3CX Supply Chain Attack
What is 3CX Supply Chain Attack?
A March 2023 cascading supply-chain attack in which North Korean actors trojanized the 3CX softphone, reaching downstream customers worldwide.
In March 2023, Mandiant and CrowdStrike disclosed that the 3CX DesktopApp softphone, used by more than 600,000 organizations, had been trojanized with a backdoor called TAXHAUL / SUDDENICON. The compromise traced back to an earlier breach of Trading Technologies' X_TRADER software via a malicious installer, marking the first publicly documented cascading software supply-chain attack. The activity was attributed to North Korea's UNC4736, a cluster associated with Lazarus. Infected 3CX builds delivered an information stealer named ICONIC STEALER and Gopuram, with a focus on cryptocurrency firms. Remediation required uninstalling affected versions, deploying patched 3CX builds and hunting for follow-on implants.
● Examples
- 01
A signed but trojanized 3CX update deploys ICONIC STEALER to harvest browser data on a finance team's laptops.
- 02
Defenders block 3CX update endpoints and rebuild affected workstations after the Mandiant advisory.
● Frequently asked questions
What is 3CX Supply Chain Attack?
A March 2023 cascading supply-chain attack in which North Korean actors trojanized the 3CX softphone, reaching downstream customers worldwide. It belongs to the Vulnerabilities category of cybersecurity.
How does 3CX Supply Chain Attack work?
In March 2023, Mandiant and CrowdStrike disclosed that the 3CX DesktopApp softphone, used by more than 600,000 organizations, had been trojanized with a backdoor called TAXHAUL / SUDDENICON. The compromise traced back to an earlier breach of Trading Technologies' X_TRADER software via a malicious installer, marking the first publicly documented cascading software supply-chain attack. The activity was attributed to North Korea's UNC4736, a cluster associated with Lazarus. Infected 3CX builds delivered an information stealer named ICONIC STEALER and Gopuram, with a focus on cryptocurrency firms. Remediation required uninstalling affected versions, deploying patched 3CX builds and hunting for follow-on implants.
How do you defend against 3CX Supply Chain Attack?
Defences combine technical controls and operational practices: uninstall the affected 3CX DesktopApp versions, deploy the patched 3CX builds, block the malicious update endpoints, rebuild affected workstations, and hunt for follow-on implants such as ICONIC STEALER and Gopuram, as described in the full definition above.
What are other names for 3CX Supply Chain Attack?
Common alternative names include: 3CX DesktopApp compromise, TAXHAUL, SUDDENICON.
● Related terms
- Supply Chain Attack (attacks)
An attack that compromises trusted third-party software, hardware, or a service provider in order to reach its downstream customers.
- Backdoor (malware)
A covert mechanism that bypasses normal authentication or access controls to give an attacker future entry to a system.