Another software supply chain attack discovered during 3CX investigation

In an update Thursday, Mandiant researchers said they believe the initial intrusion vector in the 3CX software supply chain attack was an outdated and corrupted version of a stock trading application downloaded by an employee in 2022. (Source: Icy Macload via Getty Images)
Researchers at Mandiant Consulting say a compromise of 3CX desktop application software disclosed last month was facilitated by another, separate software supply chain breach: a rogue third-party stock trading application downloaded by an employee.

In March, 3CX chief information security officer Pierre Jourdan announced that an update for the company’s Windows and Mac versions of their Electron desktop application software had been corrupted by a malicious actor, leaving any customers who downloaded it vulnerable to a range of different malware attacks, browser data mining, credential theft and the deployment of command shells. At the time, Jourdan blamed the infected build on “one of the bundled [software] libraries we compiled into the Windows Electron App,” but the initial disclosure did not identify or specify the affected software, nor did an April 11 interim assessment from Mandiant, which was hired to lead the investigation.

Now, in an update Thursday, the Google-owned Mandiant said it has identified what it believes to be the initial intrusion vector: an outdated and corrupted version of X_Trader, a software program used to trade stocks and futures. Charles Carmakal, chief technology officer at Mandiant, told reporters Wednesday that the compromise began in 2022 when a 3CX employee downloaded a version of X_Trader from the Trading Technologies website that contained a backdoor similar to the one discovered in 3CX’s desktop app.

The affected version of X_Trader was discontinued in 2020, but according to Mandiant it was still available for download on the Trading Technologies website as recently as 2022, with a valid certificate signed by “Trading Technologies International Inc.”

That backdoor allowed the attackers to gain access to the employee’s computer, which they used to move laterally through 3CX’s network until gaining access to the Electron app’s Windows and Mac build environments, where they were able to insert the corrupted code.

“This is the first time in history that Mandiant has ever observed a software supply chain attack of one company lead to the software supply chain attack of another company and another product,” said Carmakal.

It’s not clear how the actors initially compromised X_Trader’s software, or why the 3CX employee downloaded a version of X_Trader on their work computer. Carmakal said Mandiant notified Trading Technologies about the infected version of their program on April 11, but stressed that Mandiant’s visibility into this portion of the infection chain is limited because it was not part of that company’s incident response. He noted that because the infected version of X_Trader had been out of date for years, the impact and spread is likely smaller than it would have been for a more actively used version of the software.

When reached for comment, a representative from Trading Technologies told SC Media that they are still investigating Mandiant’s claims and expressed confusion as to why a 3CX employee would have downloaded an expired and unsupported version of their software, saying the telephony provider is not among their vendors or customers and “there is no business relationship between the two companies.”

“We have no idea why an employee of 3CX would have downloaded X_TRADER. The X_TRADER software referenced in Mandiant’s report was a professional trading software package for institutional derivatives trading that was decommissioned in April 2020,” a spokesperson told SC Media through email. “Our clients received multiple communications over the 18-month sunset period notifying them that we would no longer support or service X_TRADER beyond April 2020. There was no reason for anyone to download the software given that [we] stopped hosting, supporting and servicing X_TRADER after early 2020.”