On March 22nd(ish), 3CX released an update for their PBX (v18 U7) which contained malware. Below is a breakdown of what we know so far, in a very short and concise manner. It is not the goal of this post to talk about the hack (which is a very bad name for what happened), but rather to discuss how 3CX handled it.
The update contained a new version of the 3CX Desktop App. These apps are Electron based and ship a file, ffmpeg.dll, that was infected. Anyone who installed the new version of the 3CX Desktop App (available for Mac and Windows) installed malware.
Additionally, an older version of the Mac 3CX Desktop App included in v18 U6 was infected as well.
The Report:
On March 22nd a user posted to the 3CX forums saying that SentinelOne, a very high end and slightly over protective NGAV, was detecting malware in the 3CX Desktop App. This report went unanswered by 3CX for quite some time, and many other users chimed in advising it may be a false positive and to whitelist it. Eventually, on March 28th, a single 3CX employee chimed in stating they couldn’t test every single AV and the user should reach out to the AV manufacturer:
If you use SentinelOne and have this issue, it’s best to contact them directly to provide you with feedback on why they remove the app.
Followed by this post:
Hi skuers,
While that would sound ideal, there’s hundreds if not thousands of AV solutions out there and we can’t always reach out to them whenever an event occurs. We use the Electron framework for our app, perhaps they are blocking some of its functionality?
As you probably understand, we have no control over their software and the decisions it makes so it’s not exactly our place to comment on it. I think in this case at least, it makes more sense if the SentinelOne customers contact their security software provider and see why this happens. Feel free to post your findings here if you get a reply.
The Infection Is Confirmed:
Shortly thereafter, on March 29th, Crowdstrike (another very good NGAV) blew the doors on this infection wide open. They confirmed it was infected and how, releasing a ton of details to help the security community at large.
3CX’s response:
Once Crowdstrike released the details, 3CX went silent at first. Not a single reply, email, blog post, or anything else was released for many hours. Users were left scrambling trying to pick up the pieces and find out the next steps.
Finally, many hours later, 3CX advised removing the apps, scanning with your AV of choice, and working with Nextron to release a THOR “lite” scanner. I’ll leave the long details out, because the key piece is the response. The report was ignored for days; once the details were public it took many hours before a single thing was posted (not even a “we’re looking into this”); it blamed a third party (claimed ffmpeg was compromised upstream, but ffmpeg does not distribute compiled binaries); and overall it was a prime example of how NOT to respond to a security incident.
While I’ve worked very hard to keep this website about 3CX’s reply, I will state the facts, as they are known at this time, for those who stumble on this website.
Provided you are NOT running the 3CX Desktop App on Mac or Windows with one of the following versions, you should be safe from the infection:
Windows: 18.12.407 & 18.12.416
Mac: 18.11.1213 & 18.12.402 & 18.12.407 & 18.12.416
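As an added example (not from the original post, and not 3CX’s own tooling), here is a PowerShell inventory check a Windows admin can run to see whether a host has one of the affected Windows versions listed above. It assumes the Desktop App registers under the standard Uninstall registry keys with a DisplayName beginning “3CX” (an assumption; adjust the pattern if your install registers differently); the Mac versions are not covered by this check.

```powershell
# Added example (not from the original post): check a Windows host for the
# 3CX Desktop App versions the post lists as affected.
# Assumption: the app registers under the standard Uninstall keys with a
# DisplayName starting "3CX" (adjust the -like pattern if yours differs).

$AffectedWindowsVersions = @('18.12.407', '18.12.416')   # versions from the post

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'   # per-user installs
)

function Get-3CXDesktopInstall {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -like '3CX*Desktop*' } |
            ForEach-Object {
                # Strip a leading "v" so "v18.12.407" and "18.12.407" compare equal
                $ver = [string]$_.DisplayVersion -replace '^v', ''
                [PSCustomObject]@{
                    Computer = $env:COMPUTERNAME
                    Name     = $_.DisplayName
                    Version  = $ver
                    Location = $_.InstallLocation
                    Affected = ($AffectedWindowsVersions -contains $ver)
                }
            }
    }
}

$found = @(Get-3CXDesktopInstall)
if ($found.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no 3CX Desktop App registered in Uninstall keys"
} else {
    $found | Format-Table -AutoSize
}
# Affected = True means the host matches a version the post lists: follow the
# post's guidance (remove the app and scan), and point your AV/IR tooling at the
# ffmpeg.dll the Electron app ships under InstallLocation.
```

Run it across a fleet (for example via your RMM or Invoke-Command) and collect the objects to get a per-host list of affected installs rather than relying on users to self-report.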