The compromise that led to the supply chain attack leveraging the 3CX desktop app was actually another supply chain compromise, according to cybersecurity forensics firm Mandiant.
The Google-owned company published a blog detailing the supply chain compromise that affected the 3CX desktop app, which was allegedly perpetrated by a North Korean entity. However, the 3CX compromise was made possible via malicious software that was downloaded from Trading Technologies, a provider of futures trading software.
According to the company, the culprit was a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package from Trading Technologies.
The download of that software led to the deployment of a malicious modular backdoor that Mandiant calls VEILEDSIGNAL. The X_TRADER platform was discontinued in 2020, but it was still available for download from the Trading Technologies website in 2022, Mandiant says.
In a blog, 3CX acknowledged that an employee downloaded the malicious Trading Technologies package to their personal computer. With the VEILEDSIGNAL backdoor installed, the threat actor was able to maintain persistence on the employee’s personal machine.
From there, the employee’s corporate credentials were stolen and used to access the corporate VPN just two days after the initial compromise of the employee’s personal computer.
According to Mandiant and 3CX, the threat actor used the Fast Reverse Proxy tool to move laterally within the 3CX environment, eventually compromising both the Windows and macOS build environments using additional malware deployments.
In response to the attacks, 3CX developed a seven-step security action plan that includes:
- Hardening multiple layers of network security
- Revamping build security
- Product security reviews with Mandiant
- Enhancing product security features
- Ongoing penetration testing
- Refining crisis management and alert handling plans
- Establishing a new department for network operations and security
The compromise of 3CX was first disclosed in late March, with malicious activity involving the company’s desktop app including communicating with hacker-controlled infrastructure, deployment of second-stage payloads and some hands-on-keyboard activities.
Researchers say those payloads were used to download a third-stage information stealer that allowed attackers to collect information from popular web browsers such as Google Chrome, Microsoft Edge, brace and Mozilla Firefox.
According to Mandiant, this type of “cascading software supply chain compromise” such as this can be potentially devastating and reach a large number of victims.
“The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise,” the firm says. “It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”
