The security firm Mandiant released a report on Wednesday that traced the breach at 3CX back to yet another supply chain-compromised application, X-Trader, a derivatives trading software application manufactured by the firm Trading Technologies.
The report by Mandiant Consulting, which 3CX hired to help it investigate the supply chain hack, said that its researchers identified an installer with the filename X_TRADER_r7.17.90p608.exe as the application that led to the deployment of the malicious modular backdoor on the personal computer of a 3CX employee. Mandiant identified the backdoor as an application called “VEILEDSIGNAL.”
That backdoor gave the attackers, which Mandiant identified as the North Korean advanced persistent threat (APT) group UNC4736, access to the employee’s 3CX administrator credentials, which they used to access the company’s network environment via a virtual private network (VPN) connection and move laterally within the company’s environment.
Here's a full run-down of what we know about the 3CX attack to date — a first in what Mandiant called a "cascading software supply chain compromise."
[ See special report: The Evolution of App Sec | Get eBook: Why Traditional App Sec Testing Fails on Supply Chain Security ]
Attack traced back to employee laptop compromise
3CX said in a blog post that the earliest evidence of the compromise uncovered within the 3CX corporate environment occurred through that VPN using the employee's corporate credentials two days after the employee's personal computer was compromised using the X_TRADER application.
The UNC4736 group compromised both 3CX’s Windows and macOS build environments. The company disclosed that the group deployed the TAXHAUL launcher and COLDCAT downloader in the Windows build environment, which persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges. 3CX said the macOS build server was compromised using a POOLRAT backdoor using LaunchDaemons as a persistence mechanism.
3CX and X_Trader: Lots of similarities
In its report, Mandiant noted many similarities between the compromised X_TRADER and 3CXDesktopApp applications, suggesting a link between the attacks. Both compromised applications contain, extract, and run a payload similarly, although the final payload is different.
Mandiant found other similarities, including the use of SIGFLIP and the same RC4 key 3jB(2bsG#@c7 in the SIGFLIP tool configuration to encrypt and decrypt the payload. (We explained the function of that key in this blog analysis of the 3CX attack.)
Both compromises also relied on DAVESHELL, using the hardcoded cookie variable __tutma in the payloads and encrypting data with AES-256 GCM cipher, Mandiant wrote.
Supply chain attacks: No supplier necessary
Mandiant’s account of the event raises some interesting questions about the 3CX compromise, many of which lack easy answers. As the cybersecurity reporter Kim Zetter writes on her blog, the compromise of Trading Technologies was well known before the 3CX compromise took place.
Google disclosed in March 2022, that the company’s website had been compromised by North Korean state actors who planted an exploit on the site that infected those who visited it. That was followed months later by a supply chain compromise linked to versions of the company’s X_Trader program, which had been discontinued in 2020, but was still available for download from the company’s website.
For its part, Trading Technologies disputed the characterization of the hack as a “supply chain compromise,” arguing that it was never a software supplier to 3CX and that there was no reason that a 3CX employee would have to download the X_TRADER application in the first place.
The company also had few answers for why a long-discontinued application could be rebuilt, signed, and distributed from the Trading Technologies website without the company noticing that something was amiss. A company representative also threw cold water on the possibility that it would help to get to the bottom of the compromise.
The company had “literally turned off everything that was running it” and could not easily go back and reconstruct what happened. “It’s an extreme challenge to us,” the Trading Technologies spokesperson said.
The first double supply chain attack is born
Mandiant said the incident was the first it is aware of in which there was a “cascading software supply chain compromise” in which the hack of one software provider sets up the hack of a different software vendor:
"The incident shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation."
Among questions that still need to be asked are whether other companies were victims of this attack in addition to 3CX. The X_TRADER application was a “niche” tool used in the derivatives trading market and had reached its end of life. In theory, few Trading Technologies customers should have been using it. But it is unclear whether the UNC4736 hackers were able to compromise other Trading Technologies platforms, or whether the group has found success compromising other application providers.
Also unanswered is why a 3CX employee downloaded and installed a compromised, discontinued derivatives trading application that did not have a retail trading component. One possibility is that the administrator’s system was compromised by other means and the download of the X_TRADER application was performed by a remote attacker rather than the device owner.
3CX has not commented on the circumstances surrounding the download of the X_TRADER application but said it is “wind(ing) down” its incident investigation and has strengthened its policies, practices, and technology to “further protect against future attacks.” The company also announced a “7 Step Security Action Plan” that includes increased use of static and dynamic code analysis and the addition of “code signing and monitoring solutions” that can help to “ensure that our software is not modified.”
A troubling call to action on supply chain security
The latest twists in the tale of the 3CX attack are likely to heighten interest in software supply chain security — and increase scrutiny on software development orgainzations. As ReversingLabs reverse engineer Karlo Zanki said in our initial analysis of the 3CX incident: The company missed clear signs of tampering with its 3CXDesktopApp.
Mandiant’s revelations raise troubling questions about Trading Technologies management of its X_TRADER application which, even though discontinued, was still available from the company’s website and appears to have been modified to add malicious code without the company being aware of it.