VoIP software vendor 3CX will soon implement a forced security upgrade of its progressive web application (PWA) client. This is in response to a recent security incident.
The forced upgrade should make the PWA client more secure. In the near future, the desktop application will also receive an update.
New features in the upgraded PWA client include a “Busy Lamp Field”. This is the software equivalent of the LED lights on physical phones that turn on when a line is busy.
Additionally, all passwords are now hashed in the system. Before this, they were still stored in plaintext. Password hashing only applies to the web client. The passwords for SIP auth ID and password, SIP trunk, gateways or tunnels will not be hashed for now.
As further measures, passwords will no longer be included in welcome emails for new users. IP access to the Management Console is also more restricted. This is now also configurable by system administrators who have access to the management section in the Web client.
The forced update to the PWA client will be released next week in alpha and beta. The final release is expected to roll out a week later.
3CX was hit by an intrusion and supply-chain attack in late March. According to research by Mandiant, North Korean state hackers were likely responsible.
The malware used in the attack, TAXHAUL (also known as “TxRLoader”), affected 3CX software components working with command-and-control infrastructure, among other things. Ultimately, the attack yielded a haul of stolen passwords and other login credentials.