Disclaimer: ARP20 focuses on bringing the news in clear, easy to follow language. For that purpose, this article brings a simplified version of events.
Definitions in this article
- SentinelOne and Crowdstrike: providers of security solutions.
- Malicious behaviour: When applications start to do something they’re not supposed to do
- Backdoor: A security term for an exploit that gives hackers access to a network or device
This week, alarm bells went off as the popular softphone app 3CX (which is used in combination with solutions like Sonos) started triggering security solutions. IT departments who scrambled to roll out a fix who decided to whitelist the application might have made a costly mistake.
First detected by SentinelOne and Crowdstrike, 3CX started triggering security solutions who in response started blocking the application. When this problem was brought to the developers of the 3CX app their advice was to “discuss this with the security vendors” which made it sound like a problem or false positive on their end.
However, a deeper analysis showed that SentinelOne and Crowdstrike were detecting malicious behavior. The application showed various signs of malware behavior, including running shells, trying to contact remote servers and trying to create a backdoor to the network.
A deep analysis of the application revealed that the app is the victim of a “supply chain attack”, which means that one of the suppliers or the tools of a supplier is compromised. In the case of the 3CX app, it appears that a software library used by 3CX was compromised by attackers. Software developers often use libraries created by other people in their applications to speed up development.
Both the Windows and MacOS version of the 3CX application are affected by the malware. No updated version of the software has been made available. Companies using the software that don’t have the proper tools in place to block the behavior of the application are recommended to immediately remove the application and perform a security audit.
Advisory
Companies were the 3CX app was successfully blocked should wait until a new version of the software is released. In the meanwhile, under no circumstances should the app be whitelisted.
For companies that do not have EDR in place, it is best to treat this as a security incident that requires an evaluation of their network to detect attacker activity. Uninstalling the application would be the best course of action but will not be sufficient as the attackers might have already gained access to the network.
The same advice applies to companies that have made the mistake of whitelisting the application. They should also be performing an audit of their network security and review their internal processes which lead to ignoring the security warnings.