3CX Supply Chain Attack Enabled by Trading Technologies Supply Chain Attack
Researchers from Mandiant investigating the recently disclosed 3CX supply chain attack say that attack was made possible by an earlier attack against a different supply chain. The earlier attack targeted Trading Technologies’ X-TRADER installer, adding a backdoor. In their blog, Mandiant writes, “The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise.”
The 3CX incident shows how important solid incident response is, not just for the company affected, but for the community at large. The exploited trading application may have been used by other users as well who up until now had no idea that it put their networks at risk. Thanks to Mandiant and 3CX for sharing these results.
The first two steps in the origin of the compromise appear to be (1) a personally-owned computer was used by an employee for remote access to 3CX, and apparently that remote access allowed the use of reusable passwords; (2) the employee loaded trojaned stock trading software on that personal computer, and that harvested his reusable password for 3CX remote access – game over. Cascading supply chain attacks are an issue, certainly – but the reality is the cascade would never have started if policies requiring strong authentication for all remote access (especially BYOD access) were enforced.
The VEILEDSIGNAL malware, which was injected into the X-TRADER installer in late 2021, was subsequently downloaded by a 3CX employee in 2023, allowing their computer to be compromised and the attacker to deploy more malware, as well as to move laterally within the 3CX environment, ultimately infecting their desktop app. The net is that multiple pieces of malware were involved, compromising both macOS and Windows environments, not all of which were unknown, so they should have been detected. Mitigate the risks by both making sure your EDR platform is kept updated and alerts are actively responded to, as well as teaching employees to use caution with third-party components, particularly older or unsupported items.
This is the first cascading software supply chain attack that has been openly reported. That said, it appears that this supply chain attack did not have a specific target in mind. Unfortunately for 3CX the attack was successful for two reasons: 1) poor implementation of cybersecurity best practices [download of non-work application, lack of network segmentation, access controls]; and 2) lack of security controls within the software development lifecycle [ability to manipulate the 3CX product].
Read more in
Mandiant: 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
Wired: The Huge 3CX Breach Was Actually 2 Linked Supply Chain Attacks
The Register: An earlier supply chain attack led to the 3CX supply chain attack, Mandiant says
SC Magazine: Another software supply chain attack discovered during 3CX investigation
Bleeping Computer: 3CX hack caused by trading software supply chain attack