02 April 2023

TechDirt Almost an Entire Week > Go/Read more

 

3CX Knew Its App Was Being Flagged By AV Platforms, Did Very Little During Supply Chain Attack

from the whoops dept

"If you don’t use the 3CX VoIP platform, or work in the MSP space with companies that do, you may have missed the news that the company suffered a massive supply chain attack over the past few days. With comparisons being made to the SolarWinds fiasco, this was really, really bad. Unsuspecting clients of 3CX, hundreds of thousands of customers, had Windows and Mac versions of the app deployed on their computers with malware snuck inside. That malware called out to actor-controlled servers, which then deployed more malware designed to allow for everything from browser hijacking to remote-takeover of the computer entirely. A hacking group associated with the North Korean government is suspected to be behind all of this.


Security firm CrowdStrike said the infrastructure and an encryption key used in the attack match those seen in a March 7 campaign carried out by Labyrinth Chollima, the tracking name for a threat actor aligned with the North Korean government.

The attack came to light late on Wednesday, when products from various security companies began detecting malicious activity coming from legitimately signed binaries for 3CX desktop apps. Preparations for the sophisticated operation began no later than February 2022, when the threat actor registered a sprawling set of domains used to communicate with infected devices. By March 22, security firm Sentinel One saw a spike in behavioral detections of the 3CXDesktopApp. That same day, 3CX users started online threads discussing what they believed were potential false-positive detections of 3CXDesktopApp by their endpoint security apps.

Here’s the problem with that last paragraph: the detections for the malicious code actually began before Wednesday, March 29th. In an updated ArsTechnica post, it turns out that customers were noting that some AV agents were flagging the 3CX installer and app going all the way back to March 22nd, a week earlier. And these customers were noting this on 3CX’s own community forums.

“Is anyone else seeing this issue with other A/V vendors?” one company customer asked on March 22, in a post titled “Threat alerts from SentinelOne for desktop update initiated from desktop client.” The customer was referring to an endpoint malware detection product from security firm SentinelOne. Included in the post were some of SentinelOne’s suspicions: the detection of shellcode, code injection to other process memory space, and other trademarks of software exploitation.

 


Others were, in fact, seeing the same thing. These customers were busy writing exceptions for the application, figuring that a signed/trusted app from the manufacturer itself was likely resulting in a false negative. Other users followed suit. 3CX remained silent until Tuesday, March 28th.

A few minutes later, a member of the 3CX support team joined in the discussion for the first time, recommending that customers contact SentinelOne since it was that company’s software triggering the warning. Another customer pushed back in response, writing:

Hmmm… the more people using both 3CX and SentinelOne get the same problem. Wouldn’t it be nice if you from 3CX would contact SentinelOne and figure out if this is a false positive or not? – From provider to provider – so at the end, you and the community would know if it is still safe and sound?

This is, of course, precisely what should have happened. Instead, the 3CX rep said there were too many AV providers to go out there and call them all. Then he or she mentioned that they don’t control the antivirus software, but instructed the user to “feel free to post your findings” once they had called SentinelOne themselves.

Those findings were on display for everyone the following day when the attack and compromise of 3CX became very, very public.


 

You really would think that after SolarWinds first and Kaseya second, tech companies would know better than to ignore this sort of thing and actually talk to the security firms that are flagging their products."

Companies: 3cx
