Case Study: 3CX Supply Chain Attack

In March 2023, the company 3CX, a provider of voice-over-IP solutions, was compromised by a threat actor attributed to North Korea (Lazarus/Hidden Cobra/Labyrinth Chollima). The actor then proceeded to infect 3CX build pipeline to use it as a supply chain attack to compromise third parties.

In this supply chain attack, the legitimate auto-updater for the 3CX desktop client would download trojanized DLLs from the 3CX website and become infected in the process. This would load a backdoor on the computer, starting automatically with the auto-launch version of the 3CX desktop software. In a few cases, presumably high-priority targets for the threat actor, follow-up actions on keyboard from malicious operators were observed.

In the case of CYDEF customers, we can say that one customer was affected, but no actions on keyboard were taken. However, we could only identify the customer after the attack became public; here is why.

Where CYDEF can’t help

Because this attack occurred mainly in memory (via loading DLLs) in a manner very similar to an update process, we did not initially flag the activity as malicious. Neither did other vendors. 3CX even identified the attack as a false positive.

In fact, we had seen similar activity from this process multiple times.

How CYDEF does help

  1. First, once the malicious indicators were published, we could quickly validate if any of our clients were affected via the IoC explorer available in our customer portal. In the IoC explorer, we could also tell when the malicious updates were loaded. Should the customer require additional incident investigation, this scoping of the timeline would have been very useful. However, additional incident investigation was not required in this case because of the second benefit.
  2. Second, because we track all behavioural activity, we can confirm that no additional malicious activity other than the DLL drop (e.g., actions on keyboard) had occurred on the affected customer’s system. . This helped the customer maintain an appropriate scope when performing remediation actions.Other vendors may be able to do this, but it tends to be a very costly and time-consuming process.

CYDEF is unique because we built the only endpoint security solution based on exception management. As a result, we don’t score threats to determine what to investigate. Instead, we baseline ‘normal’ endpoint activities (Application Process and Behavior Analytics) and investigate all anomalies.

This highly procedural process ensures that 100% of your telemetry is reviewed. It’s a continuous threat hunting process with measurable, relevant outcomes.

The result is a simple, affordable, and more effective solution. And it’s managed for you.

Learn more

To learn more about our unique approach to endpoint security, contact us to book your discovery call today.