3CX has launched a major effort to harden its network security as part of a seven-point plan following a report from Mandiant that revealed a historic supply chain attack linked to suspected North Korea-based threat actors.
3CX was hit by a supply chain attack after an employee downloaded compromised software from Trading Technologies, a financial software company that had previously been the target of a malicious cyber intrusion, Mandiant found in its investigation released Thursday. 3CX hired Mandiant as part of its incident response effort.
“While Mandiant’s investigation is ongoing, we now have a clear overall understanding of the attack,” Agathocles Prodromou, chief network officer at 3CX, said in a blog post.
The Cybersecurity and Infrastructure Security Agency also released a malware analysis report on IconicStealer, an information stealer used in the 3CX attack. Officials praised the efforts to mitigate the attack, noting that a more catastrophic outcome was likely prevented.
“CISA continues to work with government and private sector partners to understand impacts from this intrusion campaign,” an agency spokesperson said via email. “In many cases, outstanding work by the cybersecurity community avoided significant harm for many potential victims.”
3CX CEO Nick Galea said the company is drafting what it calls the EFTA Security Charter, with seven steps designed to harden the company network and enhance procedures. The changes include efforts to:
- Create a dedicated build environment that is hardened and isolated. This effort includes plans to employ 24/7 offsite monitoring, implement EDR monitoring tools and enable stricter access policies based on a zero trust model.
- Revamp build security with increased static and dynamic code analysis and evaluate possible code signing and monitoring solutions.
- Conduct an ongoing product security review with Mandiant to identify vulnerabilities. This includes the web client, Electron app and internal API and communication libraries.
- Release update 7A next week, which will include the progressive web application as the preferred option. The company is also adding hashed passwords and removing passwords from the welcome email.
- Hire a firm to conduct ongoing penetration testing of the network, online applications and product.
- Formalize a crisis management and alert handling plan.
- Create a dedicated network operations and security department led by Prodromou, who will report directly to the CEO.