
3CX cyber-attack highlights the risk around third-parties

By Kordia, 3 April 2023

Reports of a new supply chain attack targeting customers of a phone system have emerged over the last week, putting 12 million global users across 600,000 organisations at risk.

Multiple security firms and Government agencies have now issued advisories about an active supply chain attack on 3CX’s widely used voice and video-calling client. The attack involves the delivery of trojanised 3CXDesktopApp installers to install malware inside corporate networks of 3CX’s customers.

Alastair Miller, Principal Consultant at Aura Information Security, says hackers are strategically targeting MSPs and software vendors to get access to their customers.
“These supply chain attacks are usually carried out by sophisticated attackers - often state or state-affiliated actors, but some criminal groups have been known to use this method. Supply chain attacks are often seen as an easier way to get into otherwise advanced cybersecurity environments.”

The malware deployed within 3CX’s software can harvest system information and steal data and stored credentials from Google Chrome, Microsoft Edge, Brave and Firefox user profiles. Other observed malicious activity, according to CrowdStrike, includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads and, in a small number of cases, hands-on-keyboard activity.

Miller says this is typical of this type of attack.

“Generally, the bad actors that launch these sorts of attack are more interested in obtaining information rather than looking for an attempt to extort someone.” 

Perhaps most worrying is that the compromise seemed to evade 3CX's notice at first. The trojanised version of the 3CX desktop app had been signed with a valid digital certificate – which means that the company had pushed the version out, not knowing it was impacted by the malware.

Recent research from Kordia suggests that third-party cyber-attacks are a huge issue for Kiwi businesses. According to survey findings, 28% of businesses attacked in the past 12 months pointed to third parties as the reason behind the incident.

“This is just one of a long list of recent high-profile supply chain attacks,” says Miller, noting the similarities between 3CX and the SolarWinds and Kaseya hacks.
“The number of third-party attacks will continue to grow as attackers reap the benefit of using these vendors as a ‘backdoor’ into multiple victim organisations.”

Miller says Kiwi businesses are at risk of such attacks and should be putting in mitigations around them. 

“Supply chain attacks are very hard to stop, so your best course of action is to plan ahead. Every business should be undertaking a risk assessment of their supply chain as part of their ongoing cyber security programme, as well as ongoing monitoring around activity in third party environments,” he says. 

“Creating a business continuity plan for third party services will help you react faster if there is a third-party incident, as well as mitigate any damage done to your organisation.” 

Miller also advises pushing vendors to disclose their own defensive measures, especially during procurement stages.

“You should be asking your vendors for evidence of their track record when it comes to cyber security, to ensure they are following best practice. You need to have a level of confidence that any access they have to your systems and data will be protected to the best of their ability before you entrust them with your business.”

Need help with a third-party cyber security risk analysis? Aura Information Security can support you to assess your supply chain and develop recommendations to reduce risk. Kordia also offers managed services from our Cyber Defence Operations that can help secure your business against third party attacks. Reach out to your Aura or Kordia account manager for more information.