It’s April, designated National Supply Chain Integrity month by CISA, NCSC, ONCD and Department of Defense, to promote resources, tools, and information to help organizations and agencies secure their supply chains and build resilience. But what role does blockchain play in supply chain and how easy is it to implement? Blockchain technology has numerous potential applications in supply chain due to its ability to provide a secure, transparent, and tamper-proof ledger of transactions.

This week kicks off the 6th annual National Supply Chain Integrity Month, an initiative started by CISA and other government agencies to highlight the importance of securing our nation’s most critical systems. This year’s theme, “Supply Chain Risk Management (SCRM) – The Recipe for Resilience,” is meant to encourage all stakeholders to apply a comprehensive approach in their efforts to strengthen cyber defenses.

On March 29, researchers from two security companies identified an active campaign originating from a modified version of a legitimate, signed application: 3CXDesktopApp, a popular voice and video conferencing software. 3CXDesktopApp is developed by 3CX, a business communications software company. According to its website, 3CX has 600,000 client organizations and 12 million daily users.

SolarWinds has become almost a household name and for all the wrong reasons: beginning in 2019, the system management company was the target of one of the largest software supply chain attacks in history. Software supply chain attacks are especially insidious because they target organizations by going after their third-party vendors or suppliers of software, hardware, or services at any stage of the development lifecycle. The goal is to gain access, conduct espionage, and enable sabotage.

Another supply chain attack requires an urgent response from security teams.

Threat groups intending to cause widespread damage often opt to use a supply chain attack, as seen in the massive supply chain compromise that struck VOIP software provider 3CX on March 29. Trustwave SpiderLabs has issued a blog detailing the attack and upcoming steps to mitigate the problem. Striking an organization's supply chain simplifies the attack process by eliminating the need to strike multiple targets by instead focusing on breaching one organization that is key to many others.

According to reporting by several cybersecurity publications the 3CX Desktop Application has been exploited in a supply chain attack. The 3CX client is a popular VOIP and messaging application used by over 600,000 companies. From the article on Bleeping computer This supply chain attack, dubbed ‘SmoothOperator’ by SentinelOne, starts when the MSI installer is downloaded from 3CX’s website or an update is pushed to an already installed desktop application.

Supply chain attacks are one of the top concerns for any organization as they exploit (no pun intended) the inherited trust between organizations. Recent examples of similar attacks include SolarWinds and Kaseya. On March 29th, a new supply chain attack was identified targeting 3CX, a VoIP IPXS developer, with North Korean nation-state actors as the likely perpetrators.

On March 29, a massive supply chain compromise in 3CX software resulted in malware being installed globally across multiple industries. It is similar to the other high-profile supply chain attacks (like SolarWinds and Kaseya) in that rather than targeting a single organization, the criminals target a popular service or software provided to many large organizations. With one single compromise of the supplier, dozens and potentially hundreds of organizations may fall in turn.