3CX knew its app was flagged as malicious, but took no action for 7 days

The support team at 3CX, a VoIP/PBX software provider with more than 600,000 customers and 12 million daily users, was aware that its desktop app had been flagged as malware, yet after a week it still had not acted. A thread on the company’s community forums documents the early warnings of what turned out to be a massive supply chain attack.

“Are any other A/V vendors experiencing this issue?” one customer asked in the title of the post. The customer was referring to the endpoint malware detection product of the security company SentinelOne. The post included the details of SentinelOne’s detection: indicators of shellcode, code injection into another process’s memory space, and other exploit behaviors.

Has anyone had this issue with other A/V vendors?

Post-exploitation
Intrusion framework or shellcode detected
Evasion
Indirect command executed
Code injection into other process memory space during target process initialization
\Device\HarddiskVolume4\Users\**username**\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe
SHA1 e272715737b51c01dc2bed0f0aee2bf6feef25f1

The same trigger occurs when I try to re-download the app from the web client ( 3CXDesktopApp-18.12.416.msi ).
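The detection quoted above gives a defender two concrete things to act on: the per-user install path of 3CXDesktopApp.exe and a SHA-1 hash. The following script, added here as an illustration and not taken from 3CX, SentinelOne or the forum thread, walks a profiles directory, hashes every copy of the desktop app it finds, and reports any that match a known-bad hash. The only indicator it ships with is the SHA-1 from the post; the profile root, the environment variable PROFILE_ROOT and the demo-tree helper are assumptions for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# The only hash given in the forum post's detection output (lowercase hex SHA-1).
KNOWN_BAD_SHA1: Dict[str, str] = {
    "e272715737b51c01dc2bed0f0aee2bf6feef25f1": "3CXDesktopApp.exe flagged in the forum post",
}

# Per-user location shown in the detection output:
# <profile>\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe
APP_RELATIVE_PATH = Path("AppData") / "Local" / "Programs" / "3CXDesktopApp" / "3CXDesktopApp.exe"


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the lowercase hex SHA-1 of a file, hashing it in chunks so large binaries stay off the heap."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def candidate_binaries(profile_root: Path) -> Iterable[Path]:
    """Yield every per-user 3CXDesktopApp.exe below a profiles directory (for example C:\\Users)."""
    if not profile_root.is_dir():
        return
    for profile in sorted(profile_root.iterdir()):
        candidate = profile / APP_RELATIVE_PATH
        if candidate.is_file():
            yield candidate


def scan_profiles(profile_root: Path, iocs: Dict[str, str] = KNOWN_BAD_SHA1) -> List[Tuple[str, str, str]]:
    """Hash each candidate binary; return (path, sha1, label) for every one whose hash is in `iocs`."""
    hits: List[Tuple[str, str, str]] = []
    for binary in candidate_binaries(profile_root):
        digest = sha1_of_file(binary)
        if digest in iocs:
            hits.append((str(binary), digest, iocs[digest]))
    return hits


def make_demo_profile_root() -> Path:
    """Build a constructed profile tree (one user, an empty placeholder binary) so the scan can be tried offline.

    This is a hypothetical layout for the example; it does not come from the article.
    """
    root = Path(tempfile.mkdtemp(prefix="profiles-"))
    placeholder = root / "alice" / APP_RELATIVE_PATH
    placeholder.parent.mkdir(parents=True)
    placeholder.write_bytes(b"")  # empty file: SHA-1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    return root


if __name__ == "__main__":
    # Defaults to the Windows profile root; set PROFILE_ROOT to point the scan elsewhere.
    root = Path(os.environ.get("PROFILE_ROOT", r"C:\Users"))
    matches = scan_profiles(root)
    for path, digest, label in matches:
        print(f"MATCH {digest} {path} ({label})")
    if not matches:
        print(f"no known-bad 3CXDesktopApp.exe found under {root}")
```

A hash match is evidence that a specific flagged build is present, not proof that a machine is clean when nothing matches: a rebuilt or updated installer produces a different digest, so the scan should be combined with the behavioral indicators the detection listed (process injection, indirect command execution) rather than replace them.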

Trust by default

Other users quickly reported receiving the same warning from the SentinelOne software. One reported receiving the warning when running 18.0 Update 7 (build 312) of 3CXDesktopApp for Windows. That user quickly concluded that the detection was a false positive caused by a glitch in the SentinelOne product, and created an exception so the flagged app could run without interference. The following day, Friday, and the following Monday and Tuesday, more users reported receiving SentinelOne alerts.

In one of the more prescient contributions, one user wrote on Tuesday: “Current security state of supply chain attacks.”

A few minutes later, a member of the 3CX support team joined the discussion for the first time, recommending that the customer contact SentinelOne, since it was SentinelOne’s software that had triggered the alert. Another customer countered, writing:

Hmmm… The more people using both 3CX and SentinelOne, the more have the same problem. Wouldn’t it be nice if you at 3CX contacted SentinelOne to determine if this was a false positive? Can I know how?

A 3CX support representative replied:

That may sound ideal, but there are hundreds, if not thousands, of AV solutions out there, and they aren’t always accessible every time an event occurs. I’m using the Electron framework for my app; could that functionality be what is blocked?

As you probably know, we have no control over their software and the decisions it makes, so it’s not our place to comment on that. I think it makes more sense to check why this happened. If you get a reply, feel free to post your findings here.

It would be another 24 hours before the world learned that SentinelOne was right and those suspecting a false positive were wrong.

As previously reported, a threat group associated with the North Korean government compromised the 3CX software build system and used that control to push Trojanized versions of the company’s DesktopApp program for Windows and macOS. The malware caused infected machines to beacon to attacker-controlled servers and deployed a second-stage payload to specific targets, selected according to unknown criteria. In some cases, attackers performed hands-on-keyboard activity on infected machines, meaning the attacker manually executed commands.

The breakdown that led 3CX and its users to ignore the detections should serve as a wake-up call for both support teams and the end users who are typically the first to encounter suspicious activity. A representative for 3CX did not respond to messages seeking comment for this article.
