
3CX teases security-focused client update, plus password hashing

The CEO of VoIP software provider 3CX has teased the imminent release of a security-focused upgrade to the company’s progressive web application client.

“Following our Security Incident we’ve decided to make an update focusing entirely on security,” CEO Nick Galea wrote on Monday.

In case you missed it, that incident was a late March supply chain attack that saw the company’s Windows Electron desktop app compromised by malware.

Galea said Alpha and Beta releases of the updated client will debut in the week of April 17th, with full release to follow in the week of the 24th.

The first feature Galea mentioned will come to 3CX’s progressive web application (PWA), which will gain a Busy Lamp Field, an in-software version of the LED that lights up on physical phones to indicate if an extension is busy.

Galea then states “All users that use a deskphone or an Android/iOS app for the actual calling should use the PWA client,” and recommends its use whenever possible despite a future update to the company’s desktop app.

His post then starts to discuss security, with news that “In this update all web passwords are hashed in the system.”

“It doesn’t mean they were completely insecure before. You still needed admin rights to access them. But it’s not good practice and it’s been the subject of CVE-2021-45491.”

The abovementioned CVE was published on March 17th, 2023, and described the fact that passwords for 3CX were stored as plaintext.

“The hashing of passwords applies to the Web Client login only,” Galea explained. “For backward compatibility reasons, we will not hash SIP auth ID and password, SIP trunk and gateway passwords or the tunnel passwords. If hacked these credentials can only be used to get calling access to the PBX. These user credentials cannot be elevated to login to the PBX. In future builds we will hash these passwords also.”

Another change will see passwords excluded from welcome mails sent to new users.

“The Welcome email used to have the Web Client password as well as the config file for the old style configuration of the app,” Galea wrote. “We’re now removing this from the Welcome email.”

Another incoming change will add to the current ability to limit access by IP for the Management Console. “Now you can also do this for System Admins that have access to the Admin section in the Web Client,” Galea wrote.

North Korean fingerprints all over it

Also on Monday, 3CX CISO Pierre Jourdan published initial results of Mandiant’s investigation into the supply chain attack on the VoIP vendor’s software.

“Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus,” Jourdan wrote.

“Mandiant determined that the attacker infected targeted 3CX systems with TAXHAUL (AKA “TxRLoader”) malware,” he added.

“On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware. DLL side-loading triggered infected systems to execute the attacker’s malware within the context of legitimate Microsoft Windows binaries, reducing the likelihood of malware detection. The persistence mechanism also ensures the attacker malware is loaded at system start-up, enabling the attacker to retain remote access to the infected system over the internet.”

Mandiant has also spotted what Jourdan described as “a MacOS backdoor, currently named SIMPLESEA, located at /Library/Graphics/Quartz (MD5: d9d19abffc2c7dac11a16745f4aea44f).” Mandiant is unsure if SIMPLESEA is related to other malware families.

The malware that infected 3CX’s wares communicates with command and control infrastructure that uses URLs including “azureonlinecloud”, “akamaicontainer” and “msboxonline”. The Register tried pinging them all – only returned a packet.
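A triage sketch for the indicators quoted above, added here as an example and not taken from 3CX, Mandiant or The Register: it checks the SIMPLESEA path and MD5 and searches DNS log lines for the three hostname keywords. The log format, the ".example" hostnames and the function names are constructed assumptions.

```python
import hashlib
import re
from pathlib import Path

# Indicators as quoted in the article.
SIMPLESEA_PATH = "/Library/Graphics/Quartz"
SIMPLESEA_MD5 = "d9d19abffc2c7dac11a16745f4aea44f"
C2_KEYWORDS = ("azureonlinecloud", "akamaicontainer", "msboxonline")

# Hostname-like tokens: dot-separated labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Constructed sample DNS log lines (hypothetical format, reserved .example TLD).
SAMPLE_LOG = [
    "2023-04-03T10:15:02Z client=10.0.0.12 query=cdn.azureonlinecloud.example type=A",
    "2023-04-03T10:15:09Z client=10.0.0.12 query=portal.azure.example type=A",
    "2023-04-03T10:16:40Z client=10.0.0.31 query=MSBoxOnline.example type=AAAA",
    "2023-04-03T10:17:01Z client=10.0.0.31 query=www.akamai.example type=A",
]

def check_file(path=SIMPLESEA_PATH, expected_md5=SIMPLESEA_MD5):
    """Classify path as 'absent', 'hash-match' or 'present-different-hash'."""
    p = Path(path)
    if not p.is_file():  # missing, or not a regular file
        return "absent"
    digest = hashlib.md5(usedforsecurity=False)  # MD5 only as an IoC lookup key
    with p.open("rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return "hash-match" if digest.hexdigest() == expected_md5 else "present-different-hash"

def c2_hits(log_lines):
    """Return (line_no, hostname, keyword) for hostnames containing a keyword."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            host = host.lower()  # DNS names are case-insensitive
            hits.extend((line_no, host, kw) for kw in C2_KEYWORDS if kw in host)
    return hits

if __name__ == "__main__":
    print("SIMPLESEA path:", check_file())
    for hit in c2_hits(SAMPLE_LOG):
        print("C2 keyword hit:", hit)
```

A "present-different-hash" result only says a file exists at that path with other contents; the article gives no further hashes to compare against.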

The Register understands that 3CX intends to offer a detailed account of the supply chain attack. We await it with interest. ®