3CX Desktop App Supply Chain Attack

We run the 3CX VOIP PBX along with the various desktop, mobile, and web applications.

Recently there has been a major malware infestation with 3CX's desktop clients latest version and updates.

Luckily I have yet to upgrade to the malware infested versions, but I'm curious if I had, would my Total Security Subscriptons and EDR have caught the malware before it could infect my systems?

This assumes I have used best practices in the configuration and implementation of these services.

I'm fairly certain the answer is "of course, we're Watchguard!", but since I haven't seen any news on Watchguard being able to neutralize this threat as other security vendors have posted, I was just wondering.


It's usually something simple.


  • Options
    George_GrinnellGeorge_Grinnell WatchGuard Representative
    edited March 2023

    Hello, please review the secplicity blog post regarding 3CX, as WatchGuard learns more we will update the article. As noted in the article EDR, EPDR are effective for detection from 0 day. https://www.secplicity.org/2023/03/30/3cx-supply-chain-attack/

    George Grinnell
    WatchGuard Representative

  • Options

    hi @shaazaminator

    the answer is no it wouldn't. I can say that because AFAIK the EDR is a rebadged Panda AD360 which Watchguard purchased.

    We have this installed on every PC and Server in the place along with a Watchguard Firewall. Did not detect the installation and running of the supply chain attack infected executable nor did it initially detect its behaviour.

    I had to contact and raise a support ticket which prompted the changes. It now detects and removes the executable but EDR and its IOA dashboard didn't show anything even after that.

    When I tried to leave a comment on the article linked to in the official reply stating this it was not approved by the moderator. It is likely this reply will also be removed.

  • Options

    See this:
    3CX Supply Chain Attack

    "If you are a WatchGuard Endpoint customer, you are protected."

  • Options

    @Bruce_Briggs That's what they said in the article and when I tried to leave a comment to say that wasn't my experience the moderator decided it wasn't for publication.

  • Options
    edited April 2023

    Odd that the WG published article still seems to be wrong at this point.

  • Options

    @Bruce_Briggs I don't think it is wrong now, it was wrong to state they detected and prevented initially. That was misleading to say the least.

  • Options

    I am currently running post infection scans with third party Thor lite which gave 3CX customers a YARA like scanner for free till the end of the month. We are seeing possible Meterpreter "ReflectiveLoader" attack and I am trying to get Watchguard to clarify if we are protected or not. Initial response is Thor isn't our product go ask them for help. Not very helpful.

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @NickDaGeek
    The only posts we remove are the ones against the TOS for the community. In general I will also remove posts that aren't constructive (e.g., "thing is awful" with no details, but I will generally attempt to get more information from the customer when that happens.) If possible, I will try to edit things like personally identifiable information out of posts rather than simply deleting them. I always leave a comment in the post saying this was done.

    The Secplicity blog does sometimes moderate comments, but this is generally (again) due to SPAM. I'll check in with that team to see if something might be wrong with their comment system.

    -James Carson
    WatchGuard Customer Support

  • Options

    @james.carson Thank you, I just tried to post on that blog that Mandiant has reported that 3CX supply chain attack was a first of its kind in that they had themselves been the victim of a supply chain attack first, that seems to be still awaiting moderation as well.

Sign In to comment.