Cascading Supply Chain Attack: 3CX Hacked After Employee Downloaded Trojanized App

More information was made available on Thursday about the recent 3CX hack, and it turns out that the incident was what cybersecurity experts are calling a cascading software supply chain attack. 

The hack came to light in late March, after 3CX customers started complaining that various cybersecurity products had been triggering warnings for the company’s software.

An investigation revealed that hackers had compromised 3CX’s Windows and macOS build environments and used their access to push trojanized software to the company’s customers. 

Mandiant, which helped 3CX investigate the breach, found that the business communication company’s systems were penetrated after an employee downloaded on their personal computer a trojanized installer for the X_Trader trading software from Trading Technologies. 

The X_Trader application was retired in 2020, but it was still available on the company’s website. The malicious version, which the employee downloaded sometime in 2022, was signed with a certificate that was valid until October 2022. 

The malicious X_Trader app delivered a malware named VeiledSignal, which gave the attackers administrator-level access to the 3CX employee’s device. The attackers were able to obtain corporate credentials belonging to the employee, which gave them access to 3CX systems.

Once inside 3CX’s network, they harvested credentials, moved laterally, and deployed other malware to compromise Windows and macOS build environments. This later allowed them to push malware to 3CX customers. 

The other malware families involved in the attack are tracked by Mandiant as TaxHaul, ColdCat, PoolRat, and IconicStealer. IconicStealer is a third-stage payload that was served to some 3CX customers, allowing the hackers to steal browser data. CISA has published a malware analysis report for IconicStealer.

Cybersecurity companies reported shortly after the incident came to light that the attack was likely conducted by North Korean threat actors, specifically ones whose goal is to make a profit by targeting cryptocurrency firms.

Mandiant has confirmed that a North Korean threat actor, one that it tracks as UNC4736, which appears to be linked to the financially motivated operation dubbed AppleJeus, is behind the attack. 

Interestingly, Google reported in March 2022 that the Trading Technologies website had been compromised by North Korean threat actors as part of operation AppleJeus and set up to serve malware. 

It’s unclear exactly when 3CX’s systems became compromised. Earlier third-party reports estimated that the breach occurred sometime in the fall of 2022, but the new information suggests that it may have been much earlier.

Google’s security researchers saw the Trading Technologies website serving malware in February 2022, and 3CX said that the first unauthorized access to its network, via a VPN, occurred two days after the employee’s credentials were obtained by the hackers. 

“Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea’s interests.,” Mandiant said.

Both Mandiant and 3CX have made available additional indicators of compromise (IoCs) that were uncovered during the investigation. 

SecurityWeek has compiled a list of information and tools that can be useful to defenders. Also check out our additional coverage of the 3CX supply chain hack.  

Related: Mandiant Catches Another North Korean Gov Hacker Group

Related: UN Experts: North Korean Hackers Stole Record Virtual Assets

Related: North Korean APT Expands Its Attack Repertoire