Mandiant: 3CX software supply chain attack was caused by another supply chain attack compromise
Popular voice call service 3CX was compromised in March 2023 through a supply-chain attack, which involves hackers breaching a vendor’s system to gain entry to other targets.
The supply chain attack on 3CX, a popular voice call service, originated from another supply chain attack, according to cybersecurity firm Mandiant.
3CX was breached using a tainted version of the X_Trader financial software, develop involvingchnologies to trade stocks and futures. A 3CX employee downloaded a tainted version of the X_Trader software in April 2022, which led to the deployment of a malicious modular backdoor: VEILEDSIGNAL, on the employee’s phone. The backdoor allowed hackers to gain access to the employee’s computer and then move laterally through 3CX’s network, ultimately inserting malicious code into the 3CX DesktopApp.
‘The affected software was 3CX DesktopApp 18.12.416 and earlier, which contained malicious code that ran a downloader, ran a downloader, SUDDENICON, which in turn received additional command and control (C2) servers from encrypted icon files hosted on GitHub. The decrypted C2 server was used to download a third stage identified as ICONICSTEALER, a dataminer that steals browser information,’ Mandiant’s investigation uncovered.
3CX software supply chain compromise linked to Trading Technologies software supply chain compromise. Credit: Mandiant.
Mandiant stated that this is the first instance they have observed of one software supply chain attack leading to another, calling it a ‘cascading software supply chain compromise’. The threat actor deemed responsible, UNC4736, is a suspected North Korean actor, and Mandiant assesses with moderate confidence that the actor is related to financially motivated North Korean ‘AppleJeus’ activity.
A spokesperson for Trading Technologies told SC Media that the X_Trader financial software was decommissioned in April 2020. It is unclear why the 3CX employee downloaded the software.