The compromise of the 3CX communication software made history as the first-ever publicly documented incident of one supply-chain attack leading to another. Two critical infrastructure organizations in the energy sector and two organizations in the financial sector are among the confirmed victims.
A supply-chain attack attempts to evade cybersecurity defenses by infiltrating a victim’s system through a trusted external provider’s software update mechanisms.
The campaign targeting 3CX started with a trojanized version of the unsupported X_TRADER financial software. This subsequently led to the compromise of the company, its software, and its customers. Data from ESET telemetry suggest that there were hundreds of malicious 3CX applications used by clients.
Once the X_TRADER software with trojanized Dynamic Link Library (DLL) is installed, it gathers information, steals data, including credentials from several browsers, and enables the attackers to issue commands on a breached computer. This unprecedented access was also used to compromise 3CX’s software, using it to deliver information-stealing malware to corporate customers of the company.
While investigating the related campaign called Operation DreamJob targeting Linux users, ESET researchers found links to the Lazarus group, a North Korea-aligned threat actor.
However, the question is, how can a company defend itself in cases when all its security layers are in place but the danger comes from a provider or a trusted partner?
How did the malware spread?
X_TRADER is a professional financial trading tool developed by Trading Technologies. The company decommissioned this software in April 2020, but it remained available to download even in 2022. Meanwhile, during that time, the vendor’s website was compromised, offering a malicious download instead. Lazarus probably penetrated Trading Technologies in 2022. While Trading Technologies stated that their clients received multiple communications over an 18-month sunset period notifying them that the company would no longer support or service X_Trader beyond April 2020, it seemingly fell on deaf ears as people continued to download the software, which was now compromised.
“There was no reason for anyone to download the software given that TT stopped hosting, supporting, and servicing X_Trader after early 2020,” reads their statement. The company further disclosed that fewer than 100 individuals downloaded the compromised X_Trader package between Nov. 1, 2021, and July 26, 2022–a small number, but one that has had a cumulative effect.
One of the individuals who downloaded X_Trader was a 3CX employee, who installed the compromised software on their personal computer. The software contains malware that ESET detects as Win32/NukeSped.MO (aka VEILEDSIGNAL).
“Following the initial compromise of the employee’s personal computer using VEILEDSIGNAL malware, Mandiant assesses the threat actor stole the employee’s 3CX corporate credentials from his system. VEILEDSIGNAL is a fully featured malware that provided the threat actor with administrator-level access and persistence to the compromised system,” 3CX Chief Network Officer Agathocles Prodromou wrote on the company’s blog.
Several lessons can be learned from this story. Let’s start from the beginning:
1. Use verified and updated software from a legitimate source
The whole compromise started with an employee downloading a software app that had not been supported since April 2020. This should be a reminder of why it is crucial to use verified and updated software, as unsupported software can be easily exploited.
When downloading software, compare its hash with the one provided by the vendor. Vendors often publish hashes beside download links, or you can contact them directly and ask for those hashes. If those hashes don’t match, you are downloading altered software.
Likewise, be sure you are downloading software from a legitimate website, because scammers can create a fake website impersonating the original one.
If you are unsure about the legitimacy of a file hash or a website, consider checking VirusTotal. It is a free search-engine-like tool that inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content. It can analyze files, domains, IP addresses, and URLs to tell whether a given antivirus solution detected a submitted file as malicious. It also runs samples in several sandboxes.
2. Make your employees less vulnerable
After the malicious software was installed on the 3CX employee’s personal computer, the attack progressed. Consequently, the threat actors were able to steal the employee’s credentials and penetrate 3CX’s entire corporate system.
The best practice to avoid such situations is to use data encryption and multi-factor authentication to ward off illegitimate access to enterprise systems, creating multiple layers of defense to make it much harder for crooks to gain access.
Similarly, access rights should be more tightly managed. There is no need for all employees to have the same access rights to all company environments. Certainly, admins and software engineers need broader access, but their access permissions can also differ.
Sensitive data should also be kept from employees’ devices and shared only through a secure cloud system, best protected by additional cloud and server security.
3. Follow a strong password policy
Having a strong password policy can go a long way in preventing attacks, but bullying your employees with constant password changes and extensive requirements for password complexity is unnecessary. The current trend is to replace standard passwords with passphrases, a more secure and harder-to-guess alternative to passwords.
In the past, a password that was considered strong had at least eight characters, including uppercase and lowercase letters, at least one number, and a special character. This approach caused a problem, as remembering dozens of different complex passwords across all used websites and devices was a pain, so people tended to reuse the same password in different places, leaving them more vulnerable to brute-force attacks and credential stuffing.
Therefore, experts no longer demand a string of random characters, but instead advise using phrases that are easy to remember. These passphrases should still contain numbers and special characters, including emojis, to prevent machines from guessing them easily. Passkeys are also an alternative worth mentioning, as they use encryption for higher protection.
4. Consider privileged access management
Privileged access management (PAM) prevents attackers from reaching privileged corporate accounts, such as those of managers, auditors, and admins, with access to sensitive data.
To defend such valuable accounts from being compromised, there should be some extra layers of protection: just-in-time access to critical resources, monitoring of privileged sessions, and stricter password policies, to name a few.
Suppliers and partners present a pathway to your system via a supply-chain attack. Therefore, establishing strict security requirements for them is a good idea. You may also conduct third-party data leak detections or a security assessment to find any data leaks and security holes before hackers can have a chance to exploit them.
5. Apply the latest patches
As part of the 3CX supply-chain attack, the threat actors exploited a vulnerability in a signature verification function in Windows that Microsoft fixed in 2013.
However, this case is specific because the fix is optional, probably due to a concern that applying the fix means Windows no longer verifies the signatures of non-compliant files. This gives hackers ample room to act as, in order to trojanize the 3CX app, the attackers inserted malicious code into two DLLs used by it in such a way that vulnerable Windows systems would still verify the signatures.
Fixing vulnerabilities by vendors is key in preventing threats, so whenever possible, get the latest security patches and app and OS updates as soon as they are available.
6. Set your security standards high
Start with proper antimalware software. Leading cybersecurity solutions offer multilayered protection that can recognize known threats before their download or execution.
In cases when malware has already infected a device, your protection should detect and respond to malware that may attempt to wipe files or encrypt them, such as wipers or ransomware.
Don’t forget to check whether you have the latest version of your endpoint protection.
The next step is to reduce your attack surface. As the 3CX attack demonstrates, vulnerabilities are not only a software issue–simple human error can just as well lead to devastating consequences.
Companies should also prepare security response plans for incidents. These usually include preparation, detection, response, recovery, and post-incident analysis. Likewise, don’t forget to continuously back up your files to ensure business continuity in case of a disruption.
Lesson learned: (Cyber)security is as much about humans as it is about software
The conclusion is clear: The 3CX attack demonstrated how insidious supply-chain attacks can be, but the most important matter it highlighted is that all it takes is a single act of human error, and the whole house of cards falls flat.
Hopefully, after reading this blog, you will better understand how to prepare against threats vectoring from software vendors and suppliers, and while human error is a given, a sound cybersecurity posture can at least alleviate most cyber fears.