Upstream Supply Chain Issues Caused 3CX Software Compromise
Category: Application Security | Industries: Financial Services, Telecommunications | Level: Strategic | Sources: Mandiant & Symantec
The compromise of the 3CX desktop application in late March significantly impacted over 600,000 companies with more than 12 million daily users. Since the breach, 3CX has partnered with Mandiant to investigate the incident, and the security firm was able to determine that "the initial compromise vector of 3CX’s network was via malicious software downloaded from Trading Technologies website." North Korean threat actors remain the lead suspects for the compromise of 3CX and for a prior breach of Trading Technologies that facilitated the poisoning of software builds. Specifically, the 'X_TRADER' installer from Trading Technologies was identified as having been tampered with to enable the deployment of a malware backdoor dubbed VEILEDSIGNAL. The backdoor can transmit implant data, run shellcode, and inject a communication module into browser processes for Chrome, Firefox, or Microsoft Edge. Mandiant designates the threat cluster as an uncategorized group, UNC4736. Unfortunately, with this revelation that the attack occurred upstream of 3CX, Mandiant warns "there are a number of organizations that don’t yet know they are compromised."
Mandiant's investigation into the breach of 3CX also found that UNC4736 operators were able to infect builds for Windows and macOS by using collected credentials to move laterally within 3CX's environment. According to Mandiant, on "the Windows build environment the attacker deployed the TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges," and for macOS, the "build server was compromised with POOLRAT backdoor using LaunchDaemons as a persistence mechanism." While Mandiant tracks the threat cluster as an uncategorized group, UNC4736, it does assess with moderate confidence that this activity is attributable to the North Korean “AppleJeus” activity led by the Lazarus group. The attribution is based on shared victimology of fintech and cryptocurrency-related platforms, evident in the compromise of Trading Technologies, and on an overlap of TTPs. The techniques demonstrated include the exploitation of a Chrome remote code execution vulnerability, CVE-2022-0609, the hosting of a hidden iframe following the compromise of Trading Technologies' website, and shared network infrastructure in the use of the journalide[.]com domain.
The Symantec Threat Hunter Team conducted an exposure check and discovered that the trojanized installer from Trading Technologies had affected two critical infrastructure organizations in the energy sector, in the United States and Europe, as well as two separate financial services organizations. Mandiant, Symantec, and several other reputable security firms and researchers have attributed the supply chain attack to North Korea-sponsored actors and believe it to be rooted in espionage and financial motivations. The compromise of Trading Technologies supports the actors' financial motivations, given the company's core business of facilitating trades.