TIPS #2: Victim vs. Vector – How should CXOs respond to emergent events like the 3CX hack?

04.17.23 | Shane Shook | Blog Post

Welcome to the second edition of #ForgepointTIPS (Threat Intelligence Portfolio Spotlight), where we examine the latest cybersecurity trends and threats and provide actionable insights for industry decision-makers. Today we explore #3CXwhat we know (and don’t), what history can teach us about assumptions, and how CXOs should respond to supply chain attacks. Helpful reading? Subscribe and tell a friend…

Issue: 3CX hack is a significant software supply chain breach

The 3CX hack is the latest example of how our understanding of supply chain attacks will evolve – as we learn the way victims are impacted and by which vectors. Let’s take a look at the 3CX hack against the lens of past experiences.

On March 30th, VoIP provider 3CX, which serves over 600,000 companies globally and has over 12 million daily users, was hacked via a significant breach of the software supply chain. Attackers delivered malware through legitimate software updates that 3CX pushed to its customers.

Current information suggests the attacker may be North Korean group Labyrinth Chollima (associated with “Lazarus Group”). The group has previously perpetrated broad initial access and opportunistic activities (DDOS, cryptomining and similar) – followed by actions against select targets to achieve objectives of espionage or business damage/interruption (via wipers, ransomware, or media exposure of sensitive information).

Impact: The blurry lines of known and unknown in supply chain (software and services) attacks 

According to public information, more than 70% of 3CX customers are IT services and audit/compliance providers – pointing to potential targeting of specific industries. The actual targets – be it service providers or their clients – remain unknown, as does the intended impact. Previous supply and service chain attacks have shown that what we initially believe about an attack is often different from what we learn over time.


The Solarwinds attack perpetrated by APT29 exploited Solarwinds software used by Managed IT Services Providers (initial victim) to gain select access to target victims. The attackers’ vector involved inserting malicious code into the Orion IT Monitoring and Management Software. Although it was estimated that as many as 18,000 customers may have downloaded the malicious software update, only 100 companies and a dozen US Federal Agencies were target victims subsequently exploited for objective activities. APT29 is believed to be a Russian state-sponsored group.

Solarwinds taught us that a vector can create numerous initial victims in a supply chain attack, but the target victims and ultimate objectives of the attack aren’t known initially.

Cloud Hopper

The Cloud Hopper attack perpetrated by APT10 exploited Cloud-hosted web, email, and active directory access managed by Managed Internet Services Providers (initial victims) in order to gain access to target victims.

The attackers’ vector involved compromising accounts and escalating privileges in cloud-hosted services to gain access to target victims – diplomatic, political, and commercial organizations (in defense and aerospace industries) – who then had sensitive information stolen. APT10 is believed to be a Chinese state-sponsored group.

We learned that attack vectors may exploit the service supply chain to access a subset of target victims – who may be chosen based on the economic and political interests of a nation-state, eager to steal valuable information for the purposes of espionage.

Action: act on what you know, monitor what you don’t. 

1. Stay up to date with information as it evolves. 

Read the latest intel while being mindful that information about intent, impact, and target victims will change over time.

Follow CISA’s high-level guidance on the 3CX hack here. You can also learn more in ReversingLabs’ snapshot of the known and unknown facts. Zoom out with Huntress’ blog post on the broader meaning of the 3CX hack before diving into the details in their more technical post here.

2. Focus on who is impacted and why they are targeted, and relate it to your business.

Focusing only on tools and telemetry (the technical details of how specific utilities are exploited) misses the risk comprehension you need to communicate with company leadership and take effective action for your organization.

Investigate why your organization might be targeted based on intelligence regarding known victims and the impacts they are facing. Assess probability and impact according to the functions of your business involving the affected technology and take defensive measures accordingly.

3. Implement defenses according to the functional needs of your organization.

Utilize MFA + MDR + DLP to challenge access and interrupt malicious activities. More broadly, assess your understanding of the types of incidents your organization faces and its overall reliance on technical infrastructure, tools and service providers. Adapt your incident response plans and policies accordingly.

Note: 3CX initially recommended uninstalling the 3CX desktop client, but released a new build of their software on April 6th, 2023; however, they recommend using their native web app.

Thanks for reading our Forgepoint TIPS! Please subscribe and share with a peer. Have feedback or a cyber threat or trend you’d like us to address? Get in touch.


***This blog was originally featured on our Forgepoint TIPS LinkedIn newsletter. Read the original post on LinkedIn here.***

You may also enjoy: