Type
Incident
Actors
SmoothOperator
Pub. date
March 29, 2023
Initial access
Unknown
Impact
Supply chain attack
References
https://zetter.substack.com/p/updates-and-timeline-for-3cx-andhttps://zetter.substack.com/p/software-maker-3cx-was-compromisedhttps://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/https://www.wired.com/story/3cx-supply-chain-attack-north-korea-cryptocurrency-targets/https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/https://www.3cx.com/blog/news/security-incident-updates/https://www.bleepingcomputer.com/news/security/cryptocurrency-companies-backdoored-in-3cx-supply-chain-attack/
Status
Featured
Last edited
Jun 2, 2024 11:58 AM
In March 2023, a North Korean threat actor (dubbed “SmoothOperator”) gained access to 3CX (VoIP vendor) and inserted a backdoor into their desktop product, which was used for targeting some of their customers - primarily crypto companies. Researchers later discovered 3CX themselves were infected via a supply chain attack on another company called Trading Technologies that occurred in November 2021.
Takeaways
- For end-users – prefer web apps to desktop apps (wherever feasible)
- For vendors – enforce app allowlisting on endpoints (wherever feasible)
