Security News

Pieces of the 3CX supply chain compromise puzzle are starting to fall into place, though we're still far away from seeing the complete picture. 3CX engaged Mandiant to investigate how their own compromise happened, and they revealed last Thursday that one of 3CX employees downloaded the booby-trapped X TRADER installer, leading to the ultimate deployment of a modular backdoor on their system.

In Brief We thought it was probably the case when the news came out, but now it's been confirmed: The X Trader supply chain attack behind the 3CX compromise last month wasn't confined to the telco developer. For those unfamiliar with the incident, 3CX reported a supply chain attack that saw its 3CX DesktopApp compromised with a trojanized version of the X Trader futures trading app published by Trading Technologies.

The X Trader software supply chain attack that led to last month's 3CX breach has also impacted at least several critical infrastructure organizations in the United States and Europe, according to Symantec's Threat Hunter Team. While the Trading Technologies supply chain compromise is the result of a financially motivated campaign, the breach of multiple critical infrastructure organizations is worrisome, seeing that North Korean-backed hacking groups are also known for cyber espionage.

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors. Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "Software supply chain attack lead to another software supply chain attack."

The supply-chain attack against 3CX last month was caused by an earlier supply-chain compromise of a different software firm - Trading Technologies - according to Mandiant, whose consulting crew was hired by 3CX to help the VoIP biz investigate the intrusion. "This is the first time that we've ever found concrete evidence of a software supply chain attack leading to another software supply chain attack," Mandiant Consulting CTO Charles Carmakal told reporters on Wednesday.

An investigation into last month's 3CX supply chain attack discovered that it was caused by another supply chain compromise where suspected North Korean attackers breached the site of stock trading automation company Trading Technologies to push trojanized software builds. According to Mandiant, the cybersecurity firm that helped 3CX investigate the incident, the threat group used harvested credentials to move laterally through 3CX's network, eventually breaching both the Windows and macOS build environments.

Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus. It's worth noting that cybersecurity firm CrowdStrike has attributed the attack to a Lazarus sub-group dubbed Labyrinth Chollima, citing tactical overlaps.

VoIP communications company 3CX confirmed today that a North Korean hacking group was behind last month's supply chain attack. "Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus," 3CX CISO Pierre Jourdan said today.

According to Etay Maor, Senior Director Security Strategy at Cato Networks, "It's interesting to note critical infrastructure doesn't necessarily have to be power plants or electricity. A nation's monetary system or even a global monetary system can be and should be considered a critical infrastructure as well." Not to mention the infamous Colonial Pipeline attack, which has become the poster child of critical infrastructure attacks.

The adversary behind the supply chain attack targeting 3CX deployed a second-stage implant specifically singling out a small number of cryptocurrency companies. The backdoor's links to North Korea stem from the fact that it "Co-existed on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus," detailing an attack on an unnamed crypto firm located in Southeast Asia in 2020.