Supply Chain Attack on 3CX: Insights from Mandiant and 3CX's Response Plan

April 25, 2023 by
Supply Chain Attack on 3CX: Insights from Mandiant and 3CX's Response Plan
Griffin Ball

In March 2023, cybersecurity firm Mandiant responded to a supply chain attack on 3CX Desktop App software, identifying the initial compromise vector as malicious software downloaded from the "Trading Technologies" website. The affected software was the 3CX Desktop App 18.12.416 and earlier, which contained malicious code that ran a downloader called SUDDENICON. This downloader received additional command and control (C2) servers from encrypted icon files hosted on GitHub. The decrypted C2 server was then used to download a third-stage malware identified as ICONICSTEALER, a data miner that steals browser information.

Mandiant believes that the threat actor responsible for the attack is UNC4736, a suspected North Korean nexus cluster of activity. The attacker compromised an employee's personal computer through the Trading Technologies X_TRADER software that was downloaded, which contained the malware that enabled the attacker to gain administrator-level access and persistence on the employee's computer. From there, the threat actor stole the employee's 3CX corporate credentials.

Following the attack, 3CX announced a seven-step security action plan called 'EFTA' to strengthen its systems and reduce the risk of future attacks. The plan includes the following:

  • Hardening multiple layers of network security.
  • Revamping build security.
  • Ongoing product security review with Mandiant.
  • Enhancing product security features.
  • Ongoing penetration testing.
  • Refining the crisis management and alert handling plan.
  • Establishing a new department for network operations and security.

The company is committed to making 3CX the most secure communications solution in the market. And we will be watching closely.

Mandiant has also provided additional technical details and indicators of compromise to help organizations strengthen their network defenses against similar attacks. The incident highlights the importance of supply chain security and the need for companies to take proactive measures to prevent and detect such attacks. With the growing sophistication of threat actors and the increasing dependence on technology, companies must prioritize cybersecurity and stay vigilant to protect their systems and data.

To summarize, the recent supply chain attack on 3CX was initiated through an employee's personal computer that was compromised with malware. This allowed the threat actor to steal the employee's corporate credentials and gain administrator-level access to the company's network. The attack reinforces the importance of implementing strong network security measures and regularly reviewing them with a cybersecurity firm. It also illustrates the risks associated with the bring-your-own-device (BYOD) policy, where employees can use personal devices for work. A BYOD policy can create a huge security risk as personal devices usually do not have the same level of security as company devices, and employees may unknowingly download malware onto the company's network. Therefore, it is crucial for businesses to have a clear and comprehensive BYOD policy in place and to enforce strict security measures to ensure the safety of their network and sensitive data.