3CX, the developer of the widely-used 3CX softphone client and PBX management software, disclosed on the 29th of March that the company's softphone application installer for both Windows and macOS had been compromised in a supply-chain attack (3CX statement, CrowdStrike preliminary analysis, March 29, SentinelOne analysis). The compromised installer carried a backdoor that, post-installation on customer endpoints, communicated with attacker-controlled command-and-control infrastructure and downloaded subsequent payload stages. The threat-actor attribution has firmed up to UNC4736, a cluster associated with Lazarus Group / North Korean state intelligence, with multiple security-research firms producing converging attribution.
The technical content. The compromise mechanism appears to have included an upstream supply-chain element — Mandiant's analysis (Mandiant on UNC4736 / X_TRADER, April) indicates that the 3CX-side compromise was itself produced by 3CX engineers having installed a backdoored version of X_TRADER, a separate trading software product that had been compromised in an earlier supply-chain attack against its developer. The supply-chain-of-supply-chains pattern is operationally novel and is the part of the case that has produced the most substantive subsequent strategic conversation.
The deployment population. 3CX's customer base is approximately 600,000 organisations and 12 million daily users, on the company's published figures. The compromise distributed the backdoored installer through 3CX's normal update mechanism for several weeks before discovery, which produces a substantial population of customer organisations potentially affected. The actual operator-side post-compromise activity has, on the early reporting, been more selective than the distribution scope — most affected installations did not produce subsequent operator-side activity, with the operators' targeting being concentrated on specific high-value customers consistent with the Lazarus Group's typical economic-and-intelligence-collection priorities.
For the customer-portfolio response. The audit cycle this week has covered customer-organisation 3CX usage. We have one customer using 3CX (the manufacturer's UK operations use 3CX for internal-and-customer-side voice communication). The customer-side action has been the standard supply-chain-incident response — verification of the affected installer versions, removal of the affected versions, hunt activity for indicators-of-compromise consistent with the documented C2 communication pattern. The customer-organisation hunt activity has produced one indicator-of-interest that is in active investigation; the immediate disposition is uncertain but is being treated with appropriate seriousness.
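The three customer-side steps above (verify which endpoints run an affected installer version, remove it, hunt for the documented C2 pattern) are the kind of thing worth scripting so they run the same way across a fleet. The following is an added example, not 3CX's tooling or this newsletter's own scripts: the affected version range and the C2 domains are placeholders, because the write-up does not carry the actual indicators, and the endpoint inventory and proxy log lines are constructed.

```python
"""Triage helper for a compromised-installer incident (added example, not
3CX's or this newsletter's tooling). AFFECTED_VERSIONS and C2_DOMAINS are
PLACEHOLDERS: substitute the vendor's and responders' published values.
"""
import re
from collections import namedtuple

# PLACEHOLDER inclusive version ranges of the compromised build, per platform.
AFFECTED_VERSIONS = {
    "windows": [("1.2.300", "1.2.310")],
    "macos": [("1.2.300", "1.2.310")],
}
# PLACEHOLDER C2 domains (.example is reserved and never resolves).
C2_DOMAINS = {"c2-placeholder.example"}

Install = namedtuple("Install", "host platform product version")

# Constructed endpoint inventory; hostnames are hypothetical.
INVENTORY = [
    Install("uk-fin-01", "windows", "3CX softphone", "1.2.305"),
    Install("uk-fin-02", "windows", "3CX softphone", "1.2.299"),
    Install("uk-ops-mac-07", "macos", "3CX softphone", "1.2.310"),
    Install("uk-ops-mac-08", "macos", "OtherProduct", "1.2.305"),
]

# Constructed proxy log: timestamp, client host, method, target.
PROXY_LOG = """\
2023-03-30T09:12:01Z uk-fin-01 CONNECT c2-placeholder.example:443
2023-03-30T09:12:05Z uk-fin-02 GET https://www.example.org/
2023-03-30T09:13:44Z uk-ops-mac-07 CONNECT updates.vendor.example:443
2023-03-30T09:15:10Z uk-fin-01 CONNECT cdn.c2-placeholder.example:443
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<target>\S+)$")


def parse_version(v):
    """Dotted numeric version -> tuple, so '1.2.10' sorts after '1.2.9'."""
    return tuple(int(p) for p in v.split("."))


def is_affected(platform, version):
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi)
               for lo, hi in AFFECTED_VERSIONS.get(platform.lower(), []))


def affected_installs(inventory):
    """Step 1: endpoints still running the compromised build."""
    return [i for i in inventory
            if i.product == "3CX softphone" and is_affected(i.platform, i.version)]


def target_host(target):
    """Reduce a URL or host:port to the bare hostname (hostnames/IPv4 only)."""
    t = target.split("://", 1)[-1].split("/", 1)[0]
    return t.rsplit(":", 1)[0] if ":" in t else t


def matches_c2(hostname, c2_domains=C2_DOMAINS):
    """Exact or subdomain match; 'notc2-placeholder.example' must not hit."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in c2_domains)


def c2_hits(log_text, c2_domains=C2_DOMAINS):
    """Step 3: proxy log lines whose destination is a known C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and matches_c2(target_host(m["target"]), c2_domains):
            hits.append((m["ts"], m["host"], target_host(m["target"])))
    return hits


def triage(inventory, log_text):
    """Combine both signals into a per-host disposition."""
    affected = {i.host for i in affected_installs(inventory)}
    contacted = {host for _, host, _ in c2_hits(log_text)}
    verdicts = {}
    for host in affected | contacted:
        if host in affected and host in contacted:
            verdicts[host] = "isolate: affected build and C2 contact observed"
        elif host in affected:
            verdicts[host] = "remove: affected build, no C2 contact in logs reviewed"
        else:
            verdicts[host] = "investigate: C2 contact but no affected build in inventory"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(INVENTORY, PROXY_LOG).items()):
        print(host, "->", verdict)
```

The third disposition ("investigate") matters in practice: a host that beacons without showing an affected build in inventory usually means the inventory is stale or the agent is missing, which is exactly the gap an operator-side hunt should not ignore.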
The wider strategic point about DPRK-attributed supply-chain capability. The post-SolarWinds (Russian-attributed), post-NotPetya (Russian-attributed), post-3CX (North-Korean-attributed) pattern demonstrates that supply-chain-attack capability is now operationally available to multiple state-actor clusters with different geopolitical-and-economic-collection interests. The customer-organisation threat-modelling needs to incorporate the multi-actor-cluster supply-chain-risk dimension explicitly. The defensive disciplines — vendor-trust-verification, software-bill-of-materials, build-system-integrity, update-channel monitoring, downstream-effect monitoring — remain the substantive answer; the threat-actor population those disciplines now have to withstand is broader than the post-SolarWinds conversations had typically envisaged.
The supply-chain-of-supply-chains pattern that the 3CX case has demonstrated will, I think, be a substantive theme through 2023 and beyond. The defensive question becomes — when the customer-organisation has comprehensive vendor-trust-verification on its direct vendor relationships, what about the second-degree dependency where the vendor's own vendor has been compromised? The transitive-trust question is operationally challenging and the practical answer is going to require substantial industry-and-regulatory work over the next several years.
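The transitive-trust question above, together with the software-bill-of-materials and vendor-trust-verification disciplines listed in the previous section, becomes tractable once the dependency relationships are written down as a graph: from a compromised component, walk the dependents to find who is exposed, and from the customer organisation, walk the chain of trust to see at what vendor degree the compromise sits and which vendors on that chain fall outside the organisation's direct verification. The following is an added illustration, not tooling from 3CX, Mandiant or this newsletter; the vendors, components and the graph itself are constructed, with the "pbx-vendor" / "trading-vendor" layout standing in for the developer-workstation-to-build-pipeline path described above.

```python
"""Transitive-trust exposure over a constructed dependency graph (added
example). Node names are hypothetical: "<vendor>/<component>", with the
customer organisation as a bare node. Each key depends on each value.
"""
from collections import deque

DEPENDS_ON = {
    "customer-org": {"pbx-vendor/softphone", "crm-vendor/app"},
    "pbx-vendor/softphone": {"pbx-vendor/build-pipeline"},
    "pbx-vendor/build-pipeline": {"pbx-vendor/engineer-workstation"},
    "pbx-vendor/engineer-workstation": {"trading-vendor/desktop-client", "os-vendor/os"},
    "trading-vendor/desktop-client": {"trading-vendor/build-pipeline"},
    "crm-vendor/app": {"os-vendor/os"},
}


def dependents_index(depends_on):
    """Invert the graph: component -> set of components that depend on it."""
    rev = {}
    for node, deps in depends_on.items():
        for d in deps:
            rev.setdefault(d, set()).add(node)
    return rev


def impacted(depends_on, compromised):
    """Every component that transitively depends on the compromised one."""
    rev = dependents_index(depends_on)
    seen, queue = set(), deque([compromised])
    while queue:
        cur = queue.popleft()
        for dep in rev.get(cur, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def trust_chain(depends_on, org, compromised):
    """Shortest chain of trust from org down to compromised (BFS), or None."""
    parent = {org: None}
    queue = deque([org])
    while queue:
        cur = queue.popleft()
        if cur == compromised:
            chain = []
            while cur is not None:
                chain.append(cur)
                cur = parent[cur]
            return chain[::-1]
        for dep in sorted(depends_on.get(cur, ())):  # sorted: deterministic ties
            if dep not in parent:
                parent[dep] = cur
                queue.append(dep)
    return None


def vendor_of(node):
    return node.split("/", 1)[0]


def vendor_degree(chain):
    """Number of vendor boundaries crossed: 1 = direct vendor, 2 = vendor's vendor."""
    vendors = []
    for node in chain:
        v = vendor_of(node)
        if not vendors or vendors[-1] != v:
            vendors.append(v)
    return len(vendors) - 1


def unverified_vendors(chain, verified):
    """Vendors on the chain that the org does not directly verify, in chain order."""
    out = []
    for node in chain[1:]:
        v = vendor_of(node)
        if v not in verified and v not in out:
            out.append(v)
    return out


def exposure_report(depends_on, org, compromised, verified):
    chain = trust_chain(depends_on, org, compromised)
    return {
        "exposed": org in impacted(depends_on, compromised),
        "chain": chain,
        "vendor_degree": vendor_degree(chain) if chain else None,
        "unverified_vendors": unverified_vendors(chain, verified) if chain else [],
    }


if __name__ == "__main__":
    # The org verifies its direct vendors only, which is the gap the text describes.
    print(exposure_report(DEPENDS_ON, "customer-org",
                          "trading-vendor/build-pipeline", {"pbx-vendor", "crm-vendor"}))
```

On the constructed graph, a compromise at trading-vendor's build pipeline reaches the customer organisation at vendor degree 2 through pbx-vendor's engineer workstation, and trading-vendor is the one vendor on that chain the organisation never verified; the same walk against the OS vendor shows a degree-1 path via the CRM app even though a longer path also exists, which is why the shortest chain, not just reachability, is what a risk register should record.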
I will return to this. The 3CX case will produce learning that the customer-organisation programmes will absorb through Q2 and beyond.