Securing for the Future of 3CX after first-of-a-kind, cascading software-in-software supply chain attack

We’re committing to actionable steps - 7 to be exact - to harden our systems and minimize our risk of future attacks. Some steps are already completed, some are still in progress. To this end, we’re currently drafting a Security Charter called ‘EFTA’, which means 7 in Greek. Here’s what we’re prioritizing in the EFTA Security Charter.

1. Hardening Multiple Layers of Network Security

We’ve devised a strategic plan to reinforce the security of our network including:

  • Rebuilding the network starting with a dedicated build environment that’s hardened and isolated
  • Implementing new EDR monitoring tools
  • Employing offsite 24/7 monitoring - staffed by threat hunting specialists
  • Stricter access control policies at all levels on a Zero Trust model
  • Working closely with Mandiant to implement Remediation Plan Recommendations

2. Revamping Build Security

We’ve enhanced procedures and are employing additional tools to ensure the integrity of software made available on our downloads server. This includes:

  • Increased static and dynamic code analysis - our code is scanned before each commit, looking for code quality issues and vulnerabilities across the entire Phone System project - including the Web Client.
  • Code signing and monitoring solutions - we’re evaluating possible code signing and monitoring solutions to ensure that our software is not modified after it is built.

3. Ongoing Product Security Review with Mandiant

This compromise of our network caused us to scrutinize every aspect of our product. To this end, we’re working closely with Mandiant to complete the ongoing product security review to help identify vulnerabilities across 3CX products. This includes the Web Client, the Electron app, as well as our internal API and communication libraries. We’ve fixed several potential vulnerabilities identified as part of this process.

4. Enhancing Product Security Features

We’ve committed to improving and enhancing our product security features. As a first step, we’re releasing Update 7A next week, following a security check and review, which includes:

  • PWA as a preferred option for more customers:
    • Adds BLF panel to PWA app dialer
    • Support for Tel Protocol (Update 8)
    • See our detailed comparison here
  • Password hashing
  • Removal of password from welcome email
  • Lock down of Web Client by IP - for system admin or all users
  • A number of vulnerabilities will be addressed

We have updated our near-term product roadmap to include a version of our native Windows app that can be installed from the Microsoft Store. This automatically adds a level of security, as well as automatic updates and quarantine if necessary. We’re also planning additional security updates such as 2FA/MFA for non-SSO installs. More details, along with the roadmap, will be released soon.

5. Performing Ongoing Penetration Testing

We are entering into an agreement with an established pen testing company to perform ongoing pen testing of our network, our online web applications (including our website and customer portal), as well as our product.

6. Refining our Crisis Management and Alert Handling Plan

As this incident unfolded, we provided ongoing updates and operated with transparency to help inform our customers and the security community. Realizing that a nation-state actor is the likely adversary is a daunting feeling that shakes an organization to its core.

We strengthened our information sharing over social media, which increased our community engagement. This included two-way communications over our blogs and dedicated forum as well as an increase in 3CX’s followers on Twitter and LinkedIn. We feel our commitment to transparency has been appreciated by those we value the most.

Going forward, we’ll formalize a crisis management and alert handling plan to build upon the lessons learned through this incident.

7. Establishing a New Department for Network Operations and Security

To emphasize the importance of both security and network operations, we’ve created a dedicated department focused on network operations and security. This new department, ‘Network Operations & Security’, will be headed up by Agathocles Prodromou, who brings almost 20 years of experience in the IT and security domain. As Chief Network Officer (CNO), Agathocles will report directly to the CEO to ensure a direct and open line of communication as we continuously review and improve our operating practices and security program. With a significant security budget and the authority to act fast and effectively, Agathocles will be equipped and empowered to secure both the company and our product.

3,2,1 Action!

This is the plan. We look forward to this next chapter of renewal and regeneration as we implement the EFTA Security Charter. Stay with us while we action our words and turn 3CX into the most secure communications solution available in the market.