3CX EFTA Security Charter in Response to a Recent Software-in-Software Supply Chain Attack
In response to a recent cascading software-in-software supply chain attack, 3CX has introduced a robust security action plan, “EFTA”. This strategic plan is designed to effectively address the security breach and minimize the risk of future attacks. By implementing a series of targeted measures across various aspects of their infrastructure, 3CX is taking proactive steps to enhance network security, strengthen build security, conduct thorough product security reviews, and improve overall security features. Additionally, measures such as regular penetration testing, refined crisis management and alert handling protocols, and the establishment of a dedicated department for network operations and security highlight 3CX’s commitment to ensuring the utmost security for their systems and customers.

The 7 Step Security Charter by 3CX

With a comprehensive plan in place, aptly named the ‘EFTA’ Security Charter (efta is Greek for seven), 3CX has outlined seven key priorities for strengthening its security measures. The EFTA action plan includes:
  1. Hardening Multiple Layers of Network Security
  2. Revamping Build Security
  3. Ongoing Product Security Review with Mandiant
  4. Enhancing Product Security Features
  5. Performing Ongoing Penetration Testing
  6. Refining the Crisis Management and Alert Handling Plan
  7. Establishing a New Department for Network Operations and Security

Hardening Multiple Layers of Network Security

First and foremost, 3CX is rebuilding the network infrastructure, starting with a dedicated build environment that is hardened and isolated. In addition, they have implemented new Endpoint Detection and Response (EDR) monitoring tools to enhance threat detection capabilities. To ensure round-the-clock monitoring, 3CX has employed offsite staff who specialize in threat hunting. They have also implemented stricter access control policies across all levels, adopting a Zero Trust model. Recognizing the importance of expert guidance, 3CX is working closely with Mandiant to implement the Remediation Plan Recommendations. Through these proactive measures, 3CX is committed to bolstering the security of their network infrastructure.

Revamping Build Security

To ensure the integrity of software available on their downloads server, 3CX has undertaken significant enhancements in their build security. These enhancements include increased static and dynamic code analysis, with their code scanned for code quality issues and vulnerabilities before each commit. This thorough analysis covers the entire Phone System project, including the Web Client. Furthermore, 3CX is evaluating potential code signing and monitoring solutions to prevent unauthorized modifications to their software. By implementing these measures through EFTA, 3CX is prioritizing the delivery of secure and trustworthy software to their users.
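The paragraph above names the goal (catching unauthorized modification of what ends up on the downloads server) without showing a mechanism. The following is an added example, not 3CX's tooling: a build-time hash manifest produced inside the isolated build environment and re-checked against the published tree, which flags patched, missing and unexpected files. File names, the manifest layout and the tampering scenario are constructed for illustration; in practice the manifest itself would also be signed with a release key so it cannot be regenerated by whoever tampered with the artifacts.

```python
"""Detect unauthorized modification of build artifacts with a SHA-256 manifest.

Added example, not 3CX's own code. Assumes the manifest is generated in the
hardened build environment and compared against the files actually published.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative POSIX-style path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, expected: dict) -> dict:
    """Compare the published tree against the build-time manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}.
    All three lists empty means the tree is byte-for-byte what the build produced.
    """
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def demo() -> tuple:
    """Constructed scenario: verify a clean tree, then the same tree after tampering.

    Returns (clean_result, tampered_result).
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "installer.exe"), "wb") as fh:
            fh.write(b"legitimate installer bytes")  # constructed stand-in for a real artifact
        with open(os.path.join(root, "README.txt"), "w") as fh:
            fh.write("release notes\n")

        # What the build environment would emit (and sign) alongside the artifacts.
        manifest_json = json.dumps(build_manifest(root), sort_keys=True)
        clean = verify_manifest(root, json.loads(manifest_json))

        # Simulate post-build tampering: append to the installer, drop in a stray library.
        with open(os.path.join(root, "bin", "installer.exe"), "ab") as fh:
            fh.write(b" injected")
        with open(os.path.join(root, "bin", "stray.dll"), "wb") as fh:
            fh.write(b"not produced by the build")
        tampered = verify_manifest(root, json.loads(manifest_json))
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

Run it to see the clean tree report three empty lists and the tampered tree report `bin/installer.exe` as modified and `bin/stray.dll` as unexpected. The check is only as trustworthy as the manifest's provenance, which is why it belongs in the isolated build environment and should be signed, not just copied next to the artifacts.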

Ongoing Product Security Review with Mandiant

In light of the network compromise, 3CX has undertaken a comprehensive product security review in collaboration with Mandiant. This incident prompted thorough scrutiny of every aspect of their product. By working closely with Mandiant, 3CX aims to identify and address vulnerabilities across their range of products, including the Web Client, Electron app, internal API, and communication libraries. As a result of the ongoing EFTA review, several potential vulnerabilities have already been identified and promptly fixed. Through this diligent process, 3CX is actively ensuring the security and resilience of their products for their customers.

Enhancing Product Security Features

As part of their commitment to enhancing product security, 3CX has taken significant steps to improve the security features of their offerings. Following a comprehensive security check and review, they released Update 7A. It makes the Progressive Web App (PWA) the preferred option for more customers, adds a Busy Lamp Field (BLF) panel to the PWA dialer, and adds support for the tel protocol (in Update 8). Stored passwords are now hashed, and the password has been removed from the welcome email. 3CX has also introduced the ability to lock down the Web Client by IP address, restricting access for system administrators and users to approved networks. These measures address a number of vulnerabilities identified in the review.

In their near-term product roadmap, 3CX has included a version of their native Windows app that can be installed from the Microsoft Store. This deployment method adds an additional layer of review to the distribution channel and provides automatic updates and the ability to quarantine a release if necessary. Looking ahead, 3CX is planning further security updates, such as Two-Factor Authentication (2FA) for installations that do not use Single Sign On (SSO). More details, along with the comprehensive roadmap, will be released soon.
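Two of the Update 7A controls named above, password hashing and locking the Web Client down by IP, are shown here as an added example in Python. This is not 3CX's code and does not describe how the product implements these features: the scrypt parameters, the stored-hash format, the CIDR allow-list format and all function names are assumptions chosen for the illustration. The token generator stands in for the "password removed from the welcome email" point: the mail carries a single-use token that is redeemed to set a password, so no credential is ever sent in the clear.

```python
"""Added example (not 3CX's code): salted password hashing with scrypt,
constant-time verification, a welcome token in place of a mailed password,
and a fail-closed IP allow-list check for a web client.

Assumptions: scrypt cost parameters below are illustrative; stored hashes use
our own 'scrypt$n$r$p$salt_hex$hash_hex' layout; allow-lists are CIDR strings.
"""
import hashlib
import hmac
import ipaddress
import os
import secrets

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed parameters; tune to your hardware
SALT_LEN = 16


def hash_password(password: str) -> str:
    """Hash with a fresh random salt; the parameters travel with the hash.

    Storing n, r and p alongside the digest lets the cost be raised later
    without invalidating records hashed under the old settings.
    """
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time.

    Anything malformed (wrong field count, bad hex, unknown algorithm) is a
    failed login rather than an exception reaching the caller.
    """
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest, expected)


def welcome_token() -> str:
    """Single-use, unguessable token to put in the welcome email instead of a password."""
    return secrets.token_urlsafe(32)


def client_allowed(client_ip: str, allow_list) -> bool:
    """Web Client IP lockdown: True only if client_ip is inside an allowed network.

    Fails closed: unparseable addresses or networks are denied, and an empty
    allow-list denies everyone, so a misconfiguration cannot open the client up.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
        nets = [ipaddress.ip_network(n, strict=False) for n in allow_list]
    except ValueError:
        return False
    return any(addr in net for net in nets)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("login bad:", verify_password("wrong", record))
    print("welcome token:", welcome_token())
    print("allowed:", client_allowed("10.20.30.40", ["10.20.30.0/24"]))
```

Note that `client_allowed` is meaningful only when the address it checks is the real peer address; if the Web Client sits behind a reverse proxy, trust a forwarded-for header only from that proxy, or an attacker can supply an allow-listed address in the header.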

Performing Ongoing Penetration Testing

To ensure continuous evaluation of their security measures, 3CX has taken the proactive step of partnering with an established penetration testing company. Through this agreement, ongoing penetration testing will be conducted on multiple fronts, including their network, online web applications (including the website and customer portal), and their product itself. This comprehensive approach to penetration testing enables 3CX to identify and address any potential vulnerabilities or weaknesses, providing valuable insights to further enhance their security posture. By regularly subjecting their systems to rigorous testing, 3CX demonstrates their commitment to maintaining the highest level of security for their network, applications, and product, thus ensuring the safety and trust of their users.

Refining the Crisis Management and Alert Handling Plan

Throughout the incident, 3CX remained committed to providing ongoing updates and maintaining transparency so that their customers and the security community were well informed. The realization that a nation-state actor was likely involved in the attack is a deeply unsettling experience that tests the resilience of any organization. To enhance their communication efforts, 3CX bolstered information sharing across several social media platforms, resulting in increased community engagement, and fostered two-way communication through blog posts and a dedicated forum. Moving forward, 3CX recognizes the importance of formalizing a crisis management and alert handling plan. By doing so, they aim to build on the lessons learned from the incident and ensure a more structured and effective approach to managing future crises, while keeping open and transparent communication channels in the face of potential challenges.

Establishing a New Department for Network Operations and Security

To underscore the significance of both security and network operations, 3CX has established a dedicated department known as ‘Network Operations & Security’. This department will be led by Agathocles Prodromou, a seasoned professional with nearly 20 years of experience in IT and security. As Chief Network Officer (CNO), Agathocles will report directly to the CEO, ensuring a direct and open line of communication and enabling continuous review and improvement of operating practices and the security program. With a substantial security budget and the authority to act swiftly, he will have the resources and empowerment needed to safeguard both the company and its product. This move demonstrates 3CX’s commitment to giving network operations and security a place in the organizational structure.

With the implementation of the EFTA Security Charter, 3CX is embarking on a new phase of renewal and regeneration. They are committed to transforming their communications solution into the most secure option available in the market. As they take action to fulfill these promises, 3CX invites their customers and stakeholders to stay with them on this journey. The company is dedicated to translating words into tangible outcomes, ensuring that the security of their communications platform remains a top priority and giving their customers peace of mind and a reliable communication experience.