An employee who downloaded an infected application onto their own PC is being blamed for last month’s compromise of the 3CX VoIP desktop client.
In a report issued today, 3CX said the results of an investigation by Mandiant showed the incident started last year, when a 3CX employee downloaded and installed an infected version of Trading Technologies’ X_Trader software onto their personal computer.
Although the X_Trader installation software came from the Trading Technologies website, it contained malware called VeiledSignal that enabled the threat actor — which Mandiant calls UNC4736 and is believed to be linked to North Korea — to initially compromise and maintain persistence on the employee’s personal computer.
That installer was digitally signed by a valid code signing certificate with the subject of “Trading Technologies International, Inc”. While the X_Trader software was reportedly retired in 2020 by Trading Technologies, the software was still available for download on the company’s website. The code signing certificate used to digitally sign the malicious software was set to expire in October 2022.
Following the initial compromise of the employee’s personal computer using VeiledSignal malware, the threat actor stole the employee’s 3CX corporate credentials from their system and went on to compromise both the Windows and macOS build environments of the 3CX app.
In short, a supply chain compromise of the trading app led to the supply chain compromise of the 3CX app. Both applications were signed with legitimate code signing certificates.
VeiledSignal, Mandiant said, is a fully featured malware that provided the threat actor with administrator-level access and persistence on the compromised system.
The earliest evidence of compromise uncovered within the 3CX corporate environment occurred through the VPN, using the employee’s corporate credentials, two days after the employee’s personal computer was compromised.
The attacker used the Fast Reverse Proxy tool to move laterally through the 3CX environment, harvesting credentials along the way. Eventually the threat actor was able to compromise both the Windows and macOS 3CX build environments. On the Windows build environment, Mandiant said, the attacker deployed the Taxhaul launcher and ColdCat downloader, which persisted by performing DLL hijacking against the IKEEXT service and therefore ran with LocalSystem privileges. The macOS build server was compromised with a PoolRat backdoor that used LaunchDaemons as its persistence mechanism.
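As an added defender-side check, not taken from the 3CX or Mandiant report, the following PowerShell script audits the DLLs loaded into the IKEEXT service host and flags any that are not validly signed or do not live under System32; the service name comes from the report, while the signer check and paths are this example's own assumptions.

```powershell
# Added example (not from the 3CX or Mandiant report): list the modules mapped into the
# svchost.exe that hosts IKEEXT and flag anything that looks out of place for a
# LocalSystem service. Assumes it runs elevated on Windows; the service name IKEEXT is
# the one named in the report.

$svc = Get-CimInstance Win32_Service -Filter "Name='IKEEXT'"
if (-not $svc -or $svc.State -ne 'Running') {
    Write-Warning "IKEEXT is not running; start the service or review its DLL search path offline."
    return
}

# IKEEXT runs inside svchost.exe; enumerate every module that process has loaded.
$modules = (Get-Process -Id $svc.ProcessId).Modules |
    Select-Object -ExpandProperty FileName -Unique

$findings = foreach ($path in $modules) {
    $sig        = Get-AuthenticodeSignature -FilePath $path
    $inSystem32 = $path -like "$env:SystemRoot\System32\*"
    $signer     = $sig.SignerCertificate.Subject
    # A hijacked DLL is typically either unsigned, signed by someone other than
    # Microsoft, or planted outside the expected System32 location.
    if ($sig.Status -ne 'Valid' -or -not $inSystem32 -or $signer -notlike '*Microsoft*') {
        [pscustomobject]@{
            Path      = $path
            SigStatus = $sig.Status
            Signer    = $signer
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "All modules loaded by IKEEXT are validly Microsoft-signed and located under System32."
}
```

Third-party EDR or antivirus hooks injected into service processes will also be listed, so treat the output as a review queue rather than an automatic verdict; as the X_Trader case shows, a valid signature on its own is not proof that a file is benign.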
At the same time as it released this report, 3CX also published a seven-step action plan to beef up its security. It includes hardening network security, revamping application build security, identifying product vulnerabilities, performing ongoing penetration tests and establishing a new department for network operations and security.
“The fact that we’re seeing software supply chain attacks as the root cause of another, as seen in the ongoing 3CX incident, should raise alarm bells about the ripple effect of poor software supply chain management,” said Ilkka Turunen, field CTO of Sonatype. “Not only are we seeing poisoning of commercial software, threat actors are also employing increasingly sophisticated ways to abuse open source ecosystems like GitHub to host seemingly benign files – which raise no obvious red flags and are initially cleared by most antivirus products but open the window for infiltration in minutes.
“This isn’t just 3CX’s or Trading Technologies’ problem – the buck stops with each and every organization today to employ security and monitoring tools to proactively safeguard their software supply chains before any threats enter them.
“It’s important to emphasize that software supply chain attacks have gone up 742 per cent over the past three years,” he added. “Open source repos in particular are going to be an attractive target to adversaries, because any system that’s open to the public is open to them too. Every organization needs a proactive strategy to defend against this type of attack, as they will continue to happen.”