When the CEO of 3CX, a global online communications company, first saw an antivirus alert last week flagging a potential problem in software associated with one of the company’s apps that lets users make calls over the internet, he didn’t give it much attention. Because of the volume of similar warnings, Nick Galea said, the company didn’t react immediately.
All that changed Wednesday when researchers at the cybersecurity firm CrowdStrike reported that the problem could have given hackers linked to North Korea a gateway into thousands of companies around the world.
“Because of the way VOIP apps work, it wouldn’t be the first time [we got flagged]. It happens quite frequently — so I have to be honest we didn’t take it that seriously,” Galea told CyberScoop in an interview Thursday. “We did upload it to a site called VirusTotal to check … and none of the anti-virus engines flagged us of having a virus, so we just left it at that.”
It’s not yet clear which customers or how many individuals may be impacted by the attack, but 3CX has millions of customers worldwide and provides products to giant companies like Toyota, Chevron and Pepsi. Researchers at CrowdStrike tied the attack to the notorious North Korean Lazarus Group hacking syndicate.
At this point, Galea said, 3CX isn’t sure just how widespread the attack is, but it’s likely that hundreds of thousands have downloaded the infected update. In hindsight, he said, the company should have acted sooner to respond to the incident, but it didn’t fully understand the severity of the situation until it received more information from CrowdStrike.
“Then we gave it much more, let’s say importance, which we should have done before we fully understand now. It’s just we didn’t understand before the severity of it,” Galea said. “We have a security team, we do our own pentesting, we’ve got software scanners, we got a CSO of course,” he said. “Nonetheless, they outsmarted us.”
He said 3CX has hired the cybersecurity firm Mandiant to respond to the incident. Mandiant confirmed that it is working with 3CX, but did not have any additional details.
Galea said the company is still learning about the incident itself and was hesitant to share information that could be inaccurate or change. “It’s pretty serious. We apologize to all of our customers and partners. We’re trying to do the best we can but I do think we’re getting to the bottom of it and I feel confident that with Mandiant we can get through this.”
On Thursday, multiple threat intelligence teams published their own analyses of the malware and what may have happened. Volexity, a cybersecurity services firm based in Virginia, wrote in a blog that its analysis showed that both the Windows and macOS installers for 3CX’s desktop application had malicious code inserted into them before being provided to customers, suggesting that “3CX was itself compromised by the threat actor for a period of time prior to the infection, allowing the attacker to develop an understanding, access, and malicious code for the development-update process of the company.”
Galea said the company didn’t know whether the hackers had compromised its own systems but acknowledged it was possible. He said the hackers injected the malicious code into one of the dependencies in the Electron app. Additionally, he said, 3CX scans its code for malicious files before uploading anything but did not find anything.
“Supply chain attacks are relatively rare due to the high level of technical and operational capability required for success,” Volexity’s researchers wrote. “However, organizations with a large customer base, such as 3CX, are attractive targets due to the broad level of access these attacks can grant threat actors.”
Patrick Wardle, the founder of the Objective-See Foundation and an expert in macOS malware, took to Twitter to walk through an initial analysis of the macOS installer and published a subsequent blog focused solely on the macOS aspects. The installer was validly signed by the 3CX developer, he noted, and also notarized by Apple, which means that “Apple checked it for malware ‘and none was detected’ … yikes,” Wardle wrote.
Analysis showed the installer would lead a user to the same domain used by the Windows installer, which is no longer functional. The code showed that the macOS malware did expect a second-stage payload, Wardle wrote, but since he didn’t have access to that part of the malware, “what it does is a mystery.”
Galea said that the macOS version has only a couple of thousand users, adding that the company removed the malicious code and issued an update in the hopes of preventing further damage. “It’s been a pretty awful day I have to say,” Galea said.