Cyber Incident Victim: 3CX
Date: Mar 2023
Location: North Korea
Summary
A supply chain attack on the 3CX software company was caused by a prior compromise of Trading Technologies. Suspected North Korean attackers used trojanized trading software to steal credentials from an employee, which were then used to breach the company's build environments. This resulted in trojanized Windows and macOS desktop clients being distributed to users, deploying backdoors that provided attackers with remote access to compromised devices.
Description
The 3CX supply chain attack was first publicly disclosed on March 29, 2023, after the company acknowledged that its Electron-based desktop client application, 3CXDesktopApp, had been compromised to distribute malware. This acknowledgment came one day after initial reports of the malicious activity surfaced within the cybersecurity community. The incident involved a sophisticated multi-stage intrusion that ultimately stemmed from a prior supply chain compromise. An investigation conducted by cybersecurity firm Mandiant determined that the initial breach of 3CX's systems was itself the result of another supply chain attack. Suspected North Korean attackers, tracked as UNC4736, had previously compromised the website of stock trading automation company Trading Technologies. This earlier breach was used to push trojanized builds of Trading Technologies' X_TRADER software.

The attack chain began when a 3CX employee downloaded and installed the malicious X_TRADER installer onto a personal computer. This installer deployed a multi-stage modular backdoor identified as VEILEDSIGNAL. The backdoor was designed to execute shellcode and inject a communication module into the process of a web browser (Chrome, Firefox, or Edge) before terminating itself to avoid detection. The threat actors used this initial access to steal corporate credentials from the employee's compromised device. The stolen credentials were then used to move laterally through 3CX's internal network, allowing the attackers to reach the company's critical build environments.
The attackers successfully breached both the Windows and macOS build environments at 3CX. On the Windows build system, the threat group deployed a launcher known as TAXHAUL and a downloader called COLDCAT. This malware achieved persistence by performing DLL hijacking for the legitimate Microsoft Windows IKEEXT service, which allowed it to run with highly privileged LocalSystem rights. The use of DLL side-loading via legitimate Microsoft Windows binaries made the malicious activity more difficult to detect. On the compromised macOS build server, the attackers installed a backdoor tracked as POOLRAT. This macOS malware utilized LaunchDaemons as its persistence mechanism, ensuring it would automatically load during system startup. The deployment of this malware granted the attackers remote access over the internet to all devices compromised by the trojanized 3CXDesktopApp.
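The IKEEXT DLL side-loading described above is something a defender can hunt for in image-load telemetry. The following is an added example, not code from the 3CX investigation or from Mandiant: it runs a simple rule over constructed Sysmon-style image-load records (the record format, field names and sample paths are assumptions) and flags any DLL loaded into the svchost.exe instance hosting IKEEXT that lives outside System32 or is unsigned.

```python
import re
from dataclasses import dataclass

@dataclass
class ImageLoad:
    image: str      # process that loaded the DLL
    cmdline: str    # its command line; the IKEEXT host shows "-s IKEEXT"
    loaded: str     # full path of the loaded DLL
    signed: bool    # whether the DLL carried a valid Authenticode signature

SYSTEM32 = r"c:\windows\system32"

def parse(line: str) -> ImageLoad:
    """Parse one constructed record: 'Key=Value' fields separated by ' | '."""
    kv = dict(part.split("=", 1) for part in line.split(" | "))
    return ImageLoad(kv["Image"], kv["CommandLine"], kv["ImageLoaded"],
                     kv["Signed"].lower() == "true")

def hosts_ikeext(ev: ImageLoad) -> bool:
    """True when the loading process is the svchost.exe instance running IKEEXT."""
    return (ev.image.lower().endswith(r"\svchost.exe")
            and re.search(r"-s\s+ikeext\b", ev.cmdline, re.I) is not None)

def is_suspicious(ev: ImageLoad) -> bool:
    """Flag a DLL in the IKEEXT host if it sits outside System32 or is unsigned."""
    if not hosts_ikeext(ev):
        return False
    path = ev.loaded.lower()
    prefix = SYSTEM32 + "\\"
    directly_in_system32 = path.startswith(prefix) and "\\" not in path[len(prefix):]
    return not directly_in_system32 or not ev.signed

def find_hijacks(lines):
    """Return the paths of DLLs that look like IKEEXT side-loads."""
    return [ev.loaded for ev in map(parse, lines) if is_suspicious(ev)]

# Constructed sample telemetry (not from the 3CX investigation).
SAMPLE_LOGS = [
    r"Image=C:\Windows\System32\svchost.exe | CommandLine=C:\Windows\System32\svchost.exe -k netsvcs -p -s IKEEXT | ImageLoaded=C:\Windows\System32\ikeext.dll | Signed=true",
    r"Image=C:\Windows\System32\svchost.exe | CommandLine=C:\Windows\System32\svchost.exe -k netsvcs -p -s IKEEXT | ImageLoaded=C:\Windows\Temp\build\netutil.dll | Signed=false",
    r"Image=C:\Windows\System32\svchost.exe | CommandLine=C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | ImageLoaded=C:\Program Files\Vendor\plugin.dll | Signed=false",
    r"Image=C:\Windows\System32\svchost.exe | CommandLine=C:\Windows\System32\svchost.exe -k netsvcs -p -s IKEEXT | ImageLoaded=C:\Program Files\Vendor\vpnhelper.dll | Signed=true",
]
```

Only the two loads into the IKEEXT host from outside System32 are reported; the unsigned DLL in the unrelated Dhcp host is out of scope for this rule and would need its own.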
Mandiant assessed with moderate confidence that the threat group UNC4736 is related to the financially motivated North Korean Lazarus Group, which is known for its Operation AppleJeus campaigns. This link was based on several factors, including the use of the same trojanized X_TRADER application distributed via the same compromised Trading Technologies website that had been previously highlighted in a March 2022 report by Google's Threat Analysis Group. Further connections were made through similarities in tactics, techniques, and procedures (TTPs) and overlaps in command-and-control infrastructure. Mandiant also linked UNC4736 to two clusters of activity associated with a group tracked as APT43, specifically UNC3782 and UNC4469, based on this infrastructure overlap.
Following the disclosure of the attack, 3CX advised its customer base to take immediate action. The company recommended that all users uninstall the compromised Electron desktop client from every Windows and macOS device within their organizations. To facilitate this mass removal, 3CX provided an automated uninstall script for its customers to use. As an alternative, customers were instructed to immediately switch to using the company's progressive web application (PWA) Web Client App, which was stated to provide similar functionality and was not affected by the compromise. The company took more than a week to formally react to initial customer reports that its software had been flagged as malicious by multiple cybersecurity vendors, including CrowdStrike, ESET, Palo Alto Networks, SentinelOne, and SonicWall.
The impact of this incident was significant due to the extensive reach of the 3CX software. According to the company's official website, the 3CX Phone System boasts over 12 million daily users and is utilized by more than 600,000 businesses across the globe. Its customer base includes numerous high-profile organizations and well-known companies such as American Express, Coca-Cola, McDonald's, Air France, IKEA, the UK's National Health Service, and multiple automobile manufacturers. The broad deployment of the software meant that the supply chain attack had the potential to affect a vast number of endpoints worldwide. In response to the disclosure, a team of independent security researchers created a web-based tool to assist 3CX customers in determining whether their IP address had been potentially impacted by the March 2023 supply chain attack.
An initial statement from 3CX CEO Nick Galea suggested that a compromised ffmpeg binary used by the 3CX desktop client may have served as the initial intrusion vector. However, the FFmpeg project denied these allegations, clarifying that it only provides source code to developers and that its code had not been compromised. The Mandiant investigation later revealed that the true origin was the breach via the Trading Technologies software. Mandiant characterized this incident as the first known software supply chain compromise that led to a subsequent, additional software supply chain compromise. This demonstrated the potentially extensive reach of such attacks, particularly when a threat actor can chain intrusions together to compromise a second, unrelated vendor. The investigation highlighted the risk to organizations that may be unknowingly compromised through such intricate attack chains.
