Google Cloud’s Mandiant says it has observed what appears to be the first ever instance of a double software supply chain attack, after uncovering evidence that suggests that the widespread 3CX supply chain incident only happened thanks to another software supply chain incident.
In late March, a software supply chain compromise enabled a North Korean threat actor tracked by Mandiant as UNC4736 (aka Lazarus) to spread malware via a trojanised version of 3CX DesktopApp 18.12.416.
The tainted 3CX app runs the SUDDENICON downloader that retrieves command and control (C2) servers from encrypted icon files hosted on GitHub. The decrypted C2 server then downloads a third-stage payload, a dataminer known as ICONICSTEALER.
This came to light when threat detection platforms started flagging and blocking 3CX DesktopApp due to malicious activity.
It now appears that 3CX’s systems were infiltrated with a malware-laced installer for the X_TRADER application. X_TRADER is a futures trading platform developed by Chicago-based Trading Technologies that was discontinued over three years ago.
The compromise of the end-of-lifed version of X_TRADER was first brought to light by Mandiant’s new cohorts at the Google Threat Analysis Group (TAG) in February 2023. This investigation alleged its website had been compromised by Lazarus via a remote code execution (RCE) vulnerability in the Chrome browser and was hosting a hidden iFrame to exploit visitors.
At the time, Google TAG determined this activity overlapped with a cluster of Lazarus activity known as AppleJEUS, which is a malware it uses to target cryptocurrency platforms.
Having accessed 3CX through the tainted version of X_TRADER, Lazarus was then able to harvest credentials and move laterally across 3CX’s systems, eventually compromising both its Windows and macOS build environments and enabling it to fiddle with DesktopApp.
“The identified software supply chain compromise is the first we are aware of which has led to an additional software supply chain compromise,” wrote Mandiant’s research team in a new disclosure blog.
“It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation. Research on UNC4736 activity suggests that it is most likely linked to financially motivated North Korean threat actors.
“The use of software supply chain compromises also demonstrates that the regime-backed operators can leverage network accesses in creative ways to distribute malware, a certain degree of sophistication to develop modular malware, cross over into other verticals, and enable follow-on intrusion campaigns for a wide range of offensive operations aligned with North Korea’s regime interests and priorities,” they said.
A Trading Technologies spokesperson told Computer Weekly: “Given that this only came to our attention last week, we have not had the ability to verify the assertions in Mandiant’s report. What we do know with certainty is that 3CX is not a vendor or a customer of Trading Technologies. There is no business relationship between the two companies. We have no idea why an employee of 3CX would have downloaded X_TRADER.
“The X_TRADER software referenced in Mandiant’s report was a professional trading software package for institutional derivatives trading that was decommissioned in April 2020. Our clients received multiple communications over the 18-month sunset period notifying them that we would no longer support or service X_TRADER beyond April 2020.
“There was no reason for anyone to download the software given that TT stopped hosting, supporting and servicing X_TRADER after early 2020. We would also emphasise that this incident is completely unrelated to the current TT platform.”
Extensive support
Despite initial confusion and mixed messaging over the source of the attack, 3CX has been working extensively alongside Mandiant during its investigation. On 11 April, it released a new DesktopApp update focused entirely on shoring up its cyber resilience. It has also extended existing customer subscriptions by three months.
“We’ve been overwhelmed by the swell of support from our partners and customers who have actively supported us on the forums with practical advice and moral support. Thank you,” wrote 3CX CEO Nick Galea.
“To the countless security researchers and experts that have published information about the attack and have helped us and our customers navigate the attack, we are also truly thankful.”
3CX boasts thousands of customers all over the world, ranging from small businesses through to government and public sector organisations, all the way up to major enterprises.
The precise number of customers who may have been affected by downstream cyber attacks arising from the compromise has not been disclosed.