3CX’s supply chain attack was caused by… another supply chain attack


May 5, 2023 - 12:00

The incident responders investigating how hackers carried out a complex supply-chain attack targeting enterprise phone provider 3CX say the company was compromised by another supply chain attack.

3CX, which develops a software-based phone system used by more than 600,000 organizations worldwide with more than 12 million active daily users, worked with cybersecurity company Mandiant to investigate the incident. In its report released on Thursday, Mandiant said that attackers compromised 3CX using a malware-laced version of the X_Trader financial software, developed by Trading Technologies.

X_Trader was a platform used by traders to view real-time and historical markets, which Trading Technologies phased out in 2020, but which Mandiant says was still available to download from the company’s website in 2022.

Mandiant said it suspects the Trading Technologies website was compromised by a group of North Korea state-backed hackers, which it refers to as UNC4736.

This is backed up by a report from Google’s Threat Analysis Group from last year, which confirmed that Trading Technologies’ website was compromised in February 2022 as part of a North Korean operation targeting dozens of cryptocurrency and fintech users. U.S. cybersecurity agency CISA says the hacking group has used its custom “AppleJeus” malware to steal cryptocurrency from victims in over 30 countries.

Mandiant’s investigation found that a 3CX employee downloaded a tainted version of the X_Trader software in April 2022 from Trading Technologies’ website, which the hackers had digitally signed with the company’s then-valid code-signing certificate to make it look as if it was legitimate.

Once installed, the software planted a backdoor on the employee’s device, giving the attackers full access to the compromised system. This access was then used to move laterally through 3CX’s network and, eventually, to compromise 3CX’s flagship desktop phone app to plant information-stealing malware inside their customers’ corporate networks.

“This is notable to us because this is the first time we’ve ever found concrete evidence of a software supply chain attack leading to another supply chain attack,” said Mandiant’s chief technology officer Charles Carmakal. “This series of coupled supply-chain attacks just illustrates the increasing cyber offensive cyber capability by North Korean threat actors.”

Mandiant says it notified Trading Technologies about the compromise on April 11 but says it’s not known how many users are affected.

Trading Technologies spokesperson Ellen Resnick told TechCrunch that the company has not yet verified Mandiant’s findings, and reiterated that it stopped supporting the software in 2020.

Mandiant’s Carmakal added that it’s likely “many more victims” related to the two supply-chain attacks will become known in the coming weeks and months.
