3CX supply chain attack was the result of a previous supply chain attack, Mandiant says

Hackers linked to North Korea appear to have carried out the first documented instance of a supply chain attack that led to a second, subsequent supply chain attack, researchers at Mandiant concluded in a report released Thursday.

The attack in question targeted the video conferencing and online communications platform 3CX and occurred when an employee downloaded a compromised version of the financial trading software X_Trader. The attackers then used access granted by the malicious X_Trader software to lace 3CX’s desktop application with malware.

“This is the first time that we’ve seen a software supply chain attack lead to another software supply chain attack,” Charles Carmakal, Mandiant consulting CTO, told reporters in a briefing ahead of the report’s release. “So this is very big and very significant to us.”

Both attacks were likely the work of financially motivated North Korean-aligned hacking efforts. Indicators from the attacks show varying degrees of overlap with multiple North Korean cyber operators that Mandiant described as “involved in financially-motivated cybercrime operations” that have “demonstrated a sustained focus on cryptocurrency and fintech-related services over time.”

A spokesperson for Trading Technologies said the role of X_Trader in compromising 3CX “only came to our attention last week” and that “we have not had the ability to verify the assertions in Mandiant’s report.” The spokesperson said that Trading Technologies has no business relationship with 3CX and said that X_Trader was no longer in use.

“The X_TRADER software referenced in Mandiant’s report was a professional trading software package for institutional derivatives trading that was decommissioned in April 2020,” the spokesperson said. “Our clients received multiple communications over the 18-month sunset period notifying them that we would no longer support or service X_TRADER beyond April 2020. There was no reason for anyone to download the software given that TT stopped hosting, supporting and servicing X_TRADER after early 2020.”

Immediately after the attack on 3CX — which claims to have more than 12 million users globally and 600,000 installations of its software — was revealed, researchers feared that it might amount to the next SolarWinds-style supply chain attack, with untold numbers of downstream customers at risk of compromise.

By daisy-chaining two different supply chain vulnerabilities, the hackers behind the attack could have reached a large number of victims, though the scope of the attack remains unclear for now.

Ben Read, the head of cyber-espionage analysis at Mandiant, told reporters that supply chain attacks give attackers access to a greater pool of victims, so even if the ultimate rate of successful compromise is low, more victims will ultimately be compromised. “If five percent of your victims have stuff you can steal, if you hack 20, you’re going to get one, if you hack 100, you’re going to get 20,” Read said.

A day after the attack came to light, the cybersecurity firm Huntress said that there were more than 242,000 publicly exposed 3CX phone management systems online but did not assert a definitive number of compromised victims.

Other estimates of the impact were more modest. Researchers with Kaspersky said earlier this month that although its systems had seen installations of infected 3CX software “all over the world,” the malware it associates with the malicious 3CX file had been deployed to “less than ten machines,” indicating that the North Korean hackers “used this backdoor with surgical precision” related to a “specific interest in cryptocurrency companies.”

Mandiant was unable to say how many times the modified version of the 3CX desktop application was downloaded by unsuspecting customers. 3CX did not immediately respond to a request for comment. 3CX CEO Nick Galea previously told CyberScoop that it wasn’t clear how widespread the attack was but said it was likely that hundreds of thousands of the company’s customers had downloaded the infected update.

“I think we will learn about many more victims over time as it relates to one of these two software supply chain attacks,” Carmakal said. “We will very likely over time discover more victims.”

Mandiant, a division of Google Cloud, was contracted by Florida-based 3CX in March after the company became aware that installation files for one of its desktop applications had been trojanized to deliver a data miner capable of stealing browser information in the infected machine. That attack was enabled by a malware-laced version of the X_Trader software installation package from the Chicago-based Trading Technologies.

The version of X_Trader used in the attack was discontinued in 2020 but still available for download in April 2022, when the 3CX employee apparently downloaded it, Mandiant said.

Trading Technologies’ website was compromised in February 2022 as part of a North Korean hacking operation known as AppleJeus, Google’s Threat Analysis Group reported the following month. An April 2021 U.S. government advisory described the Apple Jeus operation as part of a North Korean campaign to steal cryptocurrency.

Galea wrote in a blog Thursday morning that the company will be taking multiple steps to harden their digital defenses. 3CX plans on working with Mandiant to rebuild and harden their networks with a dedicated build environment and additional monitoring like new endpoint detection and response tools. The company is also working on ensuring the integrity of the software through additional procedures like code signing and monitoring and is investing in a new “Network Operations & Security” department.

Update April 20, 2023: This article has been updated to include additional information from 3CX.