The unsettling supply chain attack on VoIP provider 3CX came to light on Wednesday, but it looks like the hackers behind the assault have been trying to infect 3CX users for weeks.
The findings come from cybersecurity provider SentinelOne, which offers enterprise-grade antivirus protection for computers. The company’s data now shows the hackers behind the attack began trying to infect users of the 3CX Mac desktop app as early as March 8.
That means the hackers may have had 21 days to secretly serve up malware to users before 3CX realized that its software had been breached. Approximately 600,000 businesses, including major brands such as Coca-Cola, Holiday Inn, and BMW, use 3CX software.
The supply chain attack involved the hackers hijacking the 3CX desktop app for both Windows and Mac, and triggering it to download malware to select computers. Several antivirus companies then detected a surge of malicious activity occurring through the 3CX desktop app on Wednesday, making it clear the threat was widespread.
But as it turns out, SentinelOne’s software had started flagging the 3CX app as malicious a week earlier, according to 3CX’s own forum posts. In a thread that started on March 22, a few users reported that SentinelOne’s antivirus system was flagging the 3CX desktop app as a threat. But at the time, it was unclear whether the detection was a false positive or a real risk.
On Twitter, J. A. Guerrero-Saade, a director at SentinelOne, noted the company had “blocked thousands of attempted infections as of March 22nd.” That naturally caused some, including 3CX’s own CEO, to wonder why SentinelOne hadn’t alerted the public about
Read more on pcmag.com