An investigation into last month’s 3CX supply chain attack discovered that it was caused by another supply chain compromise where suspected North Korean attackers breached the site of stock trading automation company Trading Technologies to push trojanized software builds.
“We suspect there are a number of organizations that don’t yet know they are compromised,” Mandiant Consulting CTO Charles Carmakal told BleepingComputer.
“We’re hopeful that once we get this information out, it’ll help accelerate the process for companies to determine that they’re compromised and contain their incidents.”
The malicious installer for Trading Technologies’ X_TRADER software, downloaded and installed on an employee’s personal computer, deployed the multi-stage modular backdoor VEILEDSIGNAL designed to execute shellcode, inject a communication module into Chrome, Firefox, or Edge processes, and terminate itself.
According to Mandiant, the cybersecurity firm that helped 3CX investigate the incident, the threat group (tracked as UNC4736) behind the attack stole corporate credentials from the employee’s device and used them to move laterally through 3CX’s network, eventually breaching both the Windows and macOS build environments.
“On the Windows build environment the attacker deployed the TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges,” Mandiant said.
“The macOS build server was compromised with POOLRAT backdoor using LaunchDaemons as a persistence mechanism.”
The malware achieved persistence through DLL side-loading via legitimate Microsoft Windows binaries, which made it harder to detect.
It also automatically loaded during start-up, granting attackers remote access to all compromised devices over the internet.
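The macOS side of the intrusion persisted through LaunchDaemons, and the article stresses that both the Windows and macOS implants were wired to start automatically at boot. A defender's first pass over a suspected host is to enumerate those persistence entries and flag the ones that launch a program from somewhere a system daemon normally would not. The following script is an added example, not code from the article, Mandiant or 3CX: it parses LaunchDaemon plists with Python's standard `plistlib`, flags any daemon whose executable lives outside an assumed set of trusted prefixes (or that names no program at all), and records whether the entry is shaped to start at boot and stay resident. The three sample plists are constructed for the example and the trusted-prefix list is an assumption to tune per fleet.

```python
"""Triage macOS LaunchDaemon plists for boot-time persistence that runs a
program from an unexpected location.

Added example for illustration; not taken from the article or from any
vendor report. The sample plists below are constructed, not real artefacts."""
from __future__ import annotations

import plistlib
from pathlib import PurePosixPath

# Directories a stock macOS system daemon is normally launched from.
# This list is an assumption for the example; adjust it for your fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_path(plist: dict) -> str | None:
    """Return the executable a launchd job runs: launchd accepts either a
    'Program' key or the first element of 'ProgramArguments'."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def is_trusted(path: str) -> bool:
    """True when the path is absolute and under one of the trusted prefixes."""
    p = PurePosixPath(path)
    return p.is_absolute() and str(p).startswith(TRUSTED_PREFIXES)


def triage(name: str, raw: bytes) -> dict:
    """Parse one plist and decide whether it merits analyst attention."""
    plist = plistlib.loads(raw)
    prog = program_path(plist)
    reasons = []
    if prog is None:
        reasons.append("no program specified")
    elif not is_trusted(prog):
        reasons.append(f"program outside trusted prefixes: {prog}")
    # RunAtLoad plus KeepAlive is the 'start at boot and stay resident' shape;
    # recorded as context rather than as a finding, since many legitimate
    # daemons use it too.
    boot_persistent = bool(plist.get("RunAtLoad")) and bool(plist.get("KeepAlive"))
    return {
        "name": name,
        "label": plist.get("Label"),
        "program": prog,
        "boot_persistent": boot_persistent,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def find_suspicious(plists: dict[str, bytes]) -> list[str]:
    """Return the file names of daemons that need a look, sorted for stable output."""
    return sorted(name for name, raw in plists.items() if triage(name, raw)["suspicious"])


# Constructed sample plists keyed by file name, standing in for the contents
# of /Library/LaunchDaemons on a host under triage.
_HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
           b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
           b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n')
SAMPLE_PLISTS = {
    # A benign-looking system daemon running from /usr/libexec.
    "com.apple.example.plist": _HEADER + b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # A daemon that starts at boot, stays alive, and runs from a hidden
    # directory under /Users/Shared: the shape worth pulling for analysis.
    "com.example.updater.plist": _HEADER + b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.cache/updater</string><string>--silent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    # A malformed entry with no program at all; flagged so it is not ignored.
    "com.example.noprog.plist": _HEADER + b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.noprog</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}


if __name__ == "__main__":
    for fname in find_suspicious(SAMPLE_PLISTS):
        result = triage(fname, SAMPLE_PLISTS[fname])
        print(fname, result["program"], result["reasons"], "boot_persistent=%s" % result["boot_persistent"])
```

On a real host, replace `SAMPLE_PLISTS` with the bytes of each file under `/Library/LaunchDaemons` and `/Library/LaunchAgents`; the trusted-prefix check is deliberately strict, so third-party daemons you know to be legitimate will surface and can be added to an allowlist rather than silently skipped.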
UNC4736 double supply chain attack (Mandiant)
Links to Operation AppleJeus
Mandiant says UNC4736 is related to the financially motivated North Korean Lazarus Group behind Operation AppleJeus [1, 2, 3], which was also linked by Google’s Threat Analysis Group (TAG) to the compromise of the www.tradingtechnologies[.]com website in a report from March 2022.
Based on infrastructure overlap, the cybersecurity firm also linked UNC4736 with two clusters of suspected APT43 malicious activity, tracked as UNC3782 and UNC4469.
“We determined UNC4736 is linked to the same North Korean operators based on the Trojanized X_TRADER app, distributed via the same compromised site mentioned in the TAG blog,” Fred Plan, Mandiant Principal Analyst for Google Cloud, told BleepingComputer.
“This, combined with similarities in TTPs, and overlap on other infrastructure, gives us moderate confidence that these operators are tied together.”
The 3CX supply-chain attack
On March 29, 3CX acknowledged that its Electron-based desktop client, 3CXDesktopApp, had been compromised to distribute malware, one day after news of a supply chain attack surfaced.
It took 3CX more than a week to react to customer reports that its software had been identified as malicious by several cybersecurity companies, including CrowdStrike, ESET, Palo Alto Networks, SentinelOne, and SonicWall.
Nick Galea, the company’s CEO, also said after the attack’s disclosure that an ffmpeg binary used by the 3CX desktop client may have been the initial intrusion vector. However, FFmpeg denied Galea’s allegations, saying that it only provides source code, which has not been compromised.
3CX advised customers to uninstall its Electron desktop client from all Windows and macOS devices (a mass-uninstall script can be found here) and immediately switch to the progressive web application (PWA) Web Client App, which provides similar features.
In response to 3CX’s disclosure, a team of security researchers created a web-based tool to assist the company’s customers in determining whether their IP address was potentially impacted by the March 2023 supply chain attack.
According to the company’s official website, the 3CX Phone System has over 12 million daily users and is utilized by more than 600,000 businesses globally, including high-profile organizations and companies like American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service, and multiple automakers.
“The identified software supply chain compromise is the first we are aware of which has led to an additional software supply chain compromise,” Mandiant said.
“It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”
Update: Added link to 3CX incident update.
- tmontney – 2 days ago
“The malicious installer for Trading Technologies’ X_TRADER software, downloaded and installed on an employee’s personal computer…”
I can’t find anything in the Mandiant report that states it was from the employee’s personal machine. I take the above to indicate 3CX allows employees to access work resources from personally-owned (unaffiliated) machines.
Regardless, this still underlines the importance of not mixing work and play. More specifically, that environments should enforce AppLocker/WDAC (or similar).
- serghei – 2 days ago
That info is from an incident update published by 3CX earlier today. Added a link to their blog post.
- johnlsenchak – 2 days ago
North Korea has about 1024 IP numbers with limited technology and fiber bandwidth from a China network. I just don’t see how such a backwards country like North Korea could do something like this.
- LIstrong – 12 hours ago
3CX is in Cyprus and Russia. Another site says LinkedIn is involved. Is LinkedIn Connector – OAuth the vector? The U.S. Gov and other countries ban it, so why does it default to enabled in O365 (Word/Options)? They’re using Connector to hoover data to feed AI for their security app, but it doesn’t work. Don’t tell the US Gov or Wall St, who are spending fervently on AI BS. Then again the DoD finally put a stop to an ongoing software project that they’ve already spent $10B on and it doesn’t work. So it’s no wonder they aren’t protecting us from this. But the economy cannot sustain these constant attacks.
Is the grid about to get attacked because our Gov and Big tech have no self control? Mandiant is owned by Google.
When non-technical people make technical decisions chaos ensues.
- Krisjohn – 2 days ago
I think we need to get “supply chain” out of the discussion. A random software download included malware that was used to steal credentials, access a development environment and embed more malware in a company’s software.
Initially calling it a supply chain attack was somewhat disingenuous at best and deliberately misleading at worst. A supply chain attack was literally the best case scenario at the time and it’s now doubtful that describing it that way was justified. It was a PR stunt, that mostly worked. My boss was like “whew, we can just wait until they’ve recompiled their app from different dependencies and it’ll be fine, since their environment wasn’t compromised”. Except their environment WAS compromised, so now what?
- LIstrong – 12 hours ago
Not a PR stunt. It’s foreshadowing.