Thursday, March 30, 2023

3CX's Silence about the Supply Chain Attack is not new for the Tech World

As much as I'd prefer my first professional blog post to be something more... personal, I suppose, last night's 3CX Vulnerability reveal is the most recent of many known cybersecurity issues that get very little attention paid onto them until other media resources start talking about it, then it is all hands on deck. Except, not really. Allow me to explain. 

Before I go too deep into this, I want to start off by saying that I'm going to be referencing the article that tipped off to an issue last night before stream, a whole 12 hours before 3CX would make a statement, written by BleepingComputer. The article does a fantastic job of explaining what happened, but for those who are curious, here's a short and sweet version:

  • 3CX, a Voice-over Internet Protocol (VoIP) phone company's desktop client was compromised via its GIT repository, in which threat actors injected malicious registry-editing code to 'beacon' back to retrieve the payload.
  • Should the payload run, it would harvest system info, including stored credentials from Chrome, Edge, Brave, and Firefox User profiles, then attempt to connect back to deliver the stolen information. 

Here's the fun part about all of this, certain Anti-Virus (AV) systems were already detecting that something wasn't right as of MONDAY.  In fact, some were even doing as they should have and began wiping the 3CX installation from running, so you would think at some point, 3CX would have made a proper statement, right? 

... RIGHT?

Well, they sort of did. As more and more users came pouring into the 3CX support pages, we get this THRILLING bit of information from someone (who probably doesn't have a job anymore) on the support team. Ahem: 

    "While [contacting the AV softwares] sounds ideal, there's hundreds if not thousands of AV solutions out there and we can't always reach out to them whenever an event occurs. ... it makes more sense if the SentinelOne {AV in question} customers contact their security provider and see why this happens. Feel free to post your findings here if you get a reply." - JohnS_3CX

 God, I'd hate to be them right now. And I'm sure it doesn't take a System Administrator to see why this was the absolute worst answer you could've given to a bunch of concerned individuals. In fact, a Gold Partner SweetAction came in to add this great nugget of information after people raised concern about whitelisting the application:

"...the executable is signed by the trusted vendor and the vendor has stated multiple times that you should bring it up with the AV vendor... What does IT do when a business app is being flagged by AV and all indications are that it's a false positive?" But hey, at least you can reach out to their company to have them give your data away. They're great for HOTELS, SCHOOLS, AND MULTI-SITE LOCATIONS. Hell, THEY'RE THEIR SPECIALTIES

But you know what the cherry on top is, dear reader? Even the CEO, the CEO of 3CX himself, Nick Galea came out on one of these forum threads and says the following,

"... I don't even know why we promote both and we will review this." 

Mind you that this is in reference to why they have the Desktop version and the PWA (Phone Web App) version. So, not only did they not respond in the way that they should've, but they really hit us with the "Damn I'unno lmao" response too. But, this isn't the first time we've seen something like this, and quite honestly, this won't be the last time we see it either. Allow me to explain. 

See, as someone who has written Disaster Recovery (DR) plans and has implemented them across different locations, this is a pretty common thing to do at first - you keep your mouth shut to the public as long as possible about really happened. Then, once you have a good grasp on the situation, you can then make a public announcement with a plan of attack, remediation options, etc. 

HOWEVER...

It should have never escalated to the level that it did, with the severity of what happened behind it, with as minimal as a response that it got. This was a known issue, something that multiple AV systems were screaming about for almost a week, and thanks to a lack of communication about it, hell, even chalking this up to false positives of all things, was an absolutely terrible way to come about it. Add onto the fact that there has yet to be an official email or anything of the sort to let users know that something to this magnitude has happened, and yeah, I can easily foresee 3CX losing customers. 

Anyway, the phone's ringing, you going to answer it?

No comments:

Post a Comment

The Joy of Creating

The Joy of Creating So, I recently played The Beginner's Guide And if you haven't heard of it, it's a fant...