
Security Incident Retrospective: The 3CX Supply Chain Attack


In late March 2023, news broke that attackers were using 3CX’s desktop client to target customers in a supply chain attack. But the attack continues to fail to reach the status of "old news," as new and unexpected developments seem to crop up every few days.

If you’re unfamiliar, 3CX is a Voice over Internet Protocol (VOIP) software phone (softphone) provider, a technology that allows employees at organizations to make calls via the internet rather than a traditional phone line. Unfortunately, VOIP technology is especially enticing for a supply chain attack because while the softphone clients can be downloaded from 3CX directly, they can also be propagated to an organization’s 3CX server. Then, the software can be distributed to employees en masse. Herein lies our problem. 

Mandiant, the cybersecurity firm hired to investigate the incident and its root cause, called the 3CX breach the first confirmed instance of a "double-supply chain attack" – an event even dubbed a "supply-chain chain reaction" – where one software-supply-chain attack enabled another. 

The 3CX compromise is an interesting use case to analyze because, while this attack method is seemingly new, it is an understandable evolution in attacker technique developments, largely because of its similarities to other past, high-profile compromises.

Everything old is new again 

Following the 3CX breach, observant security practitioners may have noticed similarities to the attacks on SolarWinds, LastPass, and even Stuxnet — minus the physical damage to centrifuges. 

In the case of SolarWinds, the attackers relied on the regular distribution of software updates to propagate the exploited software onto customer systems. As mentioned, 3CX deploys updates in a very similar fashion.

While the two attacks differ, it’s not unreasonable to assert that SolarWinds acted as a proof of concept for large-scale supply chain attacks and provided a baseline of how to effectively propagate malware to a customer base using a product’s valid pre-existing flows. It’s also worth noting that following the SolarWinds breach, Gartner predicted that "by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021." 

Threat actors breached LastPass infrastructure via an employee’s personal system, allegedly via the employee’s Plex Media Platform (Plex then reported a data breach shortly after the initial LastPass breach). After leveraging the employee’s machine for access, the threat actors used it as a pivot point into LastPass’s infrastructure when the employee next connected.

We saw similar pivots with the attack on 3CX, where an employee’s personal computer was compromised after they downloaded a malicious version of X_Trader, an end-of-life financial software application. 

In December 2022, LastPass announced a secondary breach related to the initial access in August. While there is no reason to believe we will see imminent follow-on supply chain breaches from the attack on 3CX, it’s hard to determine the long-tail ramifications of this breach, and it may provide attackers with additional opportunities to pivot or compromise additional networks. 

Finally, the Stuxnet computer worm, which exploited multiple Windows zero-day vulnerabilities, started spreading in 2009 but was discovered a year later in June 2010. Despite the widespread nature of the Stuxnet infection, it only impacted a minimal set of actual targets, notably Iranian power plants. Similarly, 3CX involved a secondary malware payload that was only triggered in a handful of instances, all of which were cryptocurrency companies. This is an interesting tactic as it involves pivoting from the initial widespread infection of opportunistic targets to exceptionally specific targets of choice.

The international stage

Initial analysis showed a key in the malware that traced its origins back to North Korean state-sponsored threat actors, with Mandiant confirming the initial analysis and attribution.

North Korea is embargoed by the Office of Foreign Assets Control (OFAC), making the payment of ransoms by U.S. companies or the facilitation of ransom payments by U.S. companies illegal. When asked why he robbed banks, the infamous thief Willie Sutton replied, "Because that’s where the money is." In effect, the same is likely the case for why threat actors specifically targeted cryptocurrency companies. There are recent claims that North Korea-affiliated attackers have stolen $721 million in cryptocurrency assets from Japan since 2017, which would indicate that they have prepared to pivot to a secondary attack if a form of cryptocurrency was detected.

"Robbing a bank" in cryptocurrency terms simply means to transact with another address. Since crypto transactions aren’t reversible, an unauthorized transaction, at its core, is stealing. Directly securing the funds via an illegal act versus attempting to secure a ransom payment from an illegal act helps attackers sidestep the implications of trying to navigate the legal repercussions of dealing with an embargoed country like North Korea.

Rinse and repeat

In this particular supply chain attack on 3CX, you can see attributes of the other attacks we’ve described above, and there’s no reason to think that we won’t see permutations of attacks like these in the future. The ability to chain several styles of attacks together gives attackers multiple tactics to employ to further their campaigns, depending on their end goals.

Previous reports have alleged that North Korea’s Lazarus Group reuses stolen malware in its attacks. As early as 2017, Lazarus reportedly used open-source code from reputable organizations in their hacks. Reconfigured and reused malware may seem unsophisticated, but it allows threat actor groups to evade detection — even minor changes to a reused malware can alter the “signature” so that traditional antivirus tools will fail to detect it. 
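To make the signature point concrete from the detection side, the following added example (not part of the original post) compares an exact-hash blocklist with a byte n-gram similarity check. The byte strings are constructed stand-ins rather than real samples, and the function names, the 5-byte shingle size and the 0.8 threshold are assumptions chosen for illustration.

```python
import hashlib

# Constructed byte strings standing in for file contents; not real samples.
KNOWN_SAMPLE = b"".join(b"module-%03d:config-loader-routine;" % i for i in range(40))
# A one-byte edit in a single region, as a "reconfigured" copy might contain.
VARIANT = KNOWN_SAMPLE.replace(b"module-007", b"module-0O7")
UNRELATED = b"".join(b"%05d invoice total due on receipt\n" % (i * 37) for i in range(40))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Traditional signature: the exact hash of a previously seen file.
BLOCKLIST = {sha256_hex(KNOWN_SAMPLE)}


def exact_match(data: bytes) -> bool:
    """True only when the content is byte-for-byte identical to a known file."""
    return sha256_hex(data) in BLOCKLIST


def shingles(data: bytes, n: int = 5) -> set:
    """All overlapping n-byte windows of the content."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes) -> float:
    """Share of n-byte windows the two contents have in common (0.0 to 1.0)."""
    sa, sb = shingles(a), shingles(b)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 1.0


def classify(data: bytes, threshold: float = 0.8) -> str:
    """Exact hash first, then similarity to the known sample as a fallback."""
    if exact_match(data):
        return "known"
    if jaccard(data, KNOWN_SAMPLE) >= threshold:
        return "variant"
    return "unknown"


if __name__ == "__main__":
    for name, blob in [("known", KNOWN_SAMPLE), ("variant", VARIANT), ("unrelated", UNRELATED)]:
        print(name, exact_match(blob), round(jaccard(blob, KNOWN_SAMPLE), 3), classify(blob))
```

The edited copy misses the hash blocklist entirely but still shares almost all of its byte windows with the known sample, which is why similarity and behavior-based detections hold up better against reused code than exact signatures do.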

What you need to know moving forward

Mandiant notes in their concluding analysis of the 3CX breach that cascading supply chain compromises "can exploit network access in creative ways to develop and distribute malware, and move between target networks." While not definitive, this strongly suggests that even if the 3CX breach has finished unfolding, threat actors will likely employ cascading supply chain attacks in the future, especially with sufficient financial motivation.

Security decision-makers have a lot on their plate. Even organizations that do not support remote or hybrid work models likely need to provide access to third parties such as vendors, customers, or contract employees. Every employee or third party that accesses company data using personal devices creates risk. This can be especially true for supply chain organizations, where a network compromise can allow threat actors to pivot to target hundreds or thousands of additional victims.

Security practitioners are already aware of these risks associated with 'Bring-Your-Own-Device' (BYOD) operations, and this attack only further highlights that risk. While the fast-paced nature of today’s digital economy often necessitates some level of BYOD support, organizations should be mindful of the risk they accept in doing so. 

Get in Control

Control 2.0 is our cyber risk management platform powered by Coalition's Active Risk approach that helps to detect, assess, and mitigate risks before they strike.

Included in Control 2.0 is Vendor and Third-Party Monitoring, a feature that allows organizations to keep a careful eye on the companies and suppliers they partner with, helping to mitigate the risk of supply chain disruptions. These insights can help security decision-makers understand the ramifications of third-party risk for their organizations and respond accordingly.

Get in Control today.

