AS2 - 3CX Desktop

3CX is a VoIP software company with more than 600000 customers. In April 2023, the company was subject to an attack that infected its 3CX desktop software with malware. The attack is suspected to be a nation-state operation carried out by North Korea. It was facilitated by first compromising the supply chain of a trading software company, Trading Technologies.

Techniques:

Impact

T0191 - Malicious Code In Artifacts

The attackers trojanized the software X_TRADER. The software was digitally signed by "Trading Technologies", which strongly suggests that the firm's supply chain was breached.
T0191 page

Initial Access

T0153 - Compromised Developer Workstation

A 3CX employee's desktop was infected with the trojanized X_TRADER software. There is evidence that the vendor site was compromised and infected with an exploit kit that distributed the trojanized software.
T0153 page

T0113 - Compromised User Account

Attackers harvested user credentials from the infected machines.
T0113 page

T0137 - Weak Authentication Methods

Attackers connected to the company VPN using the harvested credentials, as second-factor authentication was not enabled.
T0137 page

Defense Evasion

T0176 - Misconfigured Security Measures

The EDR (if one existed) did not detect the malware on the desktop. The build system was not hardened at the network or application level. Code scanning tools either did not exist, were not configured correctly, or nobody reviewed their results.
T0176 page

T0146 - Misconfigured Audit Logs Settings

Access to the build system, and changes to it and its contents, should have been logged and alerted upon.
T0146 page

Credential Access

T0184 - Harvesting Sensitive Information From Files

3CX used to store the application password on the file system unencrypted and unhashed. It is not clear whether this was used as part of this attack, but 3CX has since released a new client that resolves the issue.
T0184 page

Lateral Movement

T0131 - Overprivileged User Account

The compromised user had access to the entire network and the build system.
T0131 page
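The three gaps described under T0137, T0146 and T0131 (VPN logons without a second factor, unlogged build-system changes, and an interactive user account able to write build artifacts) are the kind of thing a simple audit-log check catches early. The following is an added example, not part of this page or of 3CX's tooling; the log format, the svc-ci allowlist and the protected paths are assumptions, and the log lines are constructed.

```python
import re
from typing import Dict, List

# Assumption: only the CI service account may write release artifacts.
BUILD_SERVICE_ACCOUNTS = {"svc-ci"}
# Assumption: directory trees on the build server that hold shippable output.
PROTECTED_PREFIXES = ("/build/", "/release/")

# Constructed line shape: "<timestamp> <vpn|build> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>vpn|build) (?P<kv>.*)$")


def parse(line: str) -> Dict[str, str]:
    """Turn one audit line into a dict of its key=value fields plus ts/src."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields.update(ts=m.group("ts"), src=m.group("src"))
    return fields


def audit(lines: List[str]) -> List[dict]:
    """Flag VPN logons without MFA and artifact writes by non-CI accounts."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev["src"] == "vpn" and ev.get("mfa") != "yes":
            findings.append({"rule": "vpn-without-mfa", "user": ev["user"], "ts": ev["ts"]})
        elif (ev["src"] == "build" and ev.get("action") == "write"
              and ev["path"].startswith(PROTECTED_PREFIXES)
              and ev["user"] not in BUILD_SERVICE_ACCOUNTS):
            findings.append({"rule": "artifact-write-by-user-account",
                             "user": ev["user"], "path": ev["path"], "ts": ev["ts"]})
    return findings


# Constructed sample: one user account logs on without MFA and then writes an
# installer into the build tree; the CI account and a read-only user are benign.
SAMPLE_LOG = [
    "2023-03-01T10:00:00Z vpn user=jdoe src=203.0.113.5 mfa=no",
    "2023-03-01T10:05:00Z build user=jdoe action=write path=/build/3cxdesktop/installer.msi",
    "2023-03-01T10:06:00Z build user=svc-ci action=write path=/build/3cxdesktop/app.exe",
    "2023-03-01T11:00:00Z vpn user=asmith src=198.51.100.7 mfa=yes",
    "2023-03-01T11:01:00Z build user=asmith action=read path=/build/3cxdesktop/app.exe",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

In a real deployment the allowlist would come from the CI system's identity and the log lines from the VPN concentrator and the build host's file-audit subsystem; the point is that both signals existed in principle and neither was being alerted on.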

Impact

T0191 - Malicious Code In Artifacts

The attacker infected the 3CX software with a backdoor.
T0191 page
