Another software supply chain attack discovered during 3CX investigation

Researchers at Mandiant Consulting say a compromise of 3CX desktop application software disclosed last month was facilitated by another, separate software supply chain breach of a rogue third-party stock trading application downloaded by an employee.

In March, 3CX chief information security officer Pierre Jourdan announced that an update for the company’s Windows and Mac versions of their Electron desktop application software had been corrupted by a malicious actor, leaving any customers who downloaded it vulnerable to a range of different malware attacks, browser datamining, credential theft and the deployment of command shells.  

At the time, Jourdan blamed the infected build on “one of the bundled [software] libraries we compiled into the Windows Electron App” but the initial disclosure did not identify or specify the affected software, nor did an April 11 interim assessment from Mandiant, which was hired to lead the investigation.

Now in an update Thursday, the Google-owned Mandiant said it has identified what it believes to be the initial intrusion vector: an outdated and corrupted version of X_Trader, a software program used to trade stocks and futures.

Charles Carmakal, chief technology officer at Mandiant, told reporters Wednesday that the compromise began in 2022 when a 3CX employee downloaded a version of X_Trader from the Trading Technologies website that contained a backdoor exploit similar to the one discovered in 3CX’s desktop app. The affected version of X_Trader was discontinued in 2020, but according to Mandiant it was still available for download on the Trading Technologies website as recently as 2022, with a valid certificate signed by “Trading Technologies International Inc.”

That backdoor allowed malicious hackers to gain access to the employee’s computer, which they used to move laterally through 3CX’s network until gaining access to the Electron app’s Windows and Mac build environments, where they were able to insert the corrupted code.

“This is the first time in history that Mandiant has ever observed a software supply chain attack of one company lead to the software supply chain attack of another company and another product,” said Carmakal.

It’s not clear how the actors initially compromised X_Trader’s software, or why the 3CX employee downloaded a version of X_Trader on their work computer. Carmakal said Mandiant notified Trading Technologies about the infected version of their program on April 11 but stressed that their visibility over this portion of the infection chain is limited because they were not part of the company's incident response. He noted that because the infected version of X_Trader had been out of date for years, the impact and spread is likely smaller than it would have been for a more active version of the software.

When reached for comment, a representative from Trading Technologies told SC Media that they are still investigating Mandiant’s claims and expressed confusion as to why a 3CX employee would have downloaded an expired and unsupported version of their software, saying the telephony provider is not among their vendors or customers and "there is no business relationship between the two companies.”

“We have no idea why an employee of 3CX would have downloaded X_TRADER. The X_TRADER software referenced in Mandiant’s report was a professional trading software package for institutional derivatives trading that was decommissioned in April 2020," a spokesperson told SC Media through email. "Our clients received multiple communications over the 18-month sunset period notifying them that we would no longer support or service X_TRADER beyond April 2020. There was no reason for anyone to download the software given that [we] stopped hosting, supporting and servicing X_TRADER after early 2020.”

Details on 3CX victims remain scant

According to their website, 3CX has more than 600,000 companies as clients, including American Express, BMW, Air France, Toyota, IKEA and others. A search on Shodan on March 30 found more than 240,000 3CX exposed phone management systems, while one managed security service provider, Huntress, reported it has sent out more than 2,783 incident reports where the 3CXDesktopApp.exe binary matches known malicious hashes and had a signed certificate from 3CX on March 13.

However, Carmakal declined to provide hard figures around how many 3CX’s customers are known to be infected or compromised in the attack, saying it’s likely more victims will come forward as Mandiant and others continue to publish research into affected products and systems.

“Right now, we don’t have great visibility into who the downstream victims are. We think over time we’ll get better visibility … I think there’s just a number of organizations that don’t yet know that they’re compromised, that will end up reaching out to us over time,” he said.

Mandiant and other threat intelligence companies have tentatively attributed the attack to a group with a North Korean-nexus. Ben Read, director of cyber espionage analysis at Mandiant, said they have not yet seen a downstream compromise that clearly indicates motive, but noted that 3CX’s software is built for corporate environments and the activity appears to have substantial overlap with previous North Korea-aligned groups and campaigns that have historically targeted cryptocurrency companies and conducted financially motivated attacks.

Specifically, Mandiant has assessed with “moderate confidence” that the activity is linked to “AppleJeus,” a North Korea-linked campaign targeting cryptocurrency exchanges and financial service companies in 32 countries (including the U.S.) by disseminating cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.

“These folks are highly resourced, and they are after money. It sort of shows where North Korea is putting their best cyber teams, really on the financially motivated stuff,” Read said.

Carmakal noted that while this is the first time Mandiant has seen an actor use one supply chain compromise to execute another, previous supply chain attacks the company has investigated have mirrored the same potential desire.

Most notably, he said there is substantial evidence that the Russian SVR-linked hacking group involved in the infamous SolarWinds/SUNBURST incident in 2020 was "poking around in source code environments and build environments" in a way that indicated a similar interest in potentially chaining together software supply chain attacks to infect a broader pool of victims downstream. He said Mandiant hasn't ruled out the possibility that there are additional undiscovered software compromises linked to the 3CX intrusion.

"It's our assessment that [the Russian hackers] likely would have wanted to conduct other software supply chain attacks, but we think they were caught off guard when we detected the incident at FireEye and end up disclosing it," Carmakal said.