WHAT HAPPENED?

Earlier this week it was confirmed that a major software supply chain attack took place involving 3CX’s VoIP system. The desktop application was hijacked to deliver malicious code via an update file, potentially affecting over 600,000 organisations.

While we have no affiliation with the 3CX solutions, we are actively monitoring the incident to support our customers and protect ourselves. This incident is still in the forensic stage, the end-goal of this attack is still being determined.

What we do know at this point is our products and solutions have not been affected. But we appreciate this will be an incredibly stressful experience for any users who have been affected.

We want to ensure that every organisation can stay safe and avoid the damage that can be caused from cyberattacks like these, so please read on for our step guidance on what to do if you are affected.

 

WHAT SHOULD I DO?

If you or your organisation are users of the 3CX phone system, assume you have been compromised.

We have assessed the incident and advise you follow the remedial actions below as soon as possible.

 

RECOMMENDED ACTIONS FOR USER DEVICES

Electron App (as advised by 3CX)

  • Uninstall the Electron App for Mac or Windows (check the 3CX website for further instructions)
  • Use the web app "PWA" (Progressive Web App) instead of the Electron App (again, more information can be found on the 3CX website)
  • Avoid using the Electron App unless there is absolutely no alternative

REMEDIATION

  • Have you been saving your passwords in your browser? If so, you should remove them and change them in the relevant apps, we recommend using a password manager instead
  • End all browser sessions in progress and ensure they have closed fully
  • Run an antivirus scan on every machine on which the Electron App was installed

ISOLATION

  • If you see symptoms of a cyberattack, isolate any affected machine from the internet
  • Disconnect the cable between each machine and your network/router or disable the WiFi on the machine (note:  whilst their machine is isolated, the user will no longer be able to make/receive any calls via the 3CX PBX)

Evidence Retention

Do not switch off any infected machine as this may remove evidence needed to analyse an attack and take remediation action.

 

RECOMMENDED ACTIONS FOR SELF-HOSTED AND ON-PREMISES SERVICES ONLY

3CX has advised that if you are running 3CX on a self-hosted or on-premises server, ensure it has the latest update installed, check their website for more information.

If you need urgent assistance to deal with a cyberattack, contact the Check Point Incident Response Service. You do not be an existing customer and will not be charged for the first hour of triage.

 

Phone number: 0-800-088-5471

(Visit the Check Point Incident Response page for other numbers)

Email: emergency-response@checkpoint.com

If you would like to speak to us directly, please get in touch via the link below for a no strings attached call to discuss your security framework.

Request a call back