<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>3CX on Tarragon</title><link>https://tarrragon.github.io/blog/tags/3cx/</link><description>Recent content in 3CX on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Thu, 30 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/3cx/index.xml" rel="self" type="application/rss+xml"/><item><title>3CX 2023: Supply-Chain Artifact Pressure</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/3cx-2023-supply-chain-artifact-pressure/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/3cx-2023-supply-chain-artifact-pressure/</guid><description>&lt;p>This case supplies the pressure material for supply-chain artifacts. The 3CX 2023 incident shows how third-party software, an employee endpoint, the build system and the artifact customers download chain into a single supply-chain pressure: a trojanized third-party installer on one employee endpoint gave the attacker a path into the build environment, and that build environment produced the trojanized desktop app customers then downloaded.&lt;/p></description><content:encoded><![CDATA[<p>This case supplies the pressure material for supply-chain artifacts. The 3CX 2023 incident shows how third-party software, an employee endpoint, the build system and the artifact customers download chain into a single supply-chain pressure: a trojanized third-party installer on one employee endpoint gave the attacker a path into the build environment, and that build environment produced the trojanized desktop app customers then downloaded.</p>
<h2 id="來源">Sources</h2>
<table>
  <thead>
      <tr>
          <th>Source</th>
          <th>Citable scope</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise">Mandiant: 3CX software supply chain compromise</a></td>
          <td>the supply-chain chain of compromise, initial compromise, the trojanized desktop app, UNC4736</td>
      </tr>
      <tr>
          <td><a href="https://www.3cx.com/blog/news/mandiant-security-update2/">3CX: Initial intrusion vector found</a></td>
          <td>the X_TRADER initial intrusion, VEILEDSIGNAL, IOCs and the vendor update</td>
      </tr>
      <tr>
          <td><a href="https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp">CISA: Supply Chain Attack Against 3CXDesktopApp</a></td>
          <td>user guidance, IOC hunting, vendor communications</td>
      </tr>
  </tbody>
</table>
<h2 id="defender-pressure">Defender Pressure</h2>
<table>
  <thead>
      <tr>
          <th>Pressure</th>
          <th>What it asks of the service</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Artifact trust pressure</td>
          <td>The legitimate app that customers download needs verifiable provenance</td>
      </tr>
      <tr>
          <td>Build environment pressure</td>
          <td>The build system must be isolated from the risk of a compromised endpoint</td>
      </tr>
      <tr>
          <td>Customer response pressure</td>
          <td>A supply-chain incident needs fast routes for uninstall, hunt and update</td>
      </tr>
      <tr>
          <td>Release gate pressure</td>
          <td>The release process must be able to verify origin, signature and build evidence</td>
      </tr>
  </tbody>
</table>
<h2 id="control-gap">Control Gap</h2>
<p>The control gap comes down to artifact trust having to span endpoints, CI, signing and the publishing flow. When the initial compromise arrives through upstream software, a single release gate is left to make up for origin trust, build isolation and customer communication at once, which is why that gate has to see where the build ran and what it was built from, not just whether the artifact carries a valid signature.</p>
<h2 id="detection-route">Detection Route</h2>
<table>
  <thead>
      <tr>
          <th>Signal</th>
          <th>What it tells you</th>
          <th>Next step</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>artifact hash differs from the expected value</td>
          <td>release integrity</td>
          <td>start release freeze and rollback</td>
      </tr>
      <tr>
          <td>gap in build origin or signature evidence</td>
          <td>provenance gap</td>
          <td>start an <a href="/blog/backend/knowledge-cards/artifact-provenance/" data-link-title="Artifact Provenance" data-link-desc="How an artifact's origin, integrity and signature linkage together establish trust">artifact provenance</a> review</td>
      </tr>
      <tr>
          <td>IOC hit on the customer side</td>
          <td>downstream impact</td>
          <td>start the customer advisory route</td>
      </tr>
  </tbody>
</table>
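<p>The first two rows of the table are gate decisions, not just signals, so here is a worked release gate in Go. It is an added example for this page, not 3CX code and not anything from the Mandiant or CISA write-ups: the provenance schema is a simplified SLSA-style statement, the builder identities (<code>ci://hardened-builder</code>, <code>endpoint://dev-laptop</code>), the source URI and the installer bytes are constructed, and ed25519 stands in for whatever signing the real pipeline uses. It routes a digest mismatch to release freeze and rollback, and every gap in the provenance evidence (no statement, an untrusted builder, a signature that does not verify for the claimed builder, a statement covering another digest or another source) to provenance review. Pinning the builder identity rather than only checking a signature is the point of the build environment pressure row above: once a build host is reachable from a compromised endpoint, a signature produced by that pipeline no longer says where the artifact came from.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

type Decision string // route the gate takes; the names mirror the "next step" column above

const (
	DecisionRelease          Decision = "release"
	DecisionFreezeRollback   Decision = "release freeze + rollback"
	DecisionProvenanceReview Decision = "artifact provenance review"
)

// Provenance is a deliberately simplified, SLSA-style build statement (digest covered, build
// environment, source). Field names are assumptions for this example, not a real schema.
type Provenance struct {
	SubjectSHA256 string `json:"subject_sha256"`
	BuilderID     string `json:"builder_id"`
	SourceURI     string `json:"source_uri"`
}

// GatePolicy pins trusted builders (keys live in isolated CI, never on developer endpoints) and the allowed source.
type GatePolicy struct {
	TrustedBuilders map[string]ed25519.PublicKey
	SourceURI       string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Evaluate runs the checks in the order of the Detection Route table: release integrity first
// (digest vs. manifest), then provenance. statement is a serialized Provenance, sig the builder's signature.
func (p GatePolicy) Evaluate(artifact []byte, manifestSHA256 string, statement, sig []byte) (Decision, string) {
	got := sha256Hex(artifact)
	if got != manifestSHA256 {
		return DecisionFreezeRollback, "artifact digest does not match the release manifest"
	}
	var prov Provenance
	if len(statement) == 0 || json.Unmarshal(statement, &prov) != nil {
		return DecisionProvenanceReview, "no parseable provenance statement attached"
	}
	// BuilderID is read from a not-yet-verified statement only to select a key; the
	// signature check is what establishes who actually produced the statement.
	key, ok := p.TrustedBuilders[prov.BuilderID]
	if !ok {
		return DecisionProvenanceReview, "builder not in trusted set: " + prov.BuilderID
	}
	if !ed25519.Verify(key, statement, sig) {
		return DecisionProvenanceReview, "signature does not verify for builder " + prov.BuilderID
	}
	if prov.SubjectSHA256 != got {
		return DecisionProvenanceReview, "provenance covers a different digest than the artifact"
	}
	if prov.SourceURI != p.SourceURI {
		return DecisionProvenanceReview, "provenance names unexpected source " + prov.SourceURI
	}
	return DecisionRelease, "digest, builder, signature and source are consistent"
}

// attest signs a statement the way a builder would; used here only to construct scenarios.
func attest(priv ed25519.PrivateKey, digest, builder, source string) ([]byte, []byte) {
	stmt, _ := json.Marshal(Provenance{SubjectSHA256: digest, BuilderID: builder, SourceURI: source})
	return stmt, ed25519.Sign(priv, stmt)
}

// RunScenarios feeds five constructed cases through the gate and returns each decision.
func RunScenarios() map[string]Decision {
	ciPub, ciPriv, _ := ed25519.GenerateKey(rand.Reader) // key held by the isolated CI builder
	_, laptopPriv, _ := ed25519.GenerateKey(rand.Reader) // key on a developer endpoint: untrusted
	const ci, laptop, src = "ci://hardened-builder", "endpoint://dev-laptop", "git+https://example.invalid/vendor/desktop-app"
	policy := GatePolicy{TrustedBuilders: map[string]ed25519.PublicKey{ci: ciPub}, SourceURI: src}
	clean := []byte("constructed sample: clean desktop-app installer bytes")
	tampered := []byte("constructed sample: installer with an added payload")
	out := map[string]Decision{}
	// 1. Manifest digest, artifact and CI attestation all agree.
	stmt, sig := attest(ciPriv, sha256Hex(clean), ci, src)
	out["clean build"], _ = policy.Evaluate(clean, sha256Hex(clean), stmt, sig)
	// 2. Artifact swapped after the manifest was published: digest mismatch.
	out["tampered artifact"], _ = policy.Evaluate(tampered, sha256Hex(clean), stmt, sig)
	// 3. Built and attested on a developer endpoint: digest matches, builder is not trusted.
	stmt, sig = attest(laptopPriv, sha256Hex(tampered), laptop, src)
	out["endpoint build"], _ = policy.Evaluate(tampered, sha256Hex(tampered), stmt, sig)
	// 4. Forged statement that names the CI builder but is signed with the endpoint's key.
	stmt, sig = attest(laptopPriv, sha256Hex(tampered), ci, src)
	out["forged builder id"], _ = policy.Evaluate(tampered, sha256Hex(tampered), stmt, sig)
	// 5. Artifact matches the manifest but ships with no attestation at all.
	out["no provenance"], _ = policy.Evaluate(clean, sha256Hex(clean), nil, nil)
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

<p>The gate fails closed: any missing or inconsistent piece of evidence routes to review rather than release, and the builder name inside the statement is only used to choose a verification key, so a forged statement that names the CI builder is rejected on the signature, not on the name. In a real pipeline the same checks would run against an in-toto/DSSE envelope verified with the builder's public key obtained through a trusted distribution channel; the <code>TrustedBuilders</code> map here is that channel's stand-in.</p>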
<h2 id="exercise-hook">Exercise Hook</h2>
<p>This case backs the <a href="/blog/backend/07-security-data-protection/blue-team/materials/scenarios/supply-chain-artifact-drill/" data-link-title="Supply Chain Artifact Drill" data-link-desc="Designs a supply-chain release gate and rollback drill around artifact provenance drift">Supply chain artifact drill</a>. The drill tests whether artifact provenance, release freeze, rollback and customer communication can work together inside one incident.</p>
<h2 id="write-back-target">Write-back Target</h2>
<ul>
<li><a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 Supply-Chain Integrity and Artifact Trust" data-link-desc="Defines build provenance, artifact trust and the delivery-chain risk questions">7.12 Supply-Chain Integrity and Artifact Trust</a></li>
<li><a href="/blog/backend/07-security-data-protection/security-risk-in-release-gate/" data-link-title="7.22 How Security Risk Enters the Release Gate" data-link-desc="Brings security risk, exceptions and verification evidence into the release gate to build auditable release criteria">7.22 How Security Risk Enters the Release Gate</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/detection-lifecycle-pattern/" data-link-title="Detection Lifecycle Pattern" data-link-desc="Defines how detection rules manage their sources, logic, test events, false positives and retirement">Detection lifecycle pattern</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/exercise-write-back-pattern/" data-link-title="Exercise Write-back Pattern" data-link-desc="Defines how tabletops and game days write findings back as control updates, runbook updates and [tripwire](/backend/knowledge-cards/tripwire/)">Exercise write-back pattern</a></li>
</ul>
]]></content:encoded></item></channel></rss>