Type: Incident
Actors:
Pub. date: March 29, 2023
Initial access: Unknown
Impact: Supply chain attack
References:
- https://zetter.substack.com/p/updates-and-timeline-for-3cx-and
- https://zetter.substack.com/p/software-maker-3cx-was-compromised
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
- https://www.wired.com/story/3cx-supply-chain-attack-north-korea-cryptocurrency-targets/
- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
- https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
- https://www.3cx.com/blog/news/security-incident-updates/
- https://www.bleepingcomputer.com/news/security/cryptocurrency-companies-backdoored-in-3cx-supply-chain-attack/
Status: Featured
Last edited: Jun 2, 2024 11:58 AM
In March 2023, a North Korean threat actor (dubbed “SmoothOperator”) gained access to 3CX, a VoIP vendor, and inserted a backdoor into its desktop product. The backdoor was used to target some of 3CX's customers, primarily crypto companies. Researchers later discovered that 3CX itself had been infected via a supply chain attack on another company, Trading Technologies, that occurred in November 2021.
Takeaways
- For end-users – prefer web apps to desktop apps (wherever feasible)
- For vendors – enforce app allowlisting on endpoints (wherever feasible)