The 3CX Software Supply Chain Compromise: A Cautionary Tale

New Zealand Computing Solutions
2 min read · Apr 24, 2023

The 3CX Desktop App, enterprise communications software providing chat, video calls, and voice calls, was recently involved in a software supply chain compromise. In March 2023, malware spread through a trojanized version of 3CX’s legitimate software (3CX DesktopApp 18.12.416 and earlier), allowing threat actors to steal browser information. Mandiant identified the activity as UNC4736, a suspected North Korean nexus cluster of activity. This incident underscores the importance of robust cybersecurity measures.

Key Learnings:

Avoid using personal devices for work

Personal devices typically lack the same security features as corporate devices, which makes them more vulnerable to attacks. Using personal devices for work-related tasks may inadvertently expose your organization to risks associated with malware infections or unauthorized access.

Be aware of supply chain attacks

Supply chain attacks are becoming increasingly common and can compromise software that is already trusted and running in your organization. It is therefore critical to know exactly which software operates within your organization and to keep it updated, so that a trojanized or outdated version can be found and replaced quickly.
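The learning above comes down to a repeatable check: hold an inventory of what is installed and compare it against the versions a vendor or incident report names as affected. The script below is an added example, not code from the original post or from 3CX; it applies the version boundary the post states (3CX DesktopApp 18.12.416 and earlier) to a constructed sample inventory, and the hostnames and non-3CX entries in it are made up. The version comparison is generic, so it also handles versions with fewer or more dot-separated components than the threshold.

```python
"""Flag installed 3CX DesktopApp versions within the affected range.

Added example (not from the original post): an inventory check a
defender might run over an exported software inventory. The affected
threshold (18.12.416 and earlier) is the one stated in the post; the
inventory records below are constructed sample data.
"""
from dataclasses import dataclass

AFFECTED_PRODUCT = "3CX DesktopApp"
# Highest trojanized version named in the post; anything at or below it is flagged.
AFFECTED_MAX_VERSION = "18.12.416"


def parse_version(version: str) -> tuple:
    """Turn '18.12.416' into (18, 12, 416) so versions compare numerically.

    Non-digit characters inside a component are dropped so a tag such as
    '416a' still yields 416 rather than raising.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_le(a: str, b: str) -> bool:
    """True when version a <= version b; shorter tuples are padded with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta <= tb


@dataclass
class InventoryRecord:
    host: str
    product: str
    version: str


def find_affected(records) -> list:
    """Return (host, version) for each record of the affected product at or below the threshold."""
    hits = []
    for r in records:
        # Product names from different inventory tools vary in case; normalise before comparing.
        if r.product.strip().lower() != AFFECTED_PRODUCT.lower():
            continue
        if version_le(r.version, AFFECTED_MAX_VERSION):
            hits.append((r.host, r.version))
    return hits


# Constructed sample inventory (hostnames, the non-3CX product and the versions are made up).
SAMPLE_INVENTORY = [
    InventoryRecord("ws-01", "3CX DesktopApp", "18.12.416"),
    InventoryRecord("ws-02", "3CX DesktopApp", "18.12.407"),
    InventoryRecord("ws-03", "3CX DesktopApp", "18.12.422"),
    InventoryRecord("ws-04", "Some Other App", "18.0.1"),
    InventoryRecord("ws-05", "3cx desktopapp", "18.11"),
]

if __name__ == "__main__":
    for host, version in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: {AFFECTED_PRODUCT} {version} is at or below "
              f"{AFFECTED_MAX_VERSION}; update or remove it")
```

Feeding the script a real export from an endpoint management or asset inventory tool only requires mapping that tool's columns onto `InventoryRecord`; the comparison logic itself does not change.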

The 3CX supply chain compromise began with a tampered installer for the X_TRADER software, which led to the deployment of a multi-stage modular backdoor called VEILEDSIGNAL. The malicious software was signed with a digital certificate set to expire in October 2022. Despite the X_TRADER platform having been discontinued in 2020, it was still available for download from the legitimate Trading Technologies website in 2022.

Compromised X_TRADER and 3CX DesktopApp applications used the same techniques to extract and run the payload, demonstrating the increasing sophistication of supply chain attacks.

During the attack, the threat actor moved laterally within the 3CX organization using a compiled version of the publicly available Fast Reverse Proxy project. Eventually, the attacker compromised the Windows and macOS build environments, deploying the TAXHAUL launcher and the COLDCAT downloader on Windows, and the POOLRAT backdoor on macOS.

Conclusion

The 3CX supply chain compromise is a stark reminder of the growing threat of supply chain attacks and the importance of comprehensive cybersecurity measures. Organizations must stay vigilant, continuously update their software, and implement best practices to mitigate the risks of increasingly sophisticated cyber threats.

Expert Small to Medium Business Computer Consulting, IT Outsourcing, Software Development and Managed IT Services. https://nzcs.co.nz/