The 3CX Breach: A Wake-up Call on the Risks of Software Supply Chain Attacks
Mandiant, a well-known incident response firm, disclosed findings that suggest the 3CX supply chain compromise had an unprecedented cause: a prior software supply chain attack.
What makes this attack stand out compared to the SolarWinds attack in 2020 is that a previous software supply chain attack led to this one. First, a software package distributed by the financial software firm Trading Technologies was tampered with; the 3CX breach then followed from that compromise.
As a cybersecurity company, we have seen many companies fall victim to software supply chain attacks. However, the recent breach of 3CX has brought the issue to the forefront of many people’s minds. In this article, we will discuss how the 3CX breach happened, the impact of software supply chain attacks, and how to prevent them.
When reading, please keep in mind that Log4j is still widely deployed, and attacks that piggyback on earlier compromises are likely to become a recurring pattern.
How the 3CX Breach Happened
3CX Desktop App is enterprise software providing chat, video calls, and voice calls. In late March 2023 it came to light that a malicious component had slipped into certain versions of the Electron-based desktop app as part of its bundled libraries. The affected builds were released and published on the vendor's website. All of that sounds very similar to the SolarWinds hack of 2020.
The trojanized builds contained a downloader that fetched and installed additional payloads, eventually giving the attacker access to the networks and data of 3CX customers who had installed the infected updates.
The attack on 3CX is a clear example of a software supply chain attack using manipulated public software libraries.
"Mandiant Consulting identified an installer with the filename X_TRADER_r7.17.90p608.exe (MD5: ef4ab22e565684424b4142b1294f1f4d) which led to the deployment of a malicious modular backdoor: VEILEDSIGNAL.
Although the X_TRADER platform was reportedly discontinued in 2020, it was still available for download from the legitimate Trading Technologies website in 2022. This file was signed with the subject “Trading Technologies International, Inc” and contained the executable file Setup.exe that was also signed with the same digital certificate." VEILEDSIGNAL Backdoor Analysis, mandiant.com
"The attacker used a compiled version of the publicly available Fast Reverse Proxy project, to move laterally within the 3CX organization during the attack. The file MsMpEng.exe (MD5: 19dbffec4e359a198daf4ffca1ab9165), was dropped in C:\Windows\System32 by the threat actor."
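The two MD5 values and the dropped-file location quoted above are enough to sweep a fleet for this specific intrusion. The following script is an added example (not Mandiant's or 3CX's tooling) that runs those indicators over a file-inventory export; the `host,path,md5` CSV layout is an assumed EDR export format and the sample rows are constructed. Besides the hash match, it flags any `MsMpEng.exe` outside the directories the genuine Windows Defender engine runs from, since a hash-only rule misses a recompiled proxy binary.

```python
"""Hunt for the 3CX-related indicators quoted above in a file-inventory export.

Added example, not Mandiant's or 3CX's tooling. The CSV layout (host,path,md5)
is an assumed EDR/inventory export format; the sample rows are constructed.
"""
import csv
import io
import ntpath  # handles Windows paths on any host OS

# MD5 indicators quoted from the Mandiant write-up above
IOC_MD5 = {
    "ef4ab22e565684424b4142b1294f1f4d": "X_TRADER_r7.17.90p608.exe (VEILEDSIGNAL installer)",
    "19dbffec4e359a198daf4ffca1ab9165": "MsMpEng.exe (compiled Fast Reverse Proxy)",
}

# The genuine Windows Defender engine runs from these locations (the Platform
# directory holds versioned subfolders). A copy of MsMpEng.exe in
# C:\Windows\System32 is masquerading, whatever its hash.
EXPECTED_MSMPENG_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def msmpeng_path_is_expected(path: str) -> bool:
    """True if the file sits in, or below, a known Defender directory."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return any(directory == d or directory.startswith(d + "\\")
               for d in EXPECTED_MSMPENG_DIRS)


def scan_inventory(csv_text: str):
    """Return (host, path, reason) tuples; a row can yield more than one finding."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, path = row["host"], row["path"]
        md5 = row["md5"].strip().lower()  # exports vary in hex case
        if md5 in IOC_MD5:
            findings.append((host, path, "known-bad MD5: " + IOC_MD5[md5]))
        if (ntpath.basename(path).lower() == "msmpeng.exe"
                and not msmpeng_path_is_expected(path)):
            findings.append((host, path, "MsMpEng.exe outside Windows Defender directories"))
    return findings


# Constructed sample export: one hash hit, one legitimate Defender binary,
# one path+hash hit, and one path-only hit (recompiled proxy, different hash).
SAMPLE_INVENTORY = r"""host,path,md5
ws01,C:\Users\alice\Downloads\X_TRADER_r7.17.90p608.exe,EF4AB22E565684424B4142B1294F1F4D
ws01,C:\Program Files\Windows Defender\MsMpEng.exe,0123456789abcdef0123456789abcdef
srv02,C:\Windows\System32\MsMpEng.exe,19dbffec4e359a198daf4ffca1ab9165
srv03,C:\Windows\System32\MsMpEng.exe,fedcba9876543210fedcba9876543210
"""

if __name__ == "__main__":
    for host, path, reason in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {path} -> {reason}")
```

Run against a real export, expect the srv03-style hit to be the interesting one: the attacker can recompile Fast Reverse Proxy at will, but the masquerading path is a choice that survives recompilation.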
Software Supply Chain Best Practices
From a DevSecOps perspective, there are several countermeasures that can be implemented to prevent similar attacks:
- Secure software supply chain management: All third-party libraries and components used in development must be vetted and verified before use. A rigorous vetting process should evaluate the origin and security posture of each library, and only components from trusted sources, with known vulnerabilities assessed and tracked, should enter the build. Having dynamic and actionable SBOM information is important.
- Code review: A thorough code review process can help detect malicious code that has been slipped into the software. Reviews should be conducted regularly and combine automated analysis with manual inspection.
- Continuous integration and deployment (CI/CD): A CI/CD pipeline automates the build and ensures that every code change is tested and checked for security vulnerabilities before deployment. CI/CD pipelines are also the right place to record provenance and enforce policy: block unknown and untrusted components as early as possible.
- Least privilege access: Users and applications should only have the minimum resources and permissions required for their tasks. This limits the attack surface and contains the impact of a breach.
- Endpoint security: Endpoint measures such as antivirus, intrusion detection systems, and host firewalls help detect and prevent attacks on individual machines.
- Incident response plan: An effective incident response plan helps detect and respond to security incidents quickly, minimizing the impact of a breach. It should include clear procedures for identifying and containing incidents, as well as guidelines for communicating with customers and stakeholders.
Provenance is key
Provenance establishes the origin and history of the software components used in the development process. It is critical to know where a component comes from, who built it, and what changes were made to it before trusting it. Don't simply trust the digital signature: a valid signature proves only that the publisher's key signed the file, and in this case the trojanized X_TRADER installer carried a legitimate Trading Technologies certificate.
In the case of the 3CX attack, the malicious component was introduced into certain versions of the Electron App through manipulated public software libraries. Had the provenance of these libraries been properly verified, the attack might have been prevented: knowing the origin of each library and the changes made to it could have exposed the injected code.
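Concretely, "verify provenance, not just the signature" means pinning the artifact to a digest recorded by an independent build-provenance document and checking who built it, in addition to checking who signed it. The following is an added example of such a gate, covering both the CI/CD policy point above and this section; it is not 3CX's, Trading Technologies' or Trustcenter's code. The provenance record follows the in-toto Statement shape (`subject` + `predicate`); the `predicate.builder.id` field, the builder URL and the installer bytes are assumptions constructed for the demo, and the signer name is passed in as if already extracted from an Authenticode check.

```python
"""Accept an artifact only if its digest matches an independently produced
provenance record and the recorded builder is trusted; a valid publisher
signature is necessary but not sufficient.

Added example, not 3CX's, Trading Technologies' or Trustcenter's code.
Statement layout follows the in-toto Statement shape; the predicate fields,
builder id and sample bytes below are assumptions constructed for the demo.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
TRUSTED_BUILDERS = {"https://ci.example.invalid/builders/release"}   # assumption
EXPECTED_SIGNER = "Trading Technologies International, Inc"          # from the quote above


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_statement(name: str, data: bytes, builder_id: str) -> str:
    """What the build pipeline would emit at release time (constructed shape)."""
    return json.dumps({
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": "https://example.invalid/provenance/v1",   # assumption
        "predicate": {"builder": {"id": builder_id}},
    })


def verify_artifact(name, data, statement_json, signer,
                    trusted_builders=TRUSTED_BUILDERS, expected_signer=EXPECTED_SIGNER):
    """Return (ok, reasons). All failing checks are reported, not just the first."""
    reasons = []
    if signer != expected_signer:
        reasons.append(f"unexpected signer {signer!r}")
    try:
        st = json.loads(statement_json)
    except ValueError:
        return False, ["provenance is not valid JSON"]
    if st.get("_type") != STATEMENT_TYPE:
        reasons.append("unexpected statement type")
    subjects = {s.get("name"): s.get("digest", {}).get("sha256", "").lower()
                for s in st.get("subject", [])}
    expected = subjects.get(name)
    if expected is None:
        reasons.append(f"no provenance subject for {name}")
    elif expected != sha256_hex(data):
        reasons.append("sha256 mismatch: artifact does not match provenance")
    builder = st.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        reasons.append(f"untrusted builder {builder!r}")
    return not reasons, reasons


# Constructed installer bytes; the real file's contents are not on this page.
INSTALLER = b"MZ\x90\x00" + b"Setup.exe demo payload " * 16
GOOD_STATEMENT = build_statement("Setup.exe", INSTALLER, "https://ci.example.invalid/builders/release")


def demo():
    """Three cases: clean release, signed-but-tampered file, attacker-supplied provenance."""
    return {
        "clean": verify_artifact("Setup.exe", INSTALLER, GOOD_STATEMENT, EXPECTED_SIGNER),
        # Same legitimate signer, modified bytes: signature-only checks would pass this.
        "tampered": verify_artifact("Setup.exe", INSTALLER + b"\x90", GOOD_STATEMENT, EXPECTED_SIGNER),
        # Attacker ships provenance for the tampered bytes from a builder we do not trust.
        "forged": verify_artifact("Setup.exe", INSTALLER + b"\x90",
                                  build_statement("Setup.exe", INSTALLER + b"\x90",
                                                  "https://attacker.invalid/builder"),
                                  EXPECTED_SIGNER),
    }


if __name__ == "__main__":
    for case, (ok, reasons) in demo().items():
        print(f"{case}: {'ACCEPT' if ok else 'REJECT'} {reasons}")
```

The "forged" case is why the builder allowlist matters: the digest check alone is satisfied by any provenance document the attacker writes for their own file, so the record must come from (and be attributable to) a build system the consumer already trusts, and the statement itself should be carried in a signed envelope verified before this policy runs.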
Provenance also helps with accountability in case of security breaches. By tracking the origin and history of software components, it is easier to identify the parties responsible for any security issues and hold them accountable.
In summary, provenance is crucial in software development because it helps ensure the security and trustworthiness of the software components used, and it provides a clear accountability trail in case of security breaches.
Trustcenter is about Provenance
Provenance is a critical factor in preventing supply chain attacks. Trustcenter is an excellent solution that emphasizes the importance of provenance by providing a secure platform for software vendors to distribute their products. The platform uses robust code signing and secure distribution methods to guarantee the authenticity and integrity of the software during distribution.
By emphasizing the importance of provenance, Trustcenter helps organizations verify the authenticity of the software they receive and detect any tampering attempts during distribution. This reduces the risk of supply chain attacks and increases the trustworthiness of the software components used in the development process.
In conclusion, the 3CX breach underscores the importance of provenance in preventing supply chain attacks. To mitigate the risk of supply chain attacks, organizations should conduct supply chain risk assessments, implement secure development practices, and prioritize software integrity verification. Network segmentation and employee training are also essential. Moreover, solutions like Trustcenter provide an additional layer of protection by ensuring the authenticity and integrity of the software components used in the development process.