An investigation into last month’s 3CX supply chain attack discovered that it was caused by another supply chain compromise where suspected North Korean attackers breached the site of stock trading automation company Trading Technologies to push trojanized software builds.
“We suspect there are a number of organizations that don’t yet know they are compromised,” Mandiant Consulting CTO Charles Carmakal told BleepingComputer.
“We’re hopeful that once we get this information out, it’ll help accelerate the process for companies to determine that they’re compromised and contain their incidents.”
The malicious installer for Trading Technologies’ X_TRADER software, downloaded and installed on an employee’s personal computer, deployed the multi-stage modular backdoor VEILEDSIGNAL designed to execute shellcode, inject a communication module into Chrome, Firefox, or Edge processes, and terminate itself.
According to Mandiant, the cybersecurity firm that helped 3CX investigate the incident, the threat group (tracked as UNC4736) behind the attack stole corporate credentials from the employee’s device and used them to move laterally through 3CX’s network, eventually breaching both the Windows and macOS build environments.
“On the Windows build environment the attacker deployed the TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges,” Mandiant said.
“The macOS build server was compromised with POOLRAT backdoor using LaunchDaemons as a persistence mechanism.”
The malware achieved persistence through DLL side-loading via legitimate Microsoft Windows binaries, which made it harder to detect.
It also automatically loaded during start-up, granting attackers remote access to all compromised devices over the internet.
Links to Operation AppleJeus
Mandiant says UNC4736 is related to the financially motivated North Korean Lazarus Group behind Operation AppleJeus [1, 2, 3], which was also linked by Google’s Threat Analysis Group (TAG) to the compromise of the www.tradingtechnologies[.] com website in a report from March 2022.
Based on infrastructure overlap, the cybersecurity firm also linked UNC4736 with two clusters of APT43 suspected malicious activity, tracked as UNC3782 and UNC4469.
“We determined UNC4736 is linked to the same North Korean operators based on the Trojanized X_TRADER app, distributed via the same compromised site mentioned in the TAG blog,” Fred Plan, Mandiant Principal Analyst for Google Cloud, told BleepingComputer.
“This, combined with similarities in TTPs, and overlap on other infrastructure, gives us moderate confidence that these operators are tied together.”
The 3CX supply-chain attack
On March 29, 3CX acknowledged that its Electron-based desktop client, 3CXDesktopApp, had been compromised to distribute malware, one day after news of a supply chain attack surfaced
It took 3CX more than a week to react to customer reports that its software had been identified as malicious by several cybersecurity companies, including CrowdStrike, ESET, Palo Alto Networks, SentinelOne, and SonicWall.
Nick Galea, the company’s CEO, also said after the attack’s disclosure that a ffmpeg binary used by the 3CX desktop client may have been the initial intrusion vector. However, FFmpeg denied Galea’s allegations, saying that it only provides source code that has not been compromised.
3CX advised customers to uninstall its Electron desktop client from all Windows and macOS devices (a mass-uninstall script can be found here) and immediately switch to the progressive web application (PWA) Web Client App provides similar features.
In response to 3CX’s disclosure, a team of security researchers created a web-based tool to assist the company’s customers in determining whether their IP address was potentially impacted by the March 2023 supply chain attack.
According to the company’s official website, the 3CX Phone System has over 12 million daily users and is utilized by more than 600,000 businesses globally, including high-profile organizations and companies like American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service, and multiple automakers.
“The identified software supply chain compromise is the first we are aware of which has led to an additional software supply chain compromise,” Mandiant said.
“It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”
Update: Added link to 3CX incident update.
