The support team for 3CX, the VoIP/PBX software provider with more than 600,000 customers and 12 million daily users, was aware its desktop app was being flagged as malware but decided to take no action for a week, until it learned it was on the receiving end of a massive supply chain attack, a thread on the company’s community forum shows.
“Is anyone else seeing this issue with other A/V vendors?” one company customer asked on March 22, in a post titled “Threat alerts from SentinelOne for desktop update initiated from desktop client.” The customer was referring to an endpoint malware detection product from security firm SentinelOne. Included in the post were some of SentinelOne’s suspicions: the detection of shellcode, code injection to other process memory space, and other trademarks of software exploitation.
Is anyone else seeing this issue with other A/V vendors?
Penetration framework or shellcode was detected
Indirect command was executed
Code injection to other process memory space during the target process’ initialization
I’m also getting the same trigger when attempting to redownload the app from the web client (3CXDesktopApp-18.12.416.msi).
Defaulting to trust
Other users quickly jumped in to report receiving the same warnings from their SentinelOne software. They all reported receiving the warning while running 18.0 Update 7 (Build 312) of the 3CXDesktopApp for Windows. Users soon decided the detection was a false positive triggered by a glitch in the SentinelOne product. They created an exception to allow the suspicious app to run without interference. On Friday, a day later, and again on the following Monday and Tuesday, more users reported receiving the SentinelOne warning.
In one of the more prescient contributions, one user on Tuesday wrote: “We have implemented the same ‘fixes’ as described here, but a response from 3CX and/or SentinelOne would be really helpful as I do not like defaulting to trust in the current security landscape of supply chain attacks.”
A few minutes later, a member of the 3CX support team joined in the discussion for the first time, recommending that customers contact SentinelOne since it was that company’s software triggering the warning. Another customer pushed back in response, writing:
Hmmm… the more people using both 3CX and SentinelOne get the same problem. Wouldn’t it be nice if you from 3CX would contact SentinelOne and figure out if this is a false positive or not? – From provider to provider – so at the end, you and the community would know if it is still safe and sound?
The 3CX support rep replied:
While that would sound ideal, there’s hundreds if not thousands of AV solutions out there and we can’t always reach out to them whenever an event occurs. We use the Electron framework for our app, perhaps they are blocking some of its functionality?
As you probably understand, we have no control over their software and the decisions it makes so it’s not exactly our place to comment on it. I think in this case at least, it makes more sense if the SentinelOne customers contact their security software provider and see why this happens. Feel free to post your findings here if you get a reply.
It would be another 24 hours before the world learned that SentinelOne was right and the people suspecting a false positive were wrong.
As reported earlier, a threat group tied to the North Korean government compromised the 3CX software build system and used the control to push Trojanized versions of the company’s DesktopApp programs for Windows and macOS. The malware causes infected machines to beacon to actor-controlled servers and, depending on unknown criteria, leads to the deployment of second-stage payloads to specific targets. In a few cases, the attackers carried out “hands-on-keyboard activity” on infected machines, meaning the attackers manually ran commands on them.
The breakdown involving the disregarded detection by 3CX and its users should serve as a cautionary tale to both support teams and end users, since they’re usually the first to encounter suspicious activity. 3CX representatives didn’t respond to a message seeking comment for this story.