3CX: a “mise en abyme” supply chain attack?

Botconf 2024
Wednesday
2024-04-24 | 11:00 – 11:40

Victorien Fragne 🗣 | Godefroy Galas 🗣

This talk will look back on the 3CX supply chain attack campaign, which occurred in March and early April 2023 and used the 3CX VoIP software to achieve one of the biggest supply chain attacks since SolarWinds.
Attributed in open source to the “North Korea-Nexus” intrusion set LABYRINTH CHOLLIMA (a cluster of the well-known Lazarus group), this attack campaign had the potential to cause significant damage, since the 3CX software is used by around 600,000 corporate customers (including the NHS, PwC and IKEA) and counts roughly 12 million users per day.
After a detailed description of the underlying infection chain, the presentation will focus on explaining the code and infrastructure links between this campaign and the intrusion set LABYRINTH CHOLLIMA, and on summarising the actions taken by the Agency to contain it.

