.
The attack has been ongoing since early February. According to telemetry analyzed by WithSecure Intelligence, a compromised version of the macOS-based installer was seen in early Feb 2023, while Windows-based installers were seen trending in mid-March 2023.
What WithSecure can do to help customers
Our various solutions can help mitigate and detect issues with the 3CX Desktop App security incident.
WithSecure™ Elements Endpoint Detection and Response and WithSecure™ Countercept Managed Detection and Response detect the trojanized versions of the application and the associated DLLs, and generate detections that the Security Administrator can act on.
EDR detections to look at:
• 3cx Malicious Module Loaded
• Malicious Module by ORSP
Use Event Search with the following queries:
"Loaded Module SHA-1" equals
bf939c9c261d27ee7bb92325cc588624fca75429
188754814b37927badc988b45b7c7f7d6b4c8dd3
20d554a80d759c50d6537dd7097fed84dd258b3e
WithSecure Endpoint Protection solutions can also detect activity related to this:
EPP detections to monitor:
• Trojan:W32/MalPayload.C
• Trojan:W32/Agent.DWJC
• Trojan:W32/Agent.DWJD
• Trojan:W32/Agent.DWJE
• Trojan:MacOS/Ictag.*
Remediation
Uninstall the following affected versions of 3CX Desktop App:
• '18.12.407' - Windows
• '18.12.416' - Windows
• '18.11.1213' - MAC
• '18.12.416' - MAC
WithSecure Endpoint Protection will flag and quarantine the malicious applications and DLLs. Upon detection, users are advised to uninstall the application manually.
Optional Patch Recommendation
WithSecure Intelligence researchers have analyzed the malicious DLLs and discovered that some of the files contain a modified signature blob value. This allows the modified DLL to be shown as signed in Windows. Threat actors have achieved this by exploiting a known vulnerability, CVE-2013-3900.
In addition to the provided mitigation and remediation steps, it is recommended to install the optional patch available for this vulnerability:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
IOCs
Malicious DLLs sideloaded by 3CXDesktopApp.exe:
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896, ffmpeg.dll
c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02, ffmpeg.dll
11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03, d3dcompiler_47.dll
Windows Installer:
59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983, 3cxdesktopapp-18.12.416.msi
aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868, 3cxdesktopapp-18.12.407.msi
Windows App:
fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405, 3CXDesktopApp.exe
dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc, 3CXDesktopApp.exe
MACOS App:
92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61, 3CX Desktop App
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb, 3CX Desktop App
MACOS Installer:
5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290, 3CXDesktopApp-18.11.1213.dmg
e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec, 3cxdesktopapp-latest.dmg
Malicious MACOS DLLs:
fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7, libffmpeg.dylib
a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67, libffmpeg.dylib
Compromised versions:
'18.12.407' - Windows
'18.12.416' - Windows
'18.11.1213' - MAC
'18.12.416' - MAC
WHOIS records for related domains:
cliego.garcia@proton[.]me
philip.je@proton[.]me
Domains:
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
dunamistrd[.]com
glcloudservice[.]com
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
visualstudiofactory[.]com
sourceslabs[.]com
zacharryblogs[.]com
msedgeupdate[.]net
sbmsa[.]wiki
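The indicators above can be applied outside the WithSecure console as well. The following Python script is an added example, not WithSecure's tooling and not part of the advisory: it hashes every file under operator-supplied directories with SHA-256 (the file IOCs) and SHA-1 (the "Loaded Module SHA-1" Event Search values), and scans DNS or proxy log lines for the listed domains, including subdomains of them. The domains are kept in their defanged form and refanged only for matching; the directory paths and the log lines in the demo are constructed.

```python
"""Offline IOC sweep for the 3CX desktop app compromise (added example)."""
import hashlib
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# SHA-256 file indicators from the advisory, keyed to the file name they were seen as.
SHA256_IOCS = {
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896": "ffmpeg.dll",
    "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02": "ffmpeg.dll",
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03": "d3dcompiler_47.dll",
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983": "3cxdesktopapp-18.12.416.msi",
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868": "3cxdesktopapp-18.12.407.msi",
    "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405": "3CXDesktopApp.exe",
    "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc": "3CXDesktopApp.exe",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61": "3CX Desktop App (macOS)",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb": "3CX Desktop App (macOS)",
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290": "3CXDesktopApp-18.11.1213.dmg",
    "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec": "3cxdesktopapp-latest.dmg",
    "fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7": "libffmpeg.dylib",
    "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67": "libffmpeg.dylib",
}

# SHA-1 loaded-module indicators from the EDR Event Search query.
SHA1_IOCS = {
    "bf939c9c261d27ee7bb92325cc588624fca75429",
    "188754814b37927badc988b45b7c7f7d6b4c8dd3",
    "20d554a80d759c50d6537dd7097fed84dd258b3e",
}

# Domains from the advisory, kept defanged; refanged only at match time.
DOMAIN_IOCS_DEFANGED = """
akamaitechcloudservices[.]com azuredeploystore[.]com azureonlinecloud[.]com
azureonlinestorage[.]com dunamistrd[.]com glcloudservice[.]com journalide[.]org
msedgepackageinfo[.]com msstorageazure[.]com msstorageboxes[.]com officeaddons[.]com
officestoragebox[.]com pbxcloudeservices[.]com pbxphonenetwork[.]com pbxsources[.]com
qwepoi123098[.]com visualstudiofactory[.]com sourceslabs[.]com zacharryblogs[.]com
msedgeupdate[.]net sbmsa[.]wiki
""".split()


def refang(indicator: str) -> str:
    """Turn the advisory's 'example[.]com' form back into a matchable hostname."""
    return indicator.replace("[.]", ".")


DOMAIN_IOCS = {refang(d) for d in DOMAIN_IOCS_DEFANGED}


def hash_file(path: Path) -> Tuple[str, str]:
    """Return (sha256, sha1) of the whole file, streamed so large installers fit in memory."""
    h256, h1 = hashlib.sha256(), hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h256.update(chunk)
            h1.update(chunk)
    return h256.hexdigest(), h1.hexdigest()


def match_hashes(sha256: str, sha1: str) -> Optional[str]:
    """Label of the matching indicator, or None; digests are lower-cased so pasted values compare."""
    sha256, sha1 = sha256.lower(), sha1.lower()
    if sha256 in SHA256_IOCS:
        return "SHA-256 match: " + SHA256_IOCS[sha256]
    if sha1 in SHA1_IOCS:
        return "SHA-1 match: loaded module from EDR query"
    return None


def sweep(roots: Iterable[str]) -> List[Tuple[str, str]]:
    """Walk the given directories (operator-supplied, e.g. the 3CX install folder) and return IOC hits."""
    hits = []
    for root in roots:
        for p in Path(root).rglob("*"):
            if not p.is_file():
                continue
            try:
                label = match_hashes(*hash_file(p))
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if label:
                hits.append((str(p), label))
    return hits


# Hostname candidates in a log line: dotted labels of letters, digits and hyphens.
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)


def domain_hit(host: str) -> Optional[str]:
    """Return the matching IOC domain if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for ioc in DOMAIN_IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def find_domain_hits(log_lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, observed host, matched IOC) for every hostname that hits an indicator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            ioc = domain_hit(host)
            if ioc:
                hits.append((n, host.lower(), ioc))
    return hits


if __name__ == "__main__":
    # Constructed DNS log lines for the demo; the first one resolves a listed domain.
    sample_log = [
        "2023-03-22T10:01:00Z client=10.0.0.5 query=cdn.msstorageazure.com A",
        "2023-03-22T10:02:00Z client=10.0.0.6 query=example.com A",
    ]
    for hit in find_domain_hits(sample_log):
        print("domain hit:", hit)
    for hit in sweep([r"C:\Program Files\3CXDesktopApp"]):  # assumed install path; adjust per host
        print("file hit:", hit)
```

Hashing the complete file is what makes this check robust against the signature trick described in the patch recommendation: a DLL with a modified signature blob may still be reported as signed by Windows, but its SHA-256 will not change back to that of the legitimate file. Log matching treats subdomains of a listed domain as hits, while a lookalike such as notmsstorageazure.com does not match.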
Related links (external):
https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/