3CX releases new Electron app for desktop after previous supply chain attack
VoIP maker 3CX has released a new version of its desktop software. It is the first major release of the tool since it was found last month to have been used in a serious supply chain attack. The tool has been vetted by security company Mandiant.
3CX writes in a blog post that it has created a new Electron app that can be installed on the desktop. That app has build number 18.12.424, a different naming convention than was used before. According to 3CX, this has to do with new certificates that had to be issued for the tool.
The company does prefer that customers use the progressive web app in the browser. This has advantages for users, says 3CX, such as no longer having to log in separately, but security also plays a role: the web app does not suffer from the security issues that the earlier app had.
3CX says the new Electron app is available for Windows and macOS. Users are advised to first update the servers on which the app runs to the new version. This happens automatically for Hosted and StartUP administrators. For them, the Electron wrapper is also installed directly.
The new software is the tool’s first major update since last week. It then emerged that attackers were abusing the desktop client to distribute malware via a supply chain attack. According to the company, this was done through a library that shipped with the tool, but details are not yet known. The malware made it possible to eavesdrop on conversations and voicemail messages. 3CX is a VoIP provider with customers such as McDonald’s and Coca-Cola, as well as the UK healthcare sector.
Shortly after the attack, 3CX already advised users to use mainly the web app. The Electron app has been verified by security company Mandiant, which says it found ‘no evidence of infection’.
Multiple users write on the 3CX forum that the tool is flagged by their virus scanner or by Chrome. According to 3CX, this is a false positive. “Some 3CX domains have been flagged by Google due to the previous version of the desktop app. We have reached out to Google to review those domains,” the company writes.