Risk & Repeat: Inside the 3CX supply chain attack
This podcast episode discusses the 3CX supply chain attack, where it may have started, who was behind it and how the unified communications vendor has responded to the incident.
Unified communications vendor 3CX confirmed last week that it suffered a supply chain attack at the hands of an unnamed threat actor, but it remains unclear where the attack began.
3CX CISO Pierre Jourdan said in a blog post on March 30 that multiple versions of the vendor's Electron Windows App were affected by malicious code stemming from an apparent "targeted attack from an advanced persistent threat, perhaps even state sponsored, that ran a complex supply chain attack."
Jourdan also mentioned at the time that the attack appeared to involve "one of the bundled libraries that we compiled into the Windows Electron App via GIT." CEO Nick Galea said in a forum post on March 30 that the attack happened because an "upstream library we use became infected."
Initial reports from security vendors like SentinelOne and CrowdStrike revealed that the primary point of infection was a file titled "ffmpeg.dll," a reference to the multimedia framework FFmpeg. In response to this detail and the 3CX executives' statements, FFmpeg said via tweet that the open source project only handles source code and not compiled files. 3CX has since seemingly backtracked from the "upstream library" statements.
According to a CrowdStrike research blog originally published March 29, elements of the 3CX attack were consistent with a separate cyber attack in early March attributed to North Korean advanced persistent threat Lazarus Group. Additionally, a Kaspersky Lab blog post connected the campaign to attacks on cryptocurrency companies.
TechTarget editors Rob Wright and Alex Culafi discuss the 3CX supply chain attack and supply chain attacks overall on this episode of the Risk & Repeat podcast.
Alexander Culafi is a writer, journalist and podcaster based in Boston.