This article is more than 1 year old

3CX thought supply chain attack was a false positive

'It's not unusual for VoIP apps' says CEO

Updated The CEO of VoIP software provider 3CX said his team tested its products in response to alerts of suspicious activity that was later found to be a supply chain attack, and assessed reports of issues with the software as a false positive.

We noted earlier that 3CX confirmed its software had been tampered with a week after users mentioned on the vendor's forums that antivirus had flagged the desktop apps as displaying suspicious activity. That unwanted activity was due to those folks using a 3CX desktop app that had been secretly stuffed with malicious code by an intruder in a classic supply chain attack.

CEO Nick Galea followed up with The Register by email that 3CX did not ignore alerts, generated by infosec house SentinelOne, but rather "chose to double check our desktop app on VirusTotal and since it gave our app the all clear we considered the SentinelOne alert a false positive. It's not unusual for VoIP apps. We checked again a few days later and got the same result."

"We could only realize the extent of the breach after Crowdstrike gave us full details and then we immediately responded to the best of our abilities which by no means was Olympic medal standard," added Galea, who conceded that responding to a supply chain attack is, well, rather hard.

SentinelOne detected unusual activity on March 22. Crowdstrike saw similar on March 29, and the same day Galea took to the company's forums to address the issue. In between, many had wondered if 3CX – which boasts 12 million daily users and whose clients include Mercedes Benz, McDonald's, BMW, Holiday Inn, the NHS, American Express, Coca-Cola and Air France – was going to issue a statement about the indicators of compromise to its products.

At the time, 3CX advised its customers to use its progressive web app (PWA) and ditch its desktop app – a hard ask for some as the former does not support hotkeys or replicate the busy lamp (BLF) used to indicate calls in progress on physical phone handsets. The firm said it was working to add those features to its web app.

"The PWA app is completely web based and does 95 percent of what the electron app does," read a March 30 blog post.

In 3CX's latest update, posted April 1, Galea skated over the response to SentinelOne's reports, claiming 3CX took swift and appropriate action.

"On March 29, 3CX received reports from a third party of a malicious actor exploiting a vulnerability in our product. We took immediate steps to investigate the incident, retaining Mandiant, leading global cybersecurity experts," argued the CEO.

Although Crowdstrike has already identified North Korea's Lazarus-linked Labyrinth Chollima group as the most likely culprit, Galea declined to identify any leads and only stated that "the incident was carried out by a highly experienced and knowledgeable hacker."

3CX said it is automatically extending customer subscriptions by three months free of charge.

The incident is the most prominent supply chain attack since 2020's attack on SolarWinds software, also known as Sunburst, and 2021's Kaseya attack. ®

Updated on April 10

The story was revised after 3CX got in touch with us again. The biz told us that prior to March 29 it and its users were aware of third-party vendors' reports of anomalous network behavior. However, no suspicious activity on customer networks was at the time actually detected, 3CX claims.

More about


Send us news

Other stories you might like