reader comments
38 with
The support team for 3CX, the VoIP/PBX software provider with more than 600,000 customers and 12 million daily users, was aware its desktop app was being flagged as malware but decided to take no action for a week when it learned it was on the receiving end of a massive supply chain attack, a thread on the company’s community forum shows.
“Is anyone else seeing this issue with other A/V vendors?” one company customer asked on March 22, in a post titled “Threat alerts from SentinelOne for desktop update initiated from desktop client.” The customer was referring to an endpoint malware detection product from security firm SentinelOne. Included in the post were some of SentinelOne’s suspicions: the detection of shellcode, code injection to other process memory space, and other trademarks of software exploitation.
Is anyone else seeing this issue with other A/V vendors?
Post Exploitation
Penetration framework or shellcode was detected
Evasion
Indirect command was executed
Code injection to other process memory space during the target process’ initialization
DeviceHarddiskVolume4Users**USERNAME**AppDataLocalPrograms3CXDesktopApp3CXDesktopApp.exe
SHA1 e272715737b51c01dc2bed0f0aee2bf6feef25f1I’m also getting the same trigger when attempting to redownload the app from the web client ( 3CXDesktopApp-18.12.416.msi ).
Defaulting to trust
Other users quickly jumped in to report receiving the same warnings from their SentinelOne software. They all reported receiving the warning while running 18.0 Update 7 (Build 312) of the 3CXDesktopApp for Windows. Users soon decided the detection was a false positive triggered by a glitch in the SentinelOne product. They created an exception to allow the suspicious app to run without interference. On Friday, a day later, and again on the following Monday and Tuesday, more users reported receiving the SentinelOne warning.
In one of the more prescient contributions, one user on Tuesday wrote: “We have implemented the same ‘fixes’ as described here, but a response from 3CX and/or SentinelOne would be really helpful as I do not like defaulting to trust in the current security landscape of supply chain attacks.”
reported earlier, a threat group tied to the North Korean government compromised the 3CX software build system and used the control to push Trojanized versions of the company’s DesktopApp programs for Windows and macOS. The malware causes infected machines to beacon to actor-controlled servers and, depending on unknown criteria, the deployment of second-stage payloads to specific targets. In a few cases, the attackers carried out “hands-on-keyboard activity” on infected machines, meaning the attackers manually ran commands on them.
The breakdown involving the disregarded detection by 3CX and its users should serve as a cautionary tale to both support teams and end users, since they’re usually the first to encounter suspicious activity. 3CX representatives didn’t respond to a message seeking comment for this story.