The compromise of 3CX communication software has made history as the first publicly documented case of one supply-chain attack being used to launch another. The trojanized 3CX application reached, among others, critical infrastructure organizations in the energy sector and organizations in the financial sector.
A supply-chain attack is a cyber attack that bypasses a target's own security measures by entering through software, updates or services delivered by a trusted external provider. In the case of 3CX, the chain began with a trojanized installer for X_TRADER, a financial trading application that its vendor no longer supported. That trojanized software was used to compromise 3CX, and the compromised 3CX build was then distributed to 3CX's customers.
ESET telemetry suggests that hundreds of trojanized 3CX installations were running at customer sites. Once installed, the trojanized software gathers system information and steals data, including credentials from several browsers, and gives the attackers a backdoor through which they can run commands on the compromised computer.
While investigating the related campaign known as Operation DreamJob, ESET researchers found links to the Lazarus group, a North Korea-aligned threat actor. The attack on 3CX was therefore the work of a sophisticated and well-resourced adversary.
The question that arises from this incident is how a company can defend itself when the threat comes from a trusted partner or provider, even when all of its security measures are in place. This highlights the need for companies to have robust security strategies that take into consideration the risks posed by their supply chain.
In this case, the compromise began with X_TRADER, which Trading Technologies had decommissioned in April 2020. The software nevertheless remained available for download, and after the Lazarus group penetrated Trading Technologies, the installer offered on the vendor's website was replaced with a trojanized one. That trojanized installer carried a valid code-signing signature issued to Trading Technologies, so a signature check alone would not have revealed it.
Although Trading Technologies had told its clients that X_TRADER would no longer be supported beyond April 2020, some individuals continued to download and use the software, and so received the compromised version. This highlights the importance of using only supported, up-to-date software obtained from legitimate sources. Companies should confirm they are downloading from the vendor's genuine website and should compare the hash of the downloaded file with the one published by the vendor, with one caveat a practitioner should keep in mind: if the vendor's site itself is compromised, the published hash can be changed to match the malicious file, so a hash is only as trustworthy as the channel it was obtained through. For software the vendor has retired, there is no trustworthy channel left, and the safest course is not to install it at all.
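The checks described above, combined into one pre-installation gate, as an added example that is not part of the original article and not code from ESET, 3CX or Trading Technologies. The file path, the expected hash and the expected signer name in the usage call are placeholders and must be replaced with values obtained from a channel other than the download page itself:

```powershell
# Added example: refuse to run a downloaded installer unless both its SHA-256
# hash and its Authenticode signer match what you expect. Assumes Windows
# PowerShell 5.1 or PowerShell 7 on Windows (Get-AuthenticodeSignature needs
# the Windows trust APIs). Path, hash and signer below are hypothetical.

function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [Parameter(Mandatory)][string]$ExpectedSignerSubject
    )
    $problems = @()

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Problems = @('file not found') }
    }

    # 1. Hash check. The expected value must come from somewhere other than the
    #    download site (signed release notes, a support contact), because a
    #    compromised site can publish a hash that matches its own trojanized file.
    #    PowerShell's -ne is case-insensitive, so hex case does not matter.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        $problems += "SHA-256 mismatch: got $actual"
    }

    # 2. Authenticode check. Status must be Valid AND the signer must be the
    #    vendor you expect, not merely "some valid certificate". This still will
    #    not catch a file signed with the vendor's own certificate by an intruder
    #    inside the vendor, which is why step 1 is not optional.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status: $($sig.Status)"
    } elseif ($signer -notlike "*$ExpectedSignerSubject*") {
        $problems += "unexpected signer: $signer"
    }

    [pscustomobject]@{
        Path     = $Path
        Sha256   = $actual
        Signer   = $signer
        Trusted  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage with placeholder values (replace all three before relying on the result).
$result = Test-TrustedInstaller -Path 'C:\Downloads\vendor-setup.exe' `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000' `
    -ExpectedSignerSubject 'CN=Example Vendor Inc.'

if ($result.Trusted) {
    Write-Host "OK to install $($result.Path) (signer: $($result.Signer))"
} else {
    Write-Error ("Refusing to install: " + ($result.Problems -join '; '))
}
```

Both checks are deliberately required: in the X_TRADER case the signature would have passed, so only a hash obtained through a separate channel could have flagged the file, and for software the vendor has already retired no such channel exists.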
Furthermore, companies should make their employees less vulnerable to attacks. In the 3CX case, the initial compromise occurred when an employee installed the trojanized X_TRADER software on a personal computer, outside the reach of corporate endpoint controls. The malware stole the employee's corporate credentials, which the attackers then used to log in to 3CX's corporate network. To limit the damage from a single stolen credential, companies should enforce multi-factor authentication on every remote entry point and encrypt sensitive data at rest and in transit. Access rights should be tightly managed, and sensitive data should only be shared through approved, access-controlled systems rather than personal devices or accounts.
A strong password policy is also essential in preventing attacks. Rather than forcing frequent password changes and elaborate complexity rules, companies should encourage long passphrases, which are easier to remember and, because of their length, harder to guess. A passphrase can still mix in numbers and special characters (or even emojis, where the system accepts them) to raise the cost of automated guessing, but length matters more than any single symbol. Passkeys, which rely on public-key cryptography so that no reusable secret is ever sent to or stored by the server, are also worth considering; a stolen passkey credential on the server side is useless to an attacker.
Privileged access management (PAM) can also help prevent attackers from turning a stolen login into control of valuable corporate accounts. Just-in-time access, monitoring and recording of privileged sessions, and stricter credential policies for privileged accounts add extra layers of protection around critical resources such as build and release systems. It is also important to set strict security requirements for suppliers and partners, since their weaknesses become yours in a supply-chain attack.
Applying the latest security patches is crucial in preventing threats, but the 3CX case shows that installing a patch is not always enough. The threat actors abused a weakness in Windows Authenticode signature verification that Microsoft had addressed in 2013 (CVE-2013-3900): data appended to a signed binary's signature block does not invalidate the signature unless the stricter check is switched on. Microsoft shipped that stricter check as opt-in, enabled only through a registry setting, so on a default installation the trojanized DLL bundled with the 3CX app still reported a valid signature. Companies should therefore not only keep their software and operating systems patched but also review which hardening settings a patch leaves disabled by default and turn on the ones that matter to them.
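The opt-in hardening described above, shown as an added example rather than code from the original article or from any vendor. It assumes an elevated Windows PowerShell session and uses the registry value Microsoft documents for CVE-2013-3900; the suspect DLL path at the end is a placeholder:

```powershell
# Added example: switch on the strict Authenticode verification from
# MS13-098 / CVE-2013-3900, which stays off even on a fully patched Windows.
# Must run as Administrator. Microsoft documents the value as a string
# (REG_SZ) "1", not a DWORD, under both the native and the WOW6432Node hives.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'  # 32-bit verifiers on 64-bit Windows
)

function Get-CertPaddingCheckState {
    # Report, per hive, whether the strict check is enforced.
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{
            Key                    = $k
            EnableCertPaddingCheck = $v
            Enforced               = ($v -eq '1')
        }
    }
}

function Enable-CertPaddingCheck {
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { New-Item -Path $k -Force | Out-Null }
        New-ItemProperty -Path $k -Name EnableCertPaddingCheck -PropertyType String -Value '1' -Force | Out-Null
    }
}

Write-Host 'Before:'; Get-CertPaddingCheckState | Format-Table -AutoSize
Enable-CertPaddingCheck
Write-Host 'After:';  Get-CertPaddingCheckState | Format-Table -AutoSize

# Re-check a binary after enabling. A file whose signature block has extra
# data appended, and which reported Valid before, no longer reports Valid.
# (Placeholder path; point it at a binary you actually want to inspect.)
Get-AuthenticodeSignature -LiteralPath 'C:\path\to\suspect.dll' |
    Select-Object Status, StatusMessage
```

Before rolling this out fleet-wide, test it on a representative set of machines: Microsoft warns that some legitimate installers store data in the signature block, and those will start failing verification once the strict check is enforced. Deploying the same value through Group Policy Preferences or your configuration-management tool gives the same result as the script.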
Setting high security standards is essential in protecting against cyber attacks. This includes running proper antimalware software on every endpoint, reducing the attack surface through employee training and awareness, having incident response plans in place, and regularly backing up files, with backups tested for restoration, to ensure business continuity in the event of a disruption.
The compromise of 3CX communication software has highlighted the need for companies to be vigilant about securing their supply chain and to implement robust security measures. As the incident has shown, even with every security layer in place, the danger can come from a trusted partner or provider, and from a single employee's personal machine. By applying the lessons of this incident and taking proactive measures, companies can better protect themselves against supply-chain attacks and other cyber threats.