The 3CX attack was an attack within an attack
Google-owned Mandiant shared more details of the sophisticated campaign.
The sophisticated supply chain attack against enterprise communication software maker 3CX, discovered last month, was itself the result of an earlier supply chain attack: the same hackers who compromised 3CX had previously targeted financial software firm Trading Technologies and hijacked its X_TRADER application.
3CX’s systems were penetrated after an employee downloaded the malware-laced trading software onto their personal computer in April 2022. The tainted app delivered a backdoor named VEILEDSIGNAL that allowed the threat actor to obtain the employee’s corporate credentials, gain unauthorized access to 3CX’s network, poison its Windows and macOS build environments, and ultimately slip backdoored code to 3CX customers.
While the attack on 3CX first came to light last month, new findings show that it began more than a year ago, in February 2022, when the adversary exploited a then-zero-day in Google Chrome to breach the Trading Technologies website. The attackers eventually gained access to the company’s build environment and inserted malicious code into the X_TRADER app. It’s currently not clear how the Lazarus actors introduced the malware into X_TRADER. Interestingly, the version of X_TRADER used in the attack was discontinued in 2020 but was still available for download from the website in 2022.
Threat intelligence firm Mandiant told Dark Reading that the whole campaign likely started off as an opportunistic attack, adding “but once they figured out that they had access to a company that likely has a lot of customers, they decided to continue to move forward and compromise the environment and then compromise the software.” The development marks the first confirmed incident where one software supply chain attack enabled another. However, it’s unlikely to be the last.
What the threat actors hoped to accomplish is another unknown, although it appears to be cryptocurrency theft. Indicators from the interlinked attacks show varying degrees of overlap with multiple North Korean threat clusters that have been described as “involved in financially-motivated cybercrime operations.” The development illustrates the growing offensive cyber capabilities of North Korean threat actors and their ever-evolving tactics. It also underscores how supply chain attacks can give attackers access to a far larger pool of victims by breaching a single upstream service provider.
***
Read additional coverage about the 3CX attack here: Kim Zetter / Krebs on Security / WIRED / Dark Reading / TechCrunch / CyberScoop / SC Media / SecurityWeek