A Double Supply Chain Attack and The Importance of TPRM

Third-party risk management (TPRM) is a critical aspect of cybersecurity due to the increasing interdependencies and complexities in today’s global, interconnected networks and systems. TPRM’s importance is most acutely evident when considering the risks associated with supply chain attacks on companies, which continue to grow in number and damage.

The most glaring recent example of the complexity of supply chain risks and the importance of TPRM came in the form of a double supply chain attack in 2023. This article takes a look at what a double supply chain attack is and offers some pointers to strengthen TPRM for your company.

What is a Double Supply Chain Attack?

A double supply chain attack is one in which a first supply chain compromise is used to stage a second one: the attacker breaches vendor A, uses that foothold to reach vendor B, and then abuses vendor B's own distribution channel. The cascade makes the origin of the breach harder to trace, and each additional hop multiplies the number of downstream organizations that receive the malicious software. The ability to stack a supply chain attack into multiple layers shows how much patience and creativity today's most advanced threat groups are prepared to invest.

A brief reminder: a supply chain attack happens when someone infiltrates your system or network through an outside partner or provider that has access to your systems and data. The most common form is a software supply chain attack, which distributes malware to many organizations at once by compromising a third-party vendor's source code, build process, or other software components. Every company that relies on the compromised code can be affected simply by installing a routine update.

Supply chain attacks tend to be high-risk cybersecurity incidents for three reasons:

  1. Broad Reach: A single attack can affect multiple companies, all using the compromised software/hardware or relying on the same infrastructure. This broad reach often means a widespread compromise of data and systems.
  2. Difficult to Detect: Modern supply chains are complex and predicated on trusting the other parties that link together in the chain. Companies generally configure their security controls to trust updates and software from approved vendors, and a build pipeline that has been compromised produces updates that still carry the vendor's valid signature, so these attacks are typically identified only after the fact.
  3. High Impact: Supply chain attacks often come with severe consequences, such as theft of large volumes of sensitive data, disruption of critical systems, and damage to the trusted relationship between businesses and their vendors and suppliers.
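The "Difficult to Detect" point above comes down to a policy choice: if an update is accepted because it is signed by an approved vendor, a compromised vendor build pipeline walks straight through. The following is an added example (not code from the article or from any vendor it mentions) of a small deployment gate that treats a valid signature as necessary but not sufficient, and instead pins each reviewed release to an independently recorded SHA-256. Product names, version strings, the ledger layout and the sample installer bytes are all constructed for illustration.

```python
"""Added example: gate third-party updates on an internal hash ledger.

Design rule demonstrated here: a valid vendor signature never, on its own,
promotes an artifact past HOLD, because a compromised build environment
emits correctly signed output. Only an out-of-band review pins a release.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"  # bytes match a release the security team reviewed and pinned
    HOLD = "hold"    # version never reviewed: park it for analysis before rollout
    BLOCK = "block"  # signature invalid, or a pinned version arrived with different bytes


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed ledger: (product, version) -> SHA-256 recorded at review time.
# The bytes are made up for this example; they are not real installer hashes.
REVIEWED_V1 = b"constructed sample installer bytes, version 1.0.0"
LEDGER = {
    ("examplevoip-desktop", "1.0.0"): sha256_hex(REVIEWED_V1),
}


def evaluate_update(product: str, version: str, data: bytes,
                    signature_valid: bool, ledger=LEDGER) -> Decision:
    """Decide whether a downloaded update may be deployed.

    `signature_valid` is the result of the platform's code-signing check
    (Authenticode, notarization, etc.), performed elsewhere. It is an input
    to this gate, not a substitute for it.
    """
    digest = sha256_hex(data)
    if not signature_valid:
        return Decision(Verdict.BLOCK, "vendor signature invalid or missing")
    pinned = ledger.get((product, version))
    if pinned is None:
        # New release: signed, but nobody has looked at it yet.
        return Decision(Verdict.HOLD, f"unreviewed version {version}; sha256={digest}")
    if pinned != digest:
        # Same version string, different bytes: the strongest single signal
        # that an artifact was rebuilt or replaced after review.
        return Decision(Verdict.BLOCK,
                        f"version {version} pinned to {pinned[:12]}..., received {digest[:12]}...")
    return Decision(Verdict.ALLOW, "matches reviewed artifact")


def pin_after_review(ledger: dict, product: str, version: str, data: bytes) -> str:
    """Record a release once it has passed out-of-band review.

    Refuses to overwrite: a released version must never change bytes. If a
    vendor re-issues a version, it goes through review under a new entry.
    """
    key = (product, version)
    if key in ledger:
        raise ValueError(f"{key} is already pinned; refusing to overwrite")
    ledger[key] = sha256_hex(data)
    return ledger[key]


if __name__ == "__main__":
    cases = [
        ("reviewed release", "1.0.0", REVIEWED_V1, True),
        ("same version, altered bytes", "1.0.0", b"trojanized build", True),
        ("never-seen release", "1.0.1", b"new release", True),
        ("unsigned", "1.0.0", REVIEWED_V1, False),
    ]
    for label, ver, blob, sig_ok in cases:
        d = evaluate_update("examplevoip-desktop", ver, blob, sig_ok)
        print(f"{label:30s} -> {d.verdict.value:5s} ({d.reason})")
```

In practice the ledger lives somewhere the vendor cannot write to (an internal artifact repository or a signed allowlist), the HOLD verdict feeds a sandbox or malware analysis queue, and the BLOCK verdict should page someone, since a known version arriving with different bytes is exactly what a tampered build looks like.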

A double supply chain attack ticks all three boxes, and more comprehensively than a single-stage supply chain attack. Chaining intrusions broadens the reach, because the victims of the second compromise are typically far more numerous than those of the first. The multiple layers make detection harder, since the organization being attacked at each stage sees only an apparently legitimate third party. And the impact is amplified when responders cannot trace the intrusion back to its true origin.

A Brief Overview of the 3CX Incident

While nobody ever said a double supply chain attack wasn't possible, it remained largely theoretical until a highly publicized breach of VoIP provider 3CX. According to 3CX's website, over 600,000 customers use its software to help their businesses connect and collaborate. A customer base of that size is the seed of a damaging supply chain attack.

But what made the March 2023 attack so interesting was not merely the widespread use of 3CX at companies in various sectors. The uniqueness came in the form of a double software supply chain attack carried out by a North Korean nation-state threat group.

The incident hit many companies that rely on 3CX's software, including several critical infrastructure operators. It all started with a completely separate product: X_TRADER, a financial trading software package developed by Trading Technologies. Attackers trojanized an X_TRADER installer, and a 3CX employee downloaded and installed that malicious version on their computer.

It remains unclear why a 3CX employee installed a trading app on their device; perhaps it was a classic case of shadow IT, or merely a personal interest in trading. Either way, this first stage of the double supply chain attack ended with the employee's corporate credentials being stolen.

The most damaging part came when the attackers chained this intrusion into a compromise of 3CX's own development environment. Using the stolen credentials to gain access to the 3CX network, they moved laterally and eventually compromised the Windows and macOS build environments for 3CX's software. Because the build pipeline itself was under their control, the trojanized installers carried 3CX's own valid code-signing signature, so a signature check alone would not have flagged them. The malicious version of the 3CX desktop app then went out through the normal release channel to every customer and user that installed it.

Improving TPRM

The 3CX attack highlights the need for businesses to refine and strengthen their approaches to managing third-party risks. It might seem like this incident was a one-off fluke, but that’s a risky attitude to take. Here are some pointers for improving TPRM:

  • Risk Assessment: Conduct thorough risk assessments of all third parties to understand their potential risks to your systems and data. This should include assessing their security controls, processes and history of security incidents.
  • Regular Audits: Perform regular audits of third parties to ensure they maintain adequate security standards and comply with your organization’s security policies.
  • Shadow IT Discovery: Use surveys and discovery tools to uncover unsanctioned apps your employees use. These apps are a potential security hazard precisely because you have never vetted them.
  • Clear Contracts: Ensure contracts with third parties clearly define security expectations, roles and responsibilities. Include provisions for audit rights, incident response and breach notification.
  • Security Standards: Require third parties to comply with recognized security standards and best practices, such as ISO 27001 or the NIST Cybersecurity Framework.
  • Cybersecurity Insurance: Consider requiring third parties to have cyber insurance that can cover your losses in case of a security incident.
  • Streamline Security Operations: Incidents like 3CX highlight the need for advanced threat intelligence, continuous monitoring and a robust response plan. Look to managed services if you lack the resources or expertise for 24/7 detection and response.
