
3CX decided supply chain attack indicator was a false positive after VirusTotal tests

The CEO of VoIP software provider 3CX said his team tested its products in response to recent alerts notifying it of a supply chain attack, but assessed that reports of a malware infestation were a false positive.

Nick Galea told The Register by email that 3CX did not ignore alerts but rather “chose to double check our desktop app on VirusTotal and since it gave our app the all clear we considered the SentinelOne alert a false positive. It’s not unusual for VoIP apps. We checked again a few days later and got the same result.”

“We could only realize the extent of the breach after Crowdstrike gave us full details and then we immediately responded to the best of our abilities which by no means was Olympic medal standard,” added Galea, who conceded that responding to a supply chain attack is, well, rather hard.

SentinelOne detected unusual activity on March 22. Crowdstrike saw similar on March 29, and the same day Galea took to the company’s forums to address the issue. In between, many had wondered if 3CX – which boasts 12 million daily users and whose clients include Mercedes Benz, McDonald’s, BMW, Holiday Inn, the NHS, American Express, Coca-Cola and Air France – was going to issue a statement about the indicators of compromise to its products.

At the time, 3CX advised its clients to use its progressive web app (PWA) and ditch its desktop app – a hard ask for some as the former does not support hotkeys or replicate the busy lamp (BLF) used to indicate calls in progress on physical phone handsets. The firm said it was working to add those features to its web app.

“The PWA app is completely web based and does 95 percent of what the electron app does,” read a March 30 blog post.

In 3CX’s latest update, posted April 1, Galea skated over the response to SentinelOne’s reports, claiming 3CX took swift and appropriate action.

“On March 29, 3CX received reports from a third party of a malicious actor exploiting a vulnerability in our product. We took immediate steps to investigate the incident, retaining Mandiant, leading global cybersecurity experts,” argued the CEO.

Although Crowdstrike has already identified North Korea’s Lazarus-linked Labyrinth Chollima group as the most likely culprit, Galea declined to identify any leads and only stated that “the incident was carried out by a highly experienced and knowledgeable hacker.”

3CX said it is automatically extending customer subscriptions by three months free of charge.

The incident is the most prominent supply chain attack since 2020’s attack on SolarWinds software, also known as Sunburst, and 2021’s Kaseya attack. ®
