Turns out 3CX was not the original target in a recent supply chain compromise affecting customers of the video conferencing software maker: The attack came via a prior supply chain compromise involving Trading Technologies, a provider of high-performance trading software.
That makes the breach at 3CX one of the first known instances where an adversary used one supply chain attack to enable a second supply chain attack in an effort to try and breach multiple organizations. However, rather than being the victims of a targeted attack, 3CX and its customers appear to have become opportunistic victims for the threat actor, new research shows.
Researchers at Google Cloud's Mandiant discovered the chained attacks after 3CX hired the security vendor to investigate a March 2023 incident where a threat actor — now identified as North Koreas Lazarus group — used legitimate updates of 3CX's DesktopApp to deliver malware to downstream customers.
Multiple security vendors at the time reported observing legitimately signed Windows and Mac versions of the 3CX app landing on customer systems bundled with malicious installers. When users attempted to deploy the poisoned software, the malicious installers executed a sequence of actions that ended with an information stealer on their systems. Kaspersky later observed Lazarus actors dropping a second-stage backdoor, tracked as "Gopuram" on systems belonging to a small number of affected 3CX users.
Security researchers surmised that the North Korean threat actor — whom Mandiant tracks as UNC4736 — would have needed extensive access to 3CX's build environment to pull off the attack. 3CX officials themselves merely noted the issue likely had to do with one of the bundled libraries compiled into the desktop app.
Fortuitous Download for the Hackers
Mandiant's investigation into how exactly UNC4736 might have compromised the 3CX environment showed the threat actor gained initial access when a 3CX employee downloaded a financial trading package called X_TRADER from the website of the developer, Trading Technologies.
UNC4736 actors had previously breached Trading Technologies systems, according to Mandiant, and inserted a backdoor in the X_TRADER app's installation file. When the 3CX user downloaded the app from the Trading Technologies website, the installer triggered actions that resulted in a modular, multi-stage backdoor called "VEILEDSIGNAL" landing on the individual's system.
The malware contained multiple functions, including those for sending implant data, executing shell code, and for terminating itself. VEILEDSIGNAL also included two other components: one for injecting the command-and-control module on Chrome, Firefox, or Edge, and the other for listening to incoming communications.
Marius Fodoreanu, principal consultant at Mandiant and the lead investigator in the 3CX compromise, says it's unclear how UNC4736/Lazarus actors introduced the malicious installer for X_TRADER.
"Mandiant is not performing an incident response for Trading Technologies, so we don't have direct visibility into the Trading Technologies' environment," he says. But Mandiant has observed evidence of compromise of the Trading Technologies environment as far back as 2021, Fodoreanu says.
Lazarus Used Backdoor to Steal Credentials, Compromise 3CX Build Systems
Fodoreanu says that following the initial compromise of the 3CX employee's computer in 2022, the threat actor stole the employee's corporate credentials. The attackers then used the administrative-level access and persistence that VEILEDSIGNAL provided on the system to eventually compromise 3CX's Windows and macOS build environments and insert malware into finished 3CX software packages.
The breach at 3CX would not have happened in this instance if the employee hadn't downloaded the malicious X_TRADER app. That means the company became a collateral and, therefore, an opportunistic victim of the North Korean group.
"If you were starting from scratch and trying to intentionally target a company like 3CX, you would not go to Trading Technologies as an initial attack vector," Fodoreanu concedes.
However, when the threat actor discovered they had snagged a high-value victim, it is likely they pressed forward more deliberately, he says.
"Yes, we believe it likely started off as [an] opportunistic attack," he says. "But once they figured out that they had access to a company that likely has a lot of customers, they decided to continue to move forward and compromise the environment and then compromise the software."
3CX Not a Trading Technologies' Customer
Interestingly, 3CX is neither a vendor nor a customer of Trading Technologies. So, it is not clear why an employee from the company would have wanted to download X_TRADER, a spokeswoman from Trading Technologies said in an emailed statement to Dark Reading.
"Given that this only came to our attention last week, we have not had the ability to verify the assertions in Mandiant's report," the spokeswoman said. "What we do know with certainty is that 3CX is not a vendor or a customer of Trading Technologies. There is no business relationship between the two companies."
The statement went on to note that Trading Technologies discontinued the X_TRADER app referenced in the Mandiant report in April 2020. Mandiant itself said its investigation showed, however, that the app was still available for download in 2022. "There was no reason for anyone to download the software given that TT stopped hosting, supporting, and servicing X_TRADER after early 2020."
Fodoreanu says there is potential that other organizations might have downloaded the poisoned X_TRADER app during the two years it was available on Trading Technologies' website, after the company discontinued the product.
"We suspect there are a number of organizations that don't know they're compromised yet," he says. "We're hopeful that now that this information is out, it'll help accelerate the process for companies to determine that they're compromised and contain their incidents."
Meanwhile, in a separate development, security vendor Eset this week reported on a new Lazarus campaign it is currently tracking as Operation DreamJob, which it believes is linked to the 3CX attack for multiple reasons. Peter Kalnai, senior malware researcher at Eset, says the so-called "SimplexTea" Linux malware used in the DreamJob campaign shares the same C2 network infrastructure used in the 3CX attack.
The configuration of SimplexTea also bears the same name (apdl.cf) as SIMPLESEA the macOS malware reported in the 3CX attack, Kalnai says. There are also similarities in the manner in which messages are encrypted, he says.