Introduction: In a recent interview, we spoke with one of DigeTekS’ technical team members to understand how he discovered and addressed a phone system vendor compromise. The incident, initially learned of from a Reddit post and corroborated by CrowdStrike, raised our concerns for clients who might be using the 3CX Desktop app. This article sheds light on the proactive steps taken to protect our clients and the outcomes of the situation.

Background: On a Wednesday evening after hours, one of our cybersecurity experts, Nate Griffith, came across a Reddit post that highlighted the 3CX compromise. Nate was browsing online information and articles to stay up to date on current news and issues in our industry. Knowing that one of our clients uses 3CX as their phone system, Nate swiftly recognized the risk this posed. Nate stated that, “because I was browsing Reddit, I was able to get an earlier jump on this quickly. Even waiting just a few days could have led to a completely different situation.”

Protective Measures Implemented: Following our standard incident response approach, Nate immediately alerted our cybersecurity-focused team and completed the following steps.

  1. Assessment and Reporting: Nate immediately accessed our Remote Monitoring and Management (RMM) system to generate a report on the version of the application being used by the affected client. It was discovered that the client had the vulnerable version installed on multiple devices.
  2. Collaboration with Vendors: To expedite the protection process, Nate contacted our eXtended Detection and Response (XDR) and Ringfencing/Privileged Access Management vendors, who were already aware of the situation. Together, they remediated and implemented necessary safeguards.
  3. Network Protection: The XDR team provided Nate with a list of domain names associated with the compromise. These domains were promptly added to the block list on the client's firewall and DNS filtering software, preventing any malicious communications.
  4. Monitoring and Investigation: Nate and the XDR SOC team closely monitored network activity, paying particular attention to any indicators of compromise. Thorough investigations were conducted to ensure no malicious communication had occurred.
  5. Removal and Cleanup: Utilizing an advanced uninstall utility, Nate systematically removed the affected 3CX Desktop app version from all devices. A subsequent file scan was performed to identify and eliminate any remaining related files.
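Steps 1, 3 and 4 above (inventory the installed app version, block the vendor-supplied domains, then check whether any host actually contacted them) can be turned into repeatable checks. The following is an added example written for this article, not DigeTekS’ or 3CX’s own tooling; the inventory export format, the version strings, the IoC domains and the DNS log lines are all constructed placeholders, since the article does not publish the real values.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an RMM software-inventory export (hostname, product, version).
# The version strings are placeholders, not real 3CX release numbers.
INVENTORY_CSV = """hostname,product,version
WS-ACCT-01,3CX Desktop App,PLACEHOLDER-AFFECTED
WS-ACCT-02,3CX Desktop App,PLACEHOLDER-CLEAN
WS-SALES-07,3CX Desktop App,PLACEHOLDER-AFFECTED
WS-SALES-08,Google Chrome,113.0
"""

# Constructed stand-ins for the vendor-supplied domain list; these are not real IoCs.
IOC_DOMAINS = {"ioc-example-1.invalid", "ioc-example-2.invalid"}

# Constructed DNS resolver log lines: timestamp, client host, queried name.
DNS_LOG = """2023-01-04T22:14:03Z WS-ACCT-01 cdn.ioc-example-1.invalid
2023-01-04T22:14:05Z WS-ACCT-02 www.example.com
2023-01-04T22:15:11Z WS-SALES-07 ioc-example-2.invalid
2023-01-04T22:16:40Z WS-SALES-08 notioc-example-1.invalid
"""

def affected_hosts(inventory_csv, product, affected_versions):
    """Return hosts where `product` is installed at one of `affected_versions`."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted(r["hostname"] for r in rows
                  if r["product"] == product and r["version"] in affected_versions)

def matches_ioc(name, ioc_domains):
    """True if `name` is an IoC domain or a subdomain of one. Matching is on whole
    labels, so 'notioc-example-1.invalid' does not match 'ioc-example-1.invalid'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ioc_domains)

def ioc_lookups(dns_log, ioc_domains):
    """Map each host that queried an IoC domain to the names it looked up."""
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        _ts, host, qname = line.split()
        if matches_ioc(qname, ioc_domains):
            hits[host].append(qname)
    return dict(hits)

if __name__ == "__main__":
    print(affected_hosts(INVENTORY_CSV, "3CX Desktop App", {"PLACEHOLDER-AFFECTED"}))
    print(ioc_lookups(DNS_LOG, IOC_DOMAINS))
```

Hosts returned by `affected_hosts` are the uninstall list for step 5; hosts returned by `ioc_lookups` are the ones that need the deeper investigation described in step 4, because a blocked query still shows the app tried to reach out.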

Negative Effects: The primary consequence of this incident was the temporary loss of access to the phone system for our client. However, they understood the situation and the need for immediate action. To mitigate this inconvenience, we are currently testing a replacement app that remains unaffected by the compromise, and the preliminary results look positive.

The Urgency to Act: Our expert's decision to spring into action was fueled by their unwavering commitment to protect our clients. Although the situation was still unfolding, prompt intervention ensured that our client remained unharmed by the compromise.

Reflecting on the Process: When asked if any changes would be made to the response process, our expert expressed satisfaction with the actions taken. The rapid response and collaboration with vendors and our internal Security Operations Center (SOC) team were instrumental in containing the threat effectively.

Resolution: Our expert believes that the resolution achieved in this case represents the best possible outcome. Staying on top of industry trends and news helps our team to remain “driven to protect our clients.” By promptly detecting the issue through Reddit and taking immediate action, our clients were shielded from potential damage. Even a delay of a few days could have led to a significantly different outcome.

Conclusion: Through proactive measures and swift action, we successfully protected our clients from a software compromise that was still unfolding. Nate’s efforts highlight the importance of staying vigilant, leveraging available resources, and maintaining a commitment to cybersecurity standards. As part of your team, you can count on us to continue to prioritize cybersecurity and remain dedicated to ensuring the utmost protection for your environment.