{"id":393,"date":"2023-04-21T09:28:00","date_gmt":"2023-04-21T08:28:00","guid":{"rendered":"https:\/\/3bdatasecurity.com\/3bds-blog\/?p=393"},"modified":"2024-11-06T15:11:06","modified_gmt":"2024-11-06T15:11:06","slug":"3cx-breached-by-double-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/3bdatasecurity.com\/3bds-blog\/3cx-breached-by-double-supply-chain-attack\/","title":{"rendered":"3CX Breach Caused by Double Supply Chain Attack"},"content":{"rendered":"\n<p>Last month, multiple cyber security companies reported malicious activity of a trojanised version of the&nbsp;3CX Desktop App that clients were using to make VoIP calls. The desktop applications for both&nbsp;Windows&nbsp;and&nbsp;macOS&nbsp;were compromised with malicious code that enabled the attackers to download and run code on all machines where the app was installed.&nbsp;<\/p>\n\n\n\n<p>It\u2019s now been reported that the compromise actually began in 2022, when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise. 
This software was a tampered installer for&nbsp;X_TRADER, a software package provided by&nbsp;Trading Technologies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>New Report Details<\/strong><\/h3>\n\n\n\n<p>The company hired an incident response firm, Mandiant, who&nbsp;<a href=\"https:\/\/www.mandiant.com\/resources\/blog\/3cx-software-supply-chain-compromise\">released a report<\/a>&nbsp;earlier this week confirming that 3CX was involved in a double supply chain compromise.<\/p>\n\n\n\n<p>The&nbsp;<a href=\"https:\/\/www.mandiant.com\/resources\/blog\/3cx-software-supply-chain-compromise\">report<\/a>&nbsp;details:<\/p>\n\n\n\n<p><em>\u201cIn&nbsp;late March, 2023, a software supply chain compromise spread malware via a trojanized version of 3CX\u2019s legitimate software that was available to download from their website\u2026<\/em><\/p>\n\n\n\n<p><em>\u201cMandiant Consulting\u2019s&nbsp;investigation of the 3CX supply chain compromise&nbsp;has uncovered the initial intrusion vector: a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER\u2026<\/em><\/p>\n\n\n\n<p><em>\u201cThe identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise. It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.<\/em><\/p>\n\n\n\n<p><em>\u201cResearch on UNC4736 activity suggests that it is most likely linked to financially motivated North Korean threat actors. 
Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea\u2019s interests.\u201d<\/em><\/p>\n\n\n\n<p>3CX has more than 600,000 customers and 12 million global users.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What to Do if You\u2019re a 3CX Customer<\/strong><\/h3>\n\n\n\n<p>We recommend that all 3CX customers who use the desktop application immediately:<\/p>\n\n\n\n<p>1. Find and terminate all running 3CX processes on Windows, macOS, Linux, and mobile systems.<\/p>\n\n\n\n<p>2. Find and remove all instances of the 3CX Desktop App on Windows, macOS, Linux, and mobile systems.<\/p>\n\n\n\n<p>3. Use the 3CX web application\/Web App (PWA) instead of the desktop application for now.<\/p>\n\n\n\n<p>4. Use an EDR solution to identify existing indicators of compromise (IoCs) associated with 3CX using YARA rules or file hashes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Get Help From the Experts<\/strong><\/h3>\n\n\n\n<p>If you need help recovering from a cyber incident,&nbsp;<a href=\"https:\/\/3bdatasecurity.com\/contact.php\">get in touch with our expert team today<\/a>.<\/p>\n\n\n\n<p>At 3B Data Security, we have extensive experience and expertise gained from conducting a wide variety of incident response and data breach investigations ranging in size and complexity.<\/p>\n\n\n\n<p>With our support and guidance, we can effectively investigate the incident and determine how the attackers have been able to exploit your environment. 
With this knowledge, we can then advise you on proactive measures to put in place to prevent an incident like this from occurring again.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last month, multiple cyber security companies reported malicious activity of a trojanised version of the\u00a03CX Desktop App that clients were using to make VoIP calls. 
<\/p>\n","protected":false},"author":5,"featured_media":394,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[20],"class_list":["post-393","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-attacks","tag-cyber-attack"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>3CX breached by double supply chain attack, find out more<\/title>\n<meta name=\"description\" content=\"Last month, cyber security companies reported malicious activity of a trojanised version of the\u00a03CX Desktop App.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/3bdatasecurity.com\/3bds-blog\/3cx-breached-by-double-supply-chain-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"3CX breached by double supply chain attack, find out more\" \/>\n<meta property=\"og:description\" content=\"Last month, cyber security companies reported malicious activity of a trojanised version of the\u00a03CX Desktop App.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/3bdatasecurity.com\/3bds-blog\/3cx-breached-by-double-supply-chain-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"3B Data Security Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/3BDSLtd\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-04-21T08:28:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-11-06T15:11:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-content\/uploads\/2024\/04\/Blog-Featured-Image-13.png\" \/>\n\t<meta property=\"og:image:width\" 
content=\"2000\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Annabelle Ilsley\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@3bData\" \/>\n<meta name=\"twitter:site\" content=\"@3bData\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Annabelle Ilsley\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/\"},\"author\":{\"name\":\"Annabelle Ilsley\",\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/#\\\/schema\\\/person\\\/f979fb9a97552f3b19fcb5a9b61349a6\"},\"headline\":\"3CX Breach Caused by Double Supply Chain Attack\",\"datePublished\":\"2023-04-21T08:28:00+00:00\",\"dateModified\":\"2024-11-06T15:11:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/\"},\"wordCount\":514,\"image\":{\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/Blog-Featured-Image-13.png\",\"keywords\":[\"cyber attack\"],\"articleSection\":[\"Cyber 
Attacks\"],\"inLanguage\":\"en-GB\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/\",\"url\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/\",\"name\":\"3CX breached by double supply chain attack, find out more\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/Blog-Featured-Image-13.png\",\"datePublished\":\"2023-04-21T08:28:00+00:00\",\"dateModified\":\"2024-11-06T15:11:06+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/#\\\/schema\\\/person\\\/f979fb9a97552f3b19fcb5a9b61349a6\"},\"description\":\"Last month, cyber security companies reported malicious activity of a trojanised version of the\u00a03CX Desktop 
App.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/#primaryimage\",\"url\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/Blog-Featured-Image-13.png\",\"contentUrl\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/Blog-Featured-Image-13.png\",\"width\":2000,\"height\":600,\"caption\":\"3CX Breach Caused by Double Supply Chain Attack\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/3cx-breached-by-double-supply-chain-attack\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"3CX Breach Caused by Double Supply Chain Attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/#website\",\"url\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/\",\"name\":\"3B Data Security Blog\",\"description\":\"News and Updates from 3B Data Security\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/#\\\/schema\\\/person\\\/f979fb9a97552f3b19fcb5a9b61349a6\",\"name\":\"Annabelle 
Ilsley\",\"url\":\"https:\\\/\\\/3bdatasecurity.com\\\/3bds-blog\\\/author\\\/ag3bds\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/posts\/393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/comments?post=393"}],"version-history":[{"count":1,"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/posts\/393\/revisions"}],"predecessor-version":[{"id":395,"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/posts\/393\/revisions\/395"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/media\/394"}],"wp:attachment":[{"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/media?parent=393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/categories?post=393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-json\/wp\/v2\/tags?post=393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}