The 3CX compromise: a complex supply-chain attack.
Apr 21, 2023

The incident that affected 3CX was a complex supply-chain attack executed by a threat actor connected to a nation-state.

Mandiant reported this week that the exploitation of 3CX, a supply-chain attack, was itself enabled by a previous supply-chain attack. "In March 2023, Mandiant Consulting responded to a supply chain compromise that affected 3CX Desktop App software," the company's report said. "During this response, Mandiant identified that the initial compromise vector of 3CX’s network was via malicious software downloaded from Trading Technologies website. This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack." The attack is being attributed to UNC4736, generally regarded as a North Korean threat actor. Its activities have been related to the "financially motivated North Korean 'AppleJeus' activity as reported by CISA."

Initial infection and subsequent spreading.

As SecurityWeek explains in their 20 April article, “The business communication company’s (3CX) systems were penetrated after an employee downloaded on their personal computer a trojanized installer for the X_Trader trading software from Trading Technologies.” As Mandiant notes, “Although the X_TRADER platform was reportedly discontinued in 2020, it was still available for download from the legitimate Trading Technologies website in 2022.” The threat actors were thus able to use an employee’s stolen credentials to infiltrate the 3CX network and move laterally, collecting more credentials in the process. This allowed them to eventually compromise the Windows and macOS build environments. “This later allowed them to push malware to 3CX customers,” writes Mandiant.

Attribution to North Korean threat actors. 

These attacks have been widely attributed to UNC4736, which has been associated with the DPRK. Mandiant asserts “with moderate confidence that UNC4736 is related to financially motivated North Korean ‘AppleJeus’ activity as reported by CISA. This is further corroborated with findings from Google TAG who reported the compromise of www.tradingtechnologies [dot] com in February 2022, preceding the distribution of compromised X_TRADER updates from the site.” AppleJeus is a campaign by the Lazarus Group, a known DPRK cyber espionage group. Mandiant adds that this attack demonstrates “that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea’s interests.”

X_TRADER was signed as valid.

“The code signing certificate used to digitally sign the malicious software was set to expire in October 2022,” Mandiant says. The ability of hackers to hijack a seemingly legitimate business tool and use it as a springboard to infect companies with malware is alarming. Chris Hickman, CSO of Keyfactor, explained, “In our software-driven world, trust is everything. To establish trust, developers and their organizations use a code signing certificate to prove the authenticity of a piece of software and guarantee that it comes from a legitimate source that hasn’t been tampered with.” James McQuiggan, security awareness advocate at KnowBe4, said, “Cybercriminals continue to target smaller organizations that service and support larger organizations in the hopes of infiltrating and planting malicious code in a software update or other trusted software from the target in the hopes of more significant attacks and more data breaches across all industries.” McQuiggan also called for organizations to audit their own cyber security programs to protect sensitive data.

An attack on all is an attack on one. 

Another way to look at the problem, as Jeff Williams, the CTO and co-founder of Contrast Security, points out, is to view these two attacks on two supply chains as one attack on the extensive supply chain a company's software runs on. “It’s critical to ask your upstream suppliers about how well *their* supply chain (including build pipeline and development environments) is protected. Their supply chain is a part of *your* supply chain. The reality is that *all* the thousands of pieces of software your software depends on is critical to you -- including libraries, IDEs, plugins, test tools, build pipelines, and all the other software on any developers’ laptops. As someone who grew up swimming in rivers with nearby cattle farms, any upstream compromise taints everyone downstream.” (Let that unpleasant metaphor sink in.)