3CX Knew Its App Was Being Flagged By AV Platforms, Did Very Little During Supply Chain Attack
If you don’t use the 3CX VoIP platform, or work in the MSP space with companies that do, you may have missed the news that the company suffered a massive supply chain attack over the past few days. With comparisons being made to the SolarWinds fiasco, this was really, really bad. Unsuspecting clients of 3CX had Windows and Mac versions of the app to hundreds of thousands of customers deployed on their computers with malware snuck inside. That malware called out to actor-controlled servers, which then deployed more malware designed to allow for everything from browser hijacking to remote-takeover of the computer entirely. A hacking group associated with the North Korean government is suspected to be behind all of this.
Security firm CrowdStrike said the infrastructure and an encryption key used in the attack match those seen in a March 7 campaign carried out by Labyrinth Chollima, the tracking name for a threat actor aligned with the North Korean government.
The attack came to light late on Wednesday, when products from various security companies began detecting malicious activity coming from legitimately signed binaries for 3CX desktop apps. Preparations for the sophisticated operation began no later than February 2022, when the threat actor registered a sprawling set of domains used to communicate with infected devices. By March 22, security firm Sentinel One saw a spike in behavioral detections of the 3CXDesktopApp. That same day, 3CX users started online threads discussing what they believed were potential false-positive detections of 3CXDesktopApp by their endpoint security apps.
Here’s the problem with that last paragraph: the detections for the malicious code actually began before Wednesday, March 29th. In an updated ArsTechnica post, it turns out that customers were noting that some AV agents were flagging the 3CX installer and app going all the way back to March 22nd, a week earlier. And these customers were noting this on 3CX’s own community forums.
“Is anyone else seeing this issue with other A/V vendors?” one company customer asked on March 22, in a post titled “Threat alerts from SentinelOne for desktop update initiated from desktop client.” The customer was referring to an endpoint malware detection product from security firm SentinelOne. Included in the post were some of SentinelOne’s suspicions: the detection of shellcode, code injection to other process memory space, and other trademarks of software exploitation.
Others were, in fact, seeing the same thing. These customers were busy writing exceptions for the application, figuring that a signed/trusted app from the manufacturer itself was likely resulting in a false negative. Other users followed suit. 3CX remained silent until Tuesday, March 28th.
A few minutes later, a member of the 3CX support team joined in the discussion for the first time, recommending that customers contact SentinelOne since it was that company’s software triggering the warning. Another customer pushed back in response, writing:
Hmmm… the more people using both 3CX and SentinelOne get the same problem. Wouldn’t it be nice if you from 3CX would contact SentinelOne and figure out if this is a false positive or not? – From provider to provider – so at the end, you and the community would know if it is still save and sound?
This is, of course, precisely what should have happened. Instead, the 3CX rep said there were too many AV providers to go out there and call them all. Then he or she mentioned that they don’t control the antivirus software, but instructed the user to “feel free to post your findings” once they had called SentinelOne themselves.
Those findings were on display for everyone the following day when the attack and compromise of 3CX became very, very public.
You really would think that after SolarWinds first and Kaseya second, tech companies would know better than to ignore this sort of thing and actually talk to the security firms that are flagging their products.