Do you use comms software from 3CX? What to do next after biz hit in supply chain attack

Two security firms have found what they believe to be a supply chain attack on communications software maker 3CX – and the vendor's boss is advising users to switch to the progressive web app until the 3CX desktop client is updated. 3CX started as a vendor of PBX software, and evolved to offer voice, video, and …

  1. Anonymous Coward

    Typically arrogant behaviour by this vendor. It seems they knew about it a fair time before they admitted to it, and partners still have not received any push communication beyond what is on their public site. Do they deserve our business?

    1. Anonymous Coward

      more likely it didn't

      It is more likely that it didn't make it up the food chain until someone with some real importance to the bottom line weighed in.

    2. sanmigueelbeer Silver badge
      WTF?

      Someone asked Nick some (tough) questions (PICTURE), to which Nick replied (PICTURE) and then banned the person from the 3CX forum.

      1. TonyJ

        I would suggest to any customers that if the initial handling weren't enough to make you consider another vendor, then knowing you will be sent shitty emails and banned by the CEO should be.

        I don't even agree that they were tough questions. They wanted transparency that's all.

    3. aerogems Silver badge
      Mushroom

      If I were a CTO of a company, I'd be having some underling evaluating other options and taking bids. I'd also make sure 3CX knew what was going on and why.

  2. Anonymous Coward

    Cover up

    These shitbags are trying to cover this up. They're downplaying it on social media, they haven't informed their customers (many of whom will have been running a trojan for well over a week!) and they ignored it on their forums for a week before basically replying "take it up with your antivirus company" (you really should see this exchange for yourself, go look at their forum, it's really quite something!).

    We use 3CX. We weren't affected by this because we don't use the desktop client. We started looking at alternatives this afternoon!

  3. VoiceOfTruth

    It's OK

    -> unexpected malicious activity emanating from a legitimate, signed binary

    It's legitimate signed malware-infected software.

  4. Furious Reg reader John

    Yet another nail in the coffin of on-prem PBXs.

    1. Ochib

      3CX do off-Prem PBX as well

      "3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically. Servers will be restarted and the new Electron App MSI/DMG will be installed on the server. We recommend that you DO NOT install or deploy the Electron App. This update is only to ensure that the trojan has been removed from the 3CX Server where Desktop Apps are stored and in case any users decide to deploy the app anyway. During the restart there might be disruption for a few minutes while we restart your server."

    2. TonyJ

      But it isn't the PBX, but the binary app?

    3. Anonymous Coward

      Misunderstood the assignment

      3CX is only very rarely deployed in on-prem... it's 99% cloud deployed, so you've missed the mark a bit there.

      1. Furious Reg reader John

        Re: Misunderstood the assignment

        Yes, I screwed up.

        Another nail in the coffin of self-hosted PBXs.

        And, yes, I do understand it is the desktop app, but the use of a desktop app goes hand in hand with the mindset of running the PBX yourself.

        1. katrinab Silver badge
          WTF?

          Re: Misunderstood the assignment

          Teams has a desktop app, as does Zoom. Neither of them could in any way be described as self-hosted.

          1. Furious Reg reader John

            Re: Misunderstood the assignment

            You must love patching if you think that using desktop apps for everything is the way to go.

            1. TonyJ

              Re: Misunderstood the assignment

              "...You must love patching if you think that using desktop apps for everything is the way to go..."

              Or, you know, if you read some of the forums, you'd know that some of 3CX's users need and use functionality that is currently only available in the desktop application.

              Easy to criticise without all of the facts.

        2. Anonymous Coward

          Re: Misunderstood the assignment

          Mate*, stop digging.

          *Furious Reg reader John

        3. Anonymous Coward

          Re: Misunderstood the assignment

          3CX do completely managed (as in, non-self-hosted; as in, in their cloud) PBXs as well (StartUP), so I'm afraid you've missed the mark again. Possibly best not to comment on something you're not particularly familiar with.

          (Disclaimer, 3CX Partner - Don't work for 3CX, just fear that someone at 3CX may be reading my posts and Nick Galea will knee-jerk revoke my partner status, ban me from their forums as he has several others in times gone by - AND then e-mail all my customers directly to sell them...)

          1. Furious Reg reader John

            Re: Misunderstood the assignment

            So how is 3CX StartUP evidence that self-hosted PBXs are the future?

          2. Anonymous Coward

            Re: Misunderstood the assignment

            3cx always cunts, taking an opensource PBX over and killing it, knew they were cunts years ago.

    4. katrinab Silver badge
      WTF?

      Apart from the fact that 3CX is mostly cloud, surely cloud PBXes are slightly more vulnerable to this sort of thing than on-prem?

      Only slightly though, in the overall scheme of things, it doesn't make much difference either way.

      1. Reaps

        Nope, cloud is always worse, you have no real control. That's why it seems cheap.

  5. IanRS

    Arrogance or ignorance?

    "this type of thing can never happen"

    Saying that is just asking for trouble.

  6. ChipsforBreakfast

    A lesson in how not to handle an incident

    Step 1 - Ignore it and hope it'll go away.

    Step 2 - Deny it. Claim it's a false positive.

    Step 3 - Admit it, but don't say anything useful.

    Step 4 - Argue with customers who need actual information and not marketing spin.

    Step 5 - Watch as those same customers plan their migrations.

    We are (or perhaps that should be were) a 3cx reseller & user. Their handling of this incident has been poor to say the least - poor disclosure, poor communication, poor remediation. Ok, this impacted a part of their offering that thankfully few of our clients actually use but that's not the point - if I can't trust their vulnerability handling processes I can't trust their application.

    1. Anonymous Coward

      Re: A lesson in how not to handle an incident

      you should have taken note when they took over an opensource project and turned it closed, cunts, untrustworthy

  7. MJI Silver badge

    JCB not listed

    I know, I know, but to me 3CX is a very popular digger.
