3CX Supply Chain: Attack Inside an Attack — Trading Technologies Compromised First
3CX's Windows desktop app distributed malware to 600,000 business customers. Forensic investigation revealed 3CX was itself a victim of a prior supply chain attack — a compromised Trading Technologies installer had infected the 3CX developer's machine.
Attack Chain
1. Fake LinkedIn persona built
2. Trust established over months
3. Malicious file shared
4. OPSEC software backdoored
5. Signed installer distributed
6. Customer networks compromised
Background
3CX is a popular VoIP software company with 600,000 business customers. In March 2023, security researchers noticed 3CX's signed desktop application was delivering malware. The investigation revealed an unprecedented second-order supply chain attack.
The Attack
A 3CX software developer had installed a version of Trading Technologies' X_TRADER financial software from Trading Technologies' own website. That installer had been trojanised months earlier by Lazarus Group. The compromised installer planted a backdoor on the developer's machine. Lazarus Group used that access to compromise 3CX's build environment, modifying 3CX's Windows application to include malicious DLL files signed with 3CX's legitimate certificate. The trojanised 3CX app was then distributed to 600,000 businesses. Lazarus Group used it to target cryptocurrency companies.
Response
CrowdStrike and Mandiant identified the malicious DLLs on March 29, 2023. 3CX pushed an emergency update and asked customers to uninstall the desktop app. Mandiant attributed the first-stage attack (Trading Technologies) to Lazarus Group in an April 2023 report — the first confirmed case of one supply chain attack enabling another.
Outcome
This was the first documented supply chain attack that was itself the product of a prior supply chain attack — a "supply chain attack squared." Lazarus Group's methodology of compromising a small trusted developer (Trading Technologies) to reach a larger target (3CX) to ultimately reach 600,000 businesses demonstrated sophisticated escalation strategy.
Key Takeaways
- Supply chain attacks can be chained — a compromised dependency of a dependency can reach your production systems
- Developer workstations that have access to build systems must be protected with the same standards as build servers
- Verify software integrity of all installed development tools — not just production dependencies
- The Lazarus Group's patience in chaining two supply chain attacks illustrates nation-state long-term planning
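One concrete form of the integrity check the takeaways call for, as an added example that is not code from 3CX, Trading Technologies or any vendor: a developer-tool allowlist that pins both the expected publisher and the SHA-256 of a build someone actually reviewed, so a backdoored installer carrying the vendor's legitimate signature (the situation in both stages of this incident) is still rejected. It assumes the signature result comes from the platform's own verifier (e.g. Authenticode), and every file name, byte string and publisher below is constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Installer:
    name: str
    data: bytes              # file contents (constructed in this example)
    signer: Optional[str]    # publisher named in the code-signing certificate
    signature_valid: bool    # outcome of the platform's signature check (assumed input)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(reviewed: Dict[str, Tuple[str, bytes]]) -> Dict[str, Dict[str, str]]:
    """Pin the publisher and SHA-256 of each build an engineer actually reviewed."""
    return {name: {"signer": signer, "sha256": sha256_hex(data)}
            for name, (signer, data) in reviewed.items()}

def verify_installer(inst: Installer, manifest: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Accept only builds that are correctly signed AND byte-identical to a reviewed build."""
    entry = manifest.get(inst.name)
    if entry is None:
        return False, "not in approved manifest"
    if not inst.signature_valid or inst.signer != entry["signer"]:
        return False, "signature missing, invalid, or from an unexpected publisher"
    if sha256_hex(inst.data) != entry["sha256"]:
        return False, "valid signature from expected publisher, but hash differs from reviewed build"
    return True, "ok"

# Constructed sample data: the clean build an engineer reviewed and pinned.
CLEAN_BUILD = b"X_TRADER setup (constructed clean build)"
PUBLISHER = "Trading Technologies (constructed)"
MANIFEST = build_manifest({"x_trader_setup.exe": (PUBLISHER, CLEAN_BUILD)})

# Scenario 1: the reviewed build itself -> accepted.
REVIEWED = Installer("x_trader_setup.exe", CLEAN_BUILD, PUBLISHER, True)
# Scenario 2: a backdoored build still carrying the vendor's legitimate signature.
# A signature-only check passes it; the pinned hash does not.
TROJANISED = Installer("x_trader_setup.exe", CLEAN_BUILD + b"\x00<constructed backdoor>", PUBLISHER, True)
# Scenario 3: a tool nobody reviewed -> rejected regardless of its signature.
UNREVIEWED = Installer("random_tool.exe", b"constructed bytes", "Some Publisher (constructed)", True)

if __name__ == "__main__":
    for inst in (REVIEWED, TROJANISED, UNREVIEWED):
        ok, reason = verify_installer(inst, MANIFEST)
        print(f"{inst.name}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

In practice the manifest is produced on a separate, reviewed machine and the check runs before any installer is allowed onto a workstation with build-system access.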