3CX Supply Chain Attack Routed to Another Supply Chain Attack

Researchers has revealed that the breach of 3CX first reported last month, caused by a software supply chain attack on a third party.

The 3CX breach was first detected by customers during last month, but only came to light a week later when various cybersecurity companies identified it. As part of the attack, the hackers packaged malicious code into the 3CX desktop installer and customers that already had 3CX installed also received an update that contained the malicious code.

Advertisements

Before this attack, they had compromised the supply chain of futures trading platform provider Trading Technologies International. 3CX hired Mandiant to offer forensic analysis and they found that a 3CX employee had downloaded and installed a compromised version of Trading Technologies software that had been tampered with. Once the software had been installed, it gave the hackers access to the 3CX network, allowing them to move laterally through the network until ultimately breaching 3CX’s Windows and macOS software.

The researchers also note that the Trading Technologies X_TRADER software had been installed by the 3CX employee in April 2022, meaning that Lazarus had access to and had been moving laterally through 3CX’s network over a year.

The attack on Trading Technologies and 3CX to linked to threat actor UNC4736, also known as Labyrinth Chollima. Depending on the source, UNC4736 is either an alternative name for or a subgroup of the infamous North Korean hacking group Lazarus.

This is just an example of an extended software supply chain. It’s critical to ask upstream suppliers about how well their supply chain, including build pipeline and development environments, is protected. Their supply chain is a part of your supply chain.