Many Customers May Reassess Using 3CX After Supply Chain Breach: Expert
All customers that use 3CX’s phone system ‘will and should engage in a new risk assessment of this vendor based on what’s happened,’ Sophos’ Christopher Budd tells CRN.
Following the supply chain breach of 3CX phone system software, which is sold exclusively by channel partners, customers should re-assess the risks of using 3CX products going forward, an expert from cybersecurity vendor Sophos told CRN.
Reports from researchers at Sophos and other security vendors since Wednesday have pointed to an active campaign using a compromised version of the 3CX Windows app to target the company’s customers.
The attack raises questions about the risks of continuing to use 3CX as a vendor — not only because it revealed severe issues in the company’s cyber defenses, but also because it’s unclear whether attackers may still have access to the 3CX supply chain and thus be able to infect future updates.
Ultimately, “everyone who is a customer will and should engage in a new risk assessment of this vendor — based on what’s happened, what information is released, what steps they’ve taken — and make a new risk-reward determination,” said Christopher Budd, senior manager of threat research at Sophos.
Doing this type of risk assessment based on security is also the right approach when it comes to any new product that is being considered for usage, Budd told CRN.
“You are relying on on the security and the quality of your vendor when you add them to your network,” he said. “People should be making a, ‘Do I trust this vendor?’ risk assessment every time they’re installing something new.”
How Did Hackers Get Access?
So far, while 3CX executives have acknowledged the attack and pledged to release a new version of the app soon, the company has not yet said how the attackers initially managed to get into its software supply chain.
Likewise, 3CX also has not provided assurances that the attackers no longer have access to the supply chain and are prevented from inserting malicious code into software updates going forward.
“It is not yet clear whether or not adversaries still have access to the 3CX supply chain in order to poison future updates,” wrote John Hammond, senior security researcher at Huntress, in a post Thursday. “Perhaps this may change the tradecraft we see in the coming days.”
CRN has reached out to 3CX for comment.
3CX reports on its website that it has more than 600,000 customers, with sales exclusively through its network of 25,000 partners. Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.
Hammond cited the Shodan server search engine in disclosing that there are more than 242,000 publicly exposed phone management systems from 3CX.
The recommendation from 3CX executives is to uninstall the desktop 3CX client, he noted.
On Wednesday, researchers from CrowdStrike, Sophos and SentinelOne published blog posts detailing their findings on an attack that appears to have compromised the 3CX desktop app, disclosing that they’ve observed malicious activity originating from a trojanized version of the desktop VoIP app from 3CX.
The attack has involved utilizing a code-signing certificate to provide the software’s trojanized binaries with legitimacy, according to researchers.
At present, a “definitive attribution is not yet clear” for the attack, Hammond wrote, but “the current consensus across the security community is that this attack was performed by a DPRK [North Korea] nation-state threat actor.”
The breach “appears to have been a targeted attack from an advanced persistent threat, perhaps even state sponsored, that ran a complex supply chain attack” using the Windows version of the app, 3CX Chief Information Security Officer Pierre Jourdan wrote in a post Thursday.
“We apologize profusely for what occurred and we will do everything in our power to make up for this error,” he wrote.