The security firm Mandiant Consulting released a report Wednesday that traced the breach at 3CX back to yet another supply chain-compromised application: X-Trader, a derivatives trading software application manufactured by the firm Trading Technologies.
The report from Mandiant, which 3CX hired to investigate the hack, said its researchers identified an installer with the filename X_TRADER_r7.17.90p608.exe as the application that led to the deployment of the malicious modular backdoor on the personal computer of a 3CX employee. Researchers identified the backdoor as an application named “VEILEDSIGNAL.”
That backdoor gave the attackers, North Korean advanced persistent threat (APT) group UNC4736, access to the employee’s 3CX administrator credentials, which they then used to access the company’s network environment via a virtual private network (VPN) connection and move laterally within the company’s environment.
Here's a full run-down of what's known about the 3CX attack to date, which Mandiant called the first "cascading software supply chain compromise."
[ See special report: The Evolution of App Sec | Get eBook: Why Traditional App Sec Testing Fails on Supply Chain Security ]
Attack traced back to employee laptop compromise
3CX said in a blog post that the earliest evidence of the compromise uncovered within the 3CX corporate environment occurred through the VPN using an employee's corporate credentials two days after that employee's personal computer was compromised using the X_TRADER application.
The UNC4736 group compromised both 3CX’s Windows and macOS build environments. The group deployed the TAXHAUL launcher and COLDCAT downloader in the Windows build environment, which persisted by performing DLL hijacking for the IKEEXT service, and ran with LocalSystem privileges. 3CX said the attackers compromised the macOS build server by using a POOLRAT backdoor with LaunchDaemons as a persistence mechanism.
3CX and X_Trader: Lots of similarities
Mandiant's report noted many similarities between the compromised X_TRADER and 3CX DesktopApp applications, suggesting a link between the attacks. Both compromised applications contain, extract, and run a payload similarly, although the final payload is different.
The report found other similarities, including the use of SIGFLIP and the same RC4 key 3jB(2bsG#@c7 in the SIGFLIP tool configuration to encrypt and decrypt the payload. (We explained the function of that key in this analysis of the 3CX attack.)
Both compromises also relied on DAVESHELL, using the hardcoded cookie variable __tutma in the payloads, and encrypting data with AES-256 GCM cipher.
Supply chain attacks: No supplier necessary
Mandiant’s account of the event raises questions about the 3CX compromise, many of which lack easy answers. As cybersecurity reporter Kim Zetter writes on her blog, the compromise of Trading Technologies was well known before the 3CX compromise occurred.
Google disclosed in March 2022, that the company’s website had been compromised by North Korean state actors who planted an exploit on the site that infected visitors. That was followed months later by a supply chain compromise linked to versions of the company’s X_Trader program, which had been discontinued in 2020, but was still available for download from the company’s website.
For its part, Trading Technologies disputed the characterization of the hack as a “supply chain compromise,” arguing that it was never a software supplier to 3CX and that there was no reason that a 3CX employee would have to download the X_TRADER application in the first place.
The company also had few answers for why a long-discontinued application could be rebuilt, signed, and distributed from the Trading Technologies website without the company noticing that something was amiss. A company representative also threw cold water on the possibility that it would help to get to the bottom of the compromise.
Trading Technologies had “literally turned off everything that was running it” and could not easily go back and reconstruct what happened. “It’s an extreme challenge to us,” a company spokesperson said.
This was the first double supply chain attack
Mandiant said the incident was the first “cascading software supply chain compromise” it has seen where a hack of one software provider set up the hack of a different software vendor:
"The incident shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation."
Among questions that still need to be asked are whether other companies beyond 3CX were victims of this attack. The X_TRADER application was a “niche” tool used in the derivatives trading market and had reached its end of life. In theory, few Trading Technologies customers should have been using it. But it is unclear whether the UNC4736 hackers were able to compromise other Trading Technologies platforms, or if the group found success compromising other application providers.
Also unanswered is why a 3CX employee downloaded and installed a compromised, discontinued derivatives trading application that did not have a retail trading component. One possibility is that the administrator’s system was compromised by other means and that a remote attacker, rather than the device owner, download of the X_TRADER application.
3CX has not commented on the circumstances surrounding the download of the X_TRADER application but said it is “wind(ing) down” its incident investigation and has strengthened its policies, practices, and technology to “further protect against future attacks.” The company also announced a “7 Step Security Action Plan” that includes increasing the use of static and dynamic code analysis and the addition of “code signing and monitoring solutions” that can help to “ensure that our software is not modified.”
A troubling call to action on supply chain security
The latest twists in the tale of the 3CX attack are likely to heighten interest in software supply chain security — and increase scrutiny on software development organizations. As ReversingLabs reverse engineer Karlo Zanki said in his initial analysis of the 3CX incident: The company missed clear signs of tampering with its 3CX DesktopApp.
Mandiant’s revelations raise troubling questions about Trading Technologies' management of its X_TRADER application which, although discontinued, was still available from the company’s website and appears to have been modified to add malicious code without the company's knowledge.