Last month, VoIP provider 3CX experienced a data breach after an employee downloaded a trojanized version of Trading Technologies’ X_Trader software. After breaking into the vendor’s environment, North Korean threat actors then used an exploit to ship malicious versions of the 3CX desktop app to downstream customers as part of a software supply chain attack.  

The incident resulted in the compromise of two critical infrastructure organizations and two financial trading entities. It’s one of the first known instances where a threat actor chained together two supply chain attacks in one.  

More importantly, this high-profile breach highlights the havoc that third-party compromise can wreak on an organization, and shows that organizations need to focus on mitigating upstream risk if they want to avoid similar incidents in future.  

After all, when considering that supply chain attacks increased by 633% over the past year, with 88,000 known instances, security leaders can’t afford to assume that these attacks are rare or infrequent. 

Understanding the risk of software supply chain attacks  

Ever since a Russian cybergang orchestrated the supply chain breach in December 2020 to gain access to SolarWinds internal systems and shipped malicious updates to customers, as well as opening up access to as many 18,000 SolarWinds customers, these styles of attacks have remained a persistent threat to organizations. 

One of the main reasons for this is that they’re cost effective. For financially and espionage-motivated cybercriminals, supply chain attacks are a go-to choice because an organization can hack a single software vendor and gain access to multiple downstream organizations to maximize their reach. 

At the same time, the ability of an intruder to situate themselves in-between the vendor and customer’s relationship, puts them in a position to move laterally between multiple organizations at a time to gain access to as much data as possible. 

“Supply chain attacks are very difficult to pull off, but highly cost effective if they succeed, since they open a very wide attack surface, usually known and available exclusively to the attacker. This creates a ‘hunting ground,’ or even a sort of ‘buffet’ in which the threat actor has their choice of target organizations and can operate with fewer constraints,” said Amitai Cohen, attack vector–intel lead at Wiz, in an email to VentureBeat. 

“For end-user software, the threat actor can gain initial access to every workstation or server in the target organization’s network on which the app is installed,” Cohen said. 

What makes the 3CX breach stand out 

According to Mandiant consulting, the team that discovered the initial compromise vector of the breach, the incident was notable not just because of the linked software supply chain attacks, but because it highlighted that the North Korean threat actor, referred to as UNC4736, has developed the ability to launch these attacks. 

“These types of breaches have been happening for a long time. This one was notable because it was the first time we had seen these things kind of daisy-chained together, where one sort of led to another,” said Ben Read, Mandiant director of cyber-espionage analysis, in an interview with VentureBeat. He added the attack also alerted security experts that “North Korea has the technical ability to carry these things off.”

Another concerning element of this incident is the fact that the breach remained undiscovered for a significant period of time, leading to concerns that there could be other unknown organizations affected.  

“And the other part is that the Trading Technologies [breach] occurred back in the spring of 2022 and as far as we’re aware, the specifics of it hadn’t come to light before now. So there’s a possibility that this has happened in other places and no one has found it yet,” Read said. 

More to come from UNC4736

At this stage, it’s too early to say whether the success of this breach will inspire other threat actors to launch similar attacks. However, Symantec principal intelligence analyst Dick O’Brien, who has been closely monitoring the incident, believes that the UNC4736 group behind the attack are likely to conduct similar attacks in future. 

“We’re seeing a North Korean sponsored actor getting its foothold into multiple organizations in multiple geographies. And while the motivation right now seems to be probably financial; with North Korea, you can never really rule out anything else occurring,” O’Brien said. 

“I wouldn’t be surprised at all if we see another supply chain attack from this group,” O’Brien said. “I think that the reach this group has gotten through the supply chain attacks is a cause for concern.” 

As a result, organizations need to be hardening their internal network controls to prevent such actors from moving laterally from system to system, as part of what Read calls an “assume compromise” approach. 

In practice, this means incorporating network segmentation, which is dividing a network into smaller parts and implementing zero trust access controls to limit privileged access to resources. That way, if an attacker does gain access to the environment, their mobility is limited, making the incident easier to contain. 

How organizations can mitigate third-party risk

While internal controls like network segmentation and zero-trust access controls go some way to mitigating the risk of lateral movement once an attacker has entered an organization’s environment, they do little to address the risks of an upstream software vendor being breached in the first place. 

Given that organizations can’t control the internal security practices and processes of third-party vendors, Cohen argues customers need to “choose vendors with a proven security track record.” 

Gartner suggests that organizations can test the security standing of a vendor by conducting due diligence in the form of risk assessments, not just prior to signing a contract with a third party, but throughout the entire commercial relationship. 

As part of the risk assessment, an organization should request internal audits and risk reports, issue questionnaires, and analyze broader industry data (e.g., does the organization belong to an industry at higher risk of cyberattacks) to quantify the level of risk presented by a commercial partnership. 

It’s also useful to review what regulations the organization is compliant with and verifying proof of any certifications issued by third-party standard assessment organizations, such as the ISO, to better understand the level of controls implemented within the environment.  

While due diligence alone won’t mitigate third-party risk completely, it can help enterprises screen out vendors with less-defined or effective security procedures.