3CX Supply Chain Attack: 8 Biggest Things To Know
We break down what you need to know about the compromise of widely used phone system software from 3CX, which is being likened to the attacks on SolarWinds and Kaseya.
Potentially ‘Massive’ Attack
The supply chain compromise of a widely used VoIP phone system vendor, 3CX, has led to attacks against numerous customers and prompted comparisons to some of the largest breaches in recent memory — including the 2020 attack on SolarWinds and the 2021 breach of Kaseya. And it could end up being an even bigger supply chain attack than SolarWinds, given that 3CX reports having more than 600,000 customers, double the number of SolarWinds customers at the time of the attack on that company.
At the same time, the 3CX attack — which was first caught earlier this week by threat hunters at CrowdStrike — was discovered much sooner than the attack against SolarWinds, taking only weeks to be caught instead of months, said Adam Meyers, head of intelligence at CrowdStrike, in an interview with CRN. “This gives you some sense that some of us are stepping up and catching these things in a much faster cadence,” Meyers said.
Both the Windows and macOS versions of the 3CX app are affected, executives from 3CX acknowledged Thursday. Reports from researchers at numerous security vendors since Wednesday have pointed to an active campaign using a compromised version of the 3CX app to target the company’s customers. Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.
Researchers from CrowdStrike, Sophos and SentinelOne disclosed that they’ve observed malicious activity originating from a trojanized version of the desktop VoIP app from 3CX. CRN has reached out to 3CX for comment.
Researchers from CrowdStrike have attributed the attack to a group working on behalf of the North Korean government.
Ultimately, “this has the potential to be a massive supply chain attack, likened well enough to the SolarWinds incident or the Kaseya VSA ransomware attack in years past,” wrote John Hammond, senior security researcher at Huntress, in a post Thursday.
As with the SolarWinds breach, the 3CX attack poses a major concern because “the attacker needs to only carry off one successful attack to get their bad code somewhere, and then thousands of people download that bad code,” said Christopher Budd, senior manager of threat research at Sophos, in an interview with CRN Thursday. “If I wanted to compromise 100 companies, my choices are to carry out 100 attacks — or figure out where those 100 companies are going to get [an application] and download it, and carry off one attack, and get them to download it for me.”
What follows are the eight biggest things you need to know about the 3CX supply chain attack.