3CX breach linked to previous supply chain compromise
Pieces of the 3CX supply chain compromise puzzle are starting to fall into place, though we’re still far away from seeing the complete picture.
In the meantime, we now also know that:
- The source of the 3CX breach was a compromised installer for X_TRADER, an old software package for futures-trading provided by Trading Technologies
- The trojanized installer for X_TRADER software was also used to drop a backdoor on the systems of two critical infrastructure organizations in the energy sector, and two organizations involved in financial trading
The 3CX supply chain compromise
As we previously reported, the Windows and Mac desktop versions of the 3CX app have been injected with malware and used to deliver information-stealing malware to a yet unknown number of 3CX customers. According to Kaspersky, some of the victims are cryptocurrency companies.
3CX engaged Mandiant to investigate how their own compromise happened, and they revealed last Thursday that one of 3CX employees downloaded the booby-trapped X_TRADER installer, leading to the ultimate deployment of a modular backdoor (dubbed VEILEDSIGNAL) on their system.
The installer was signed with an expired digital certificate belonging to Trading Technologies, and dates back to November 2021.
“The attacker used a compiled version of the publicly available Fast Reverse Proxy project, to move laterally within the 3CX organization during the attack. Mandiant was able to reconstruct the attacker’s steps throughout the environment as they harvested credentials and moved laterally. Eventually, the attacker was able to compromise both the Windows and macOS build environments,” the company’s investigators shared.
“On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL search order hijacking through the IKEEXT service and ran with LocalSystem privileges. The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism.”
They also found indicators of compromise that seem to corroborate their initial assessment that government-sponsored North Korean hackers are behind the breach.
“The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise,” they added. “Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea’s interests.”
Almost simultaneously, ESET researchers published a report about the Lazarus APT targeting Linux users with fake job offers and a Linux backdoor, and further linked the group to the 3CX supply chain attack based on similarities between used malware and shared infrastructure.
“The stealthiness of a supply chain attack makes [distributing malware via compromised software] very appealing from an attacker’s perspective. Lazarus has already used this technique in the past, targeting South Korean users of WIZVERA VeraPort software in 2020. Similarities with existing malware from the Lazarus toolset and with the group’s typical techniques strongly suggest the recent 3CX compromise is the work of Lazarus as well,” they noted.
“It is also interesting to note that Lazarus can produce and use malware for all major desktop operating systems: Windows, macOS, and Linux.”
The yet unknown fallout of the Trading Technologies compromise
Then, on Friday, Symantec’s Threat Hunter Team revealed that the X_TRADER software supply chain attack affected more organizations than 3CX, including two organizations in the energy sector in the US and the UK, as well as two organizations involved in financial trading. (The extent of possible compromise at those companies is unknown.)
“It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures. Nevertheless, the compromise of critical infrastructure targets is a source of concern. North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation,” they pointed out.
Trading Technologies told security journalist Kim Zetter that the compromised X_TRADER package was downloaded by 97 individuals between November 1, 2021 and July 26, 2022, and that they’ve been notified and advised not to open the software if they haven’t done so already.
If any of those individuals work at other software companies, the discovery of additional related supply chain attacks is very likely.