3CX Supply Chain Attack

3CX Supply Chain Attack: what happened?

VOIP company 3CX was recently targeted by a cybercriminal group, which infected its Electron software with malware to steal information from users’ devices in a large supply chain attack.

The breach caused alarm among businesses that relied on 3CX for their communication needs, and raised concerns about the security of supply chains in the tech industry. Read on to find out what happened, and how you can enhance your business’s security against these malicious attacks.

3CX supply chain attack

On March 29, 3CX received reports that a digitally signed but compromised version of the 3CX Voice Over Internet Protocol (VOIP) Desktop application was being used to attack the company’s customers. This supply chain compromise enabled cybercriminals to carry out multi-stage attacks through the software, potentially facilitating actions such as malware deployment against impacted users.

The Australian Cyber Security Centre (ACSC) released alerts warning of an active state-sponsored intrusion campaign targeting 3CXDesktopApp users, but the organisation has not received reports of any Australian companies being targeted.

3CX compromised software

3CX advised that Electron Windows App (Update 7) version numbers 18.12.407 and 18.12.416, along with Electron Mac App version numbers 18.11.1213, 8.12.402, 8.12.407, and 18.12.416, were all compromised in the attack.

The cybercriminal group is believed to be the North Korean threat actor Labyrinth Chollima. They installed trojanised malware called TAXHAUL in the 3CX DesktopApp to infect 3CX customers who used the app.

The malicious software maintained its presence on affected systems by employing DLL side-loading through legitimate Microsoft Windows executables, making detection more difficult. In addition, it automatically launched during the start-up process on all compromised devices, providing the culprits with remote control via the internet. The macOS systems impacted in the attack were also infiltrated by a malware called Simplesea, which Mandiant is currently investigating to establish any connections with previously identified malware families.

The most common post-exploitation event observed following the initial attack is the presence of an infostealer targeting the browsers on a compromised system.

3CX response

On March 30, 3CX informed both partners and clients about the security breach and has been continuously updating them as the inquiry progresses. Additionally, the company published a public security incident report on April 1. 3CX strongly advised users to refrain from using the Electron App unless it was absolutely essential, while a new Electron App, complete with a freshly issued signing certificate, was rebuilt from scratch to replace the affected version.

Subsequent to the disclosure, 3CX extended the expiration of all paid subscriptions by three months and granted their partners complimentary one-year 3CX PRO subscriptions. To conduct a thorough examination of the event, 3CX enlisted the services of US-based cyber security company Mandiant.

3CX advises that its users uninstall the 3CX Electron Desktop App from all Mac and Windows devices, continue running AV scans and EDR solutions across their organisation’s networks to catch any other potential malware or suspicious activity, and switch to using the PWA Web Client App for the time being.

Defending against supply chain attacks

To defend your business against supply chain attacks, it is essential to adopt a multi-faceted approach that encompasses robust security measures, continuous monitoring, and effective incident response strategies.

Conduct thorough due diligence on all third parties, including suppliers, partners, and service providers. This process should involve assessing the security posture of these entities, their compliance with industry standards, and their ability to detect and remediate potential threats.

Adopting a proactive approach to threat monitoring and incident response will further enhance your defences. By continuously monitoring your network for signs of unusual activity, you can identify potential threats in real-time and take swift action to contain and remediate them.

SIEM solutions

Security Information and Event Management (SIEM) software plays a critical role in defending against supply chain attacks by providing organisations with real-time visibility into their security environment. SIEM solutions collect, analyse, and correlate data from various sources, including network devices, servers, and applications, to identify potential security threats and generate alerts for further investigation.
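The two behaviours described earlier (a DLL side-loaded next to a legitimate executable, followed by the implanted process reaching out over the internet) are exactly the kind of telemetry a SIEM correlates. The following is an added example, not code from 3CX, Mandiant or Steadfast Solutions: a toy correlation rule in Python that runs over constructed endpoint events. Every host name, path, code signer and IP address in the sample data is hypothetical (the IPs come from documentation ranges), and the rule itself is a generic heuristic, not an indicator from the 3CX incident.

```python
"""Toy SIEM correlation rule (added example): flag a process that loads a DLL
from its own directory under a different code signer, and raise the severity
when the same process then connects to an external address within a window."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import ntpath

# Constructed sample telemetry: hypothetical hosts, paths, signers and
# documentation IP ranges, not indicators from the 3CX incident.
# Fields: time|host|event|process_path|process_signer|detail|detail_signer
# 'detail' is the DLL path for image_load, or "ip:port" for net_connect.
SAMPLE_EVENTS = r"""
2023-03-29T08:00:01|ws01|image_load|C:\App\app.exe|Microsoft Windows|C:\App\helper.dll|Unsigned
2023-03-29T08:00:02|ws01|image_load|C:\App\app.exe|Microsoft Windows|C:\Windows\System32\kernel32.dll|Microsoft Windows
2023-03-29T08:00:04|ws01|net_connect|C:\App\app.exe|Microsoft Windows|203.0.113.10:443|
2023-03-29T08:01:00|ws02|image_load|C:\Tools\tool.exe|Example Corp|C:\Tools\tool.dll|Example Corp
2023-03-29T08:01:03|ws02|net_connect|C:\Tools\tool.exe|Example Corp|203.0.113.20:443|
2023-03-29T08:02:00|ws03|image_load|C:\App\app.exe|Microsoft Windows|C:\App\helper.dll|Unsigned
2023-03-29T08:02:05|ws03|net_connect|C:\App\app.exe|Microsoft Windows|10.0.0.9:445|
"""

# Address space treated as internal; anything else counts as "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Event:
    time: datetime
    host: str
    kind: str            # "image_load" or "net_connect"
    process: str         # full path of the process image
    process_signer: str
    detail: str          # DLL path, or "ip:port"
    detail_signer: str   # DLL signer for image_load, empty otherwise


def parse_events(text: str) -> list:
    """Parse the pipe-separated records into Event objects."""
    events = []
    for line in text.strip().splitlines():
        t, host, kind, proc, psig, detail, dsig = line.split("|")
        events.append(Event(datetime.fromisoformat(t), host, kind,
                            proc, psig, detail, dsig))
    return events


def is_sideload(ev: Event) -> bool:
    """A DLL loaded from the executable's own directory whose signer differs
    from the executable's signer has the shape of a side-loaded payload."""
    if ev.kind != "image_load":
        return False
    same_dir = ntpath.dirname(ev.detail).lower() == ntpath.dirname(ev.process).lower()
    return same_dir and ev.detail_signer != ev.process_signer


def is_external_connect(ev: Event) -> bool:
    """Outbound connection to an address outside the internal ranges."""
    if ev.kind != "net_connect":
        return False
    ip = ipaddress.ip_address(ev.detail.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL_NETS)


def correlate(events, window=timedelta(seconds=60)) -> dict:
    """Group events per (host, process). Each side-load becomes an alert,
    rated 'high' if that process also reached an external address within
    `window`, otherwise 'medium'. One alert per host is kept for the demo."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[(ev.host, ev.process.lower())].append(ev)
    alerts = {}
    for (host, proc), evs in grouped.items():
        evs.sort(key=lambda e: e.time)
        for ev in evs:
            if not is_sideload(ev):
                continue
            remotes = [n.detail for n in evs
                       if is_external_connect(n)
                       and ev.time <= n.time <= ev.time + window]
            alerts[host] = {
                "process": proc,
                "dll": ev.detail,
                "severity": "high" if remotes else "medium",
                "remotes": remotes,
            }
    return alerts


def run_demo() -> dict:
    """Run the rule over the constructed sample and return alerts by host."""
    return correlate(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for host, alert in run_demo().items():
        print(f"{host}: {alert['severity'].upper()} side-load of {alert['dll']} "
              f"by {alert['process']} remotes={alert['remotes']}")
```

In the sample, ws01 side-loads an unsigned DLL and then talks to an external address, so it is rated high; ws03 shows the same side-load but only reaches an internal host, so it is rated medium for an analyst to review; ws02 loads a DLL from the same publisher as its executable and produces no alert. The value of the correlation is the second step: a side-load on its own is noisy in real estates, while a side-load followed by fresh outbound traffic from the same process is a much stronger signal.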

By deploying a robust SIEM solution, businesses can gain deeper insight into the activities of their supply chain partners, allowing them to detect and respond to potential security incidents more effectively.

Talk to the cyber security experts before you get caught out

Defending your business against supply chain attacks requires a comprehensive approach that encompasses due diligence, robust security controls, proactive monitoring, and effective incident response strategies.

The Microsoft Sentinel SIEM specialists and threat analyst team at Steadfast Solutions can audit your systems, network, and infrastructure to determine the best security solutions for your business. They will deploy and fully manage your environment for maximum protection. Talk to them today to find out more.