An investigation into last month’s 3CX supply chain attack found that it was caused by an earlier supply chain breach, in which suspected North Korean attackers compromised the website of stock trading automation company Trading Technologies to push trojanized software releases.
“We suspect that a number of organizations are not yet aware that they are compromised,” Charles Carmakal, CTO of Mandiant Consulting, told BleepingComputer.
“We hope that once we get this information, it will help expedite the process for businesses to determine they are compromised and contain their incidents.”
The malicious installer of Trading Technologies’ X_TRADER software deployed the VEILEDSIGNAL multi-step modular backdoor designed to execute shellcode, inject a communications module into Chrome, Firefox or Edge processes, and terminate.
According to Mandiant, the cybersecurity company that helped 3CX investigate the incident, the threat group (tracked as UNC4736) used the credentials it collected to move laterally on 3CX’s network, ultimately breaching the Windows and macOS build environments.
“On the Windows build environment, the attacker deployed the TAXHAUL launcher and COLDCAT downloader, which persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges,” Mandiant said.
“The macOS build server was compromised with the POOLRAT backdoor using LaunchDaemons as a persistence mechanism.”
The malware achieved persistence by sideloading DLLs through legitimate Microsoft Windows binaries, which made it harder to detect.
It also loaded automatically on startup, allowing attackers to remotely access any compromised devices over the internet.
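The IKEEXT DLL hijacking described above is something a defender can hunt for directly. The following PowerShell script is an added example (not from the article, 3CX or Mandiant) that inspects the IKEEXT service configuration and flags any module loaded into its host process that is unsigned or not signed by Microsoft; it assumes an elevated session on a Windows host.

```powershell
# Added example: hunt for DLL hijacking of the IKEEXT service (runs as LocalSystem).
# Assumes an elevated PowerShell session on Windows. Review findings rather than
# alerting blindly: on some hosts catalog-signed system DLLs can report NotSigned.

$svc = Get-CimInstance Win32_Service -Filter "Name='IKEEXT'"
if (-not $svc) { Write-Warning "IKEEXT service not found on this host"; return }

# Service configuration: expected to be hosted by svchost.exe under LocalSystem
"{0} | State={1} | StartMode={2} | Account={3}" -f $svc.Name, $svc.State, $svc.StartMode, $svc.StartName
"ImagePath  = $($svc.PathName)"

# The DLL that svchost loads for this service
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters' -ErrorAction SilentlyContinue
"ServiceDll = $($params.ServiceDll)"

if ($svc.ProcessId -eq 0) {
    Write-Warning "IKEEXT is not running; review the on-disk ServiceDll and System32 directly"
    return
}

# Every module mapped into the IKEEXT host process, checked against Authenticode
$suspicious = foreach ($m in (Get-Process -Id $svc.ProcessId).Modules) {
    $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
    $signer = $sig.SignerCertificate.Subject
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{
            Module = $m.FileName
            Status = $sig.Status
            Signer = $signer
            SHA256 = (Get-FileHash -Algorithm SHA256 -Path $m.FileName).Hash
        }
    }
}

if ($suspicious) {
    Write-Warning "Unsigned or non-Microsoft modules loaded into the IKEEXT host process:"
    $suspicious | Format-Table -AutoSize
} else {
    "No unsigned or non-Microsoft modules loaded into the IKEEXT host process (PID $($svc.ProcessId))."
}
```

Run it first on a known-good build host to establish a baseline, then compare the output across the fleet; a DLL listed with Status NotSigned or a non-Microsoft signer in this process is worth pulling for analysis.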
Links to Operation AppleJeus
Mandiant says UNC4736 is linked to the financially motivated North Korean Lazarus group behind Operation AppleJeus [1, 2, 3], which was also linked by Google’s Threat Analysis Group (TAG) to the compromise of www.tradingtechnologies[.]com in a March 2022 report.
Based on infrastructure overlap, the cybersecurity firm also linked UNC4736 to two clusters of suspected APT43 malicious activity, tracked as UNC3782 and UNC4469.
“We have determined that UNC4736 is linked to the same North Korean operators based on the trojanized X_TRADER application, distributed via the same compromised site mentioned in the TAG blog,” said Fred Plan, Mandiant Principal Analyst for Google Cloud, to BleepingComputer.
“This, combined with similarities in TTPs and overlap on other infrastructure, gives us moderate confidence that these operators are related to each other.”
The 3CX Supply Chain Attack
On March 29, 3CX admitted that its Electron-based desktop client, 3CXDesktopApp, had been compromised to distribute malware, a day after news of a supply chain attack surfaced.
It took 3CX more than a week to respond to customer reports that its software had been identified as malicious by several cybersecurity companies, including CrowdStrike, ESET, Palo Alto Networks, SentinelOne and SonicWall.
Nick Galea, CEO of the company, also said after the attack was revealed that an ffmpeg binary used by the 3CX desktop client may have been the initial intrusion vector. However, FFmpeg denied Galea’s claims, saying that it only provides source code and that this code has not been compromised.
3CX advised clients to uninstall its Electron desktop client from all Windows and macOS devices (a bulk uninstall script can be found here) and immediately switch to the Progressive Web App (PWA) Web Client, which provides similar functionality.
In response to the 3CX disclosure, a team of security researchers created a web-based tool to help enterprise customers determine whether their IP address has potentially been impacted by the March 2023 supply chain attack.
According to the company’s official website, 3CX Phone System has over 12 million daily users and is used by more than 600,000 companies globally, including leading organizations and companies like American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service and several car manufacturers.
“The identified compromise in the software supply chain is the first we are aware of that has led to an additional compromise in the software supply chain,” Mandiant said.
“This shows the potential scope of this type of compromise, particularly when a malicious actor can chain intrusions together, as this investigation demonstrates.”