Home 3CX supply chain attack: Top 5 things to know

3CX supply chain attack: Top 5 things to know

March 31 — A supply chain attack affecting the company known as 3CX is of a comparable magnitude to that of the SolarWinds and Kaseya supply chain attacks. 3CX reports a client list that includes more than 600,000 different organizations. SolarWinds had merely half that number of customers when the company experienced a supply chain attack and the fallout was prodigeous.

3CX supply chain attack 2023

In terms of the massive attack on 3CX, here are the top 5 things to know right now:

  1. Timeline and techniques. Cyber security researchers have suggested that the initial compromise of the 3CX Windows app may have started on March 8th of this year, despite more recent discovery. By comparison, the SolarWinds attack is believed to have proceeded, unnoticed, for nine months after the agressors initially infiltrated systems.The 3CX attack operates in multiple stages. In the first stage of the attack, there is a malicious implant inside of two dynamic link library (DLL) files. The second-stage payload deployed by the attackers is still being explored, although its objective was to provide the threat actor with information about systems.
  2. Affected software. According to 3CX executives, the compromised software was identified in Update 7. The version numbers are 18.12.407 and 18.12.416 of the Windows desktop app. The affected versions of the macOS app are 18.11.1213, 18.12.402, 18.12.407 and 18.12.416.The fact that the Windows and macOS versions of the 3CX app were impacted is considered significant. It indicates that the threat actor had planned out the attack and thought through capabilities, which is not-so-common, according to experts.
  3. Compromised code. Attackers leveraged a somewhat sophisticated attack methodology to insert the malicious code into the DLL files that the 3CX desktop app requires. The technique, known as DLL sideloading, has been around for more than a decade. It’s analogous to a home contractor who managed to discreetly gain permanent access to cameras within the home in order to snoop around. The threat actors involved in this attack were particularly stealthy in that they took precautions to ensure that the 3CX software would still function, despite compromise.
  4. 3CX customer next-steps. 3CX executives encourage customers to uninstall the desktop 3CX client. Effectively, the first step is to remove the malicious code from your system.However, that’s not necessarily enough. Because the threat actors have potentially had access to client systems for extended (if unknown) durrations of time, additional security protocols are also encouraged.For high-level supply chain targets, the attackers may have implemented a means of gaining continuous access to the network, even if their initial point of entry is cut-off.
  5. How attackers gained access. Thus far, while 3CX executives have acknowledged the attack and promised to release a new version of the app, the company had been mum on the subject of how the attackers broke in. However, there are two likely scenarios. In one scenario, attackers may have compromised the download server and substituted their malicious version of the software for the legitimate version. In the other scenario, attackers may have taken a page out of the SolarWinds story. In so doing, they may have compromised part of the development environment or a development process.

Further information

Curious about the technical side of the attack? Please see CyberTalk.org’s in-depth coverage here. Want to stay up-to-date with trends in technology? Check out the CyberTalk.org newsletter! Sign up today to receive top-notch news articles, best practices and expert analyses; delivered straight to your inbox.