The supply chain attack against 3CX last month has far-reaching — and foreboding — consequences beyond what the security community first observed, marking a novel example of a multitiered supply chain attack.
“This is the first time in history that Mandiant’s ever observed a software supply chain attack of one company lead to the software supply chain attack of another company and another product,” Mandiant Consulting CTO Charles Carmakal said Wednesday in a press briefing.
Carmakal described it as “very novel and interesting and quite a scary threat.”
The compromise of 3CX and its build environment occurred when a 3CX employee used their credentials to download and install X_TRADER software on their computer, the incident response firm determined in its investigation.
Both the financial trading software from Trading Technologies and 3CX, which has more than 600,000 business customers globally, were compromised by a North Korea-linked adversary Mandiant identifies as UNC4736.
The backdoor deployed by the malware-laced X_TRADER software allowed the threat actor to access the 3CX employee’s computer and ultimately access and insert malicious code into the build environment, Carmakal said.
The X_TRADER software was compromised in early 2022 and infected with VEILEDSIGNAL malware, a full-featured backdoor, Carmakal said. The installer was digitally signed with a valid Trading Technologies code signing certificate that has since expired.
Trading Technologies retired the software in 2020, but it remained available for download until 2022 and is no longer available. Mandiant notified Trading Technologies of the supply chain attack on April 11.
Mandiant is still assessing the downstream impact from both software supply chain attacks, but warns the potential for additional victims is high.
“There are very likely other victims out there that don't yet know that they're compromised,” Carmakal said.
The compromised X_TRADER and 3CX applications contain, extract and run a payload in the same manner, but the final payload is different, according to Mandiant’s investigation.
Mandiant shared details about the initial intrusion vector and VEILEDSIGNAL backdoor analysis in a blog post.
“The biggest threat is having organizations who were compromised over the past, say 12 months or so, that don’t yet know it,” Carmakal said. “Something more damaging could happen, because it generally takes a threat actor several months to be able to conduct a very high impactful cyber operation without going detected.”