31 March 2023

The 3CX Desktop App - Supply Chain Attack

Cybersecurity experts have uncovered a supply chain attack on the 3CX DesktopApp, causing concerns in the security community. The 3CX Desktop App is a softphone application businesses use to make and receive calls on their computers or mobile devices. This attack is similar to the SolarWinds incident, where malicious code was introduced into a software update of a legitimate product used by several organizations, causing widespread damage.

With the world moving towards web-based applications, businesses are shifting away from traditional app-based solutions. The recent 3CX DesktopApp supply chain attack is a clear sign that businesses must prioritise web-based solutions to ensure their data and infrastructure are safe from malicious activity. This attack has raised concerns in the security community, and businesses must take action to protect their networks and devices.

In this blog, we will explore the 3CX DesktopApp supply chain attack, what it means for your business, and how to mitigate the risk of being compromised.

Section 1: What is 3CX?

3CX is a phone system for businesses that allows you to make and receive calls using the internet instead of traditional phone lines. It's software-based, which means it runs on your computer or mobile device instead of requiring expensive hardware like a traditional PBX phone system. This can save you money and provide more flexibility in how you use your phone system. Over 600,000 customers use it in 190 countries, including well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota.

Section 2: The Supply Chain Attack

The 3CX Desktop App has been infected with harmful software that can be used to steal important information from your computer or mobile device. This harmful software is called a Trojan, and it is the first part of a series of attacks that can take over your device and steal your data. This type of attack is known as a supply chain attack, where hackers compromise a trusted vendor to gain access to their customers. The attack has been ongoing for a while, and it was discovered around March 22, 2023. Cybersecurity experts are tracking the activity of the attackers and have named it Smooth Operator.

Section 3: What This Means for You

The 3CX Desktop App attack is a supply chain attack, meaning that the threat actors compromise a trusted vendor to gain access to their customers. In this case, the 3CX Desktop App was found to have malicious code within the software, enabling it to make calls to threat-actor-controlled infrastructure, deploy second-stage payloads, and exhibit hands-on keyboard activity. This activity poses a significant threat to businesses and organizations that use this software, potentially compromising sensitive information and leading to significant financial and reputational damage. Suppose your organization uses the 3CX Desktop App. In that case, taking immediate action to protect your network and devices is crucial by implementing mitigation steps recommended by security organizations and staying current on the latest security threats.

Section 4: Mitigation Steps to Try

For customers using the 3CX DesktopApp, you can take several mitigation steps to protect your network and devices. One recommended step is implementing allow listing, which explicitly blocks known malicious files from executing. If your organization has allowed listing capabilities, like Airlock Digital, Rhipe, a cloud solutions and services distributor, has provided the following mitigation steps for customers with 3CX running. You can take the following actions, according to rhipe (2023):

To block by hash:

Add the application hash for the known compromised version of the software and the installer to prevent the file from executing (see table below).

In Airlock, go to Blocklists and right-click on Blocklists, then Select "Create Blocklist Package".

Name the package "3CX DesktopApp".

Right-click on the newly created package and select "Import Hashes".

Paste all the hashes from the table below into the pop-up box and select "Extract Hashes".

Select "Bulk Add", then select "Add selected to Blocklist Package", and click "OK"

Block by file name: Adding the filename 3CXDesktopApp.exe using a metadata type block rule.

In the same blocklist package created in the previous step, expand Blocklist Metadata Rules > right click add new rule > select Operating system > Add Criteria > Select Original Filename and type 3CXDesktopApp and save.

Do this for each OSType in your organisation.


Once completed, approve the blocklist at the root of your policy folder by selecting policies > expanding Blocklists > right-click Enable (Enforced).

File Details 

SHA256Operating SystemInstaller SHA256File Name

At Databox Solutions, we offer VoipExpress, a reliable and up-to-date product that comes with additional security measures like data encryption and network security. If you have any questions about the 3CX DesktopApp supply chain attack or the information provided, please contact your Partner Account Manager.

Section 5: How We Can Help

At Databox Solutions, we understand the importance of staying ahead of the curve regarding technology. That's why we offer VoipExpress, a web-based solution that provides an affordable and customizable VoIP phone system for your business needs. With web-based solutions like VoipExpress, businesses can stay protected from supply chain attacks like the recent 3CX DesktopApp attack, as web-based systems are generally more secure and have greater flexibility to implement security measures.

VoIP Express offers a web-based phone system not limited to one device, allowing you to work from anywhere and stay connected to your customers and colleagues. VoIP Express can enhance communication channels and streamline business operations with a wide range of features and capabilities, such as call forwarding, voicemail, video conferencing, and SMS/MMS messaging. In addition, VoIP Express provides a cost-effective solution compatible with various devices and integrates with other business systems and software to enhance their functionality. With a strong emphasis on after-sale care and customer satisfaction, VoIP Express is dedicated to finding the right phone system for your business needs. Join VoIP Express today and experience a web-based phone system's flexibility, features, and cost-effectiveness.

If you have concerns about the 3CX Desktop App supply chain attack or want to learn more about how VoIP Express can benefit your organization, don't hesitate to contact your Partner Account Manager. Our team is here to help you stay informed and protected against any potential threats, so you can focus on what really matters - growing your business.


The 3CX DesktopApp supply chain attack is a serious threat to businesses. Still, with the right tools and mitigation steps, such as allowing listing and switching to VoipExpress from Databox Solutions, you can minimize the risk and protect your organization. Remember to stay vigilant and updated on the latest security threats to keep your business safe.