Software Maker 3CX Was Compromised in First-of-its-Kind Threaded Supply-Chain Hack - Updated
Hackers first compromised a different software maker and embedded malware in one of its programs. 3CX got compromised when a worker downloaded that program. It's not known why the worker downloaded it.
Nearly three years ago the hack of SolarWinds set a new milestone in how attackers conduct supply-chain hacks to distribute malware. That operation involved hackers from Russia compromising SolarWinds’ build server — a method not seen before — to embed a backdoor in the company’s software to infect its customers.
Now the security firm Mandiant says a new milestone in supply-chain attacks has been set. It says 3CX — whose software was recently compromised by hackers to infect 3CX customers — was itself hacked through infected software that a 3CX employee downloaded from the web site of trading software company, Trading Technologies, last year.
“This is the first time that we’ve ever found concrete evidence of a software supply-chain attack leading to another software supply-chain attack,” Charles Carmakal, CTO of Mandiant’s consulting group, said in a call with reporters yesterday before publicly announcing the news this morning. “This is very big and very significant to us.”
It’s not clear yet how widespread the hacking campaign is, but the daisy-chain nature of the breach demonstrates the potential for attackers to conduct threaded supply-chain hacks that string infections through several software suppliers — each one leading to a compromise of another software maker and their customers.
Mandiant, which investigated the breach of 3CX and has provided technical details in a blog post, attributes the operation to financially-motivated North Korean state-sponsored hackers that Mandiant calls UNC4736.
The telephony company 3CX makes popular VoIP software — Electron Desktop Application — for live chat, video conferencing and voice calls that is used by more than 600,000 organizations in 190 countries. Among its customers are AirFrance, American Express, BMW, ClubMed, Holiday Inn, McDonald’s, Toyota, and the National Health Service in the UK.
On March 30th, the company revealed that several versions of its VoIP application had been compromised with malicious code that got distributed to customers. The issue was caught fairly quickly after security firms began detecting malware on the machines of 3CX customers, but an investigation revealed that the breach didn’t begin with 3CX. (I’ve put together a timeline here.)
The daisy-chain attack appears to have begun in 2021 when the hackers first compromised Trading Technologies and slipped a malicious backdoor into versions of the company’s X_Trader software program. Carmakal says he doesn’t know exactly when the hackers breached Trading Technologies, but in November 2021 they signed a tainted version of X_Trader with Trading Technologies’ digital certificate, suggesting that the breach began before this. The tainted X_Trader software was posted to the Trading Technologies web site in November 2021 and remained there for nearly a year.
Three months later, in February 2022, Google’s Threat Analysis Group (TAG) discovered that North Korean hackers had compromised Trading Technologies' web site — www.tradingtechnologies[.]com — and planted hidden exploit code on it to infect visitors to the site. The TAG team evidently was unaware that at the same time the site was also serving tainted versions of the X_Trader software to anyone who downloaded that program.
Although Trading Technologies had discontinued developing and distributing the X_TRADER software in April 2020, the software was available on the company’s web site in 2022 when the 3CX employee downloaded and installed it on his personal computer. Mandiant doesn’t know exactly when the employee downloaded the program or why they downloaded it.
3CX did not respond to an inquiry from Zero Day.
The tainted software installed a backdoor on the employee’s computer, giving the attackers full administrator and system-level rights over the system. The hackers then stole the employee’s work credentials, which gave them administrator-level access to 3CX’s system as well.
Once on the 3CX network, they accessed two build servers the company uses for compiling and signing Windows and MacOS versions of their software and slipped their backdoor into various versions of the 3CX application, which customers began downloading in March. Carmakal says his team doesn’t know how many 3CX customers downloaded the tainted software.
After the backdoor got installed on customer machines, the hackers used it to communicate with those systems and decide which ones they wanted to hack further. They then installed additional malware on victims they wanted to target. So far the only victims publicly identified who got additional malware are cryptocurrency firms — companies that could potentially provide the attackers with financial gains. There’s currently no evidence, however, that the hackers actually stole cryptocurrency from these victims before the campaign was discovered.
“We haven’t seen direct monetization of these intrusions [yet],” says Ben Read, head of Mandiant Cyber Espionage.
Carmakal says they expect “many more victims” will be discovered among the customers of Trading Technologies and 3CX, now that news of the compromised software programs is public. But it’s not clear if anyone other than the 3CX employee downloaded the tainted X_Trader software.
Mandiant informed Trading Technologies on April 11 that its X_Trader software had been compromised, but the software maker says it has not had time to investigate and verify Mandiant’s assertions.
A company spokesperson hit back at Mandiant’s characterization of the compromise as a supply-chain attack.
Trading Technologies was not a supplier of software to 3CX — the two companies have no relationship to one another, the spokesperson said — and the X_Trader software had been decommissioned in April 2020, a year before the hackers allegedly embedded malware in it and two years before the 3CX employee downloaded the tainted software. The company hadn’t released new versions of the software since that time and had stopped providing support for the product, making it a less-than-ideal vector for the North Korean hackers to infect customers.
"The X_TRADER software … was a professional trading software package for institutional derivatives trading,” the spokesperson wrote in an email. “Our clients received multiple communications over the 18-month sunset period notifying them that we would no longer support or service X_TRADER beyond April 2020. There was no reason for anyone to download the software given that TT stopped hosting, supporting and servicing X_TRADER after early 2020.”
What’s more, the company told Zero Day, X_Trader was a “very niche” software that was part of a professional platform used by banks and their clients for futures-trading. It required a Trading Technologies account to use it, and there were no retail customers of the product even before it was de-commissioned in 2020.
As for the 3CX employee who downloaded it, Trading Technologies’ spokesperson said there was no logical reason for them to have obtained the software — either for work or personal use.
“We have no idea why an employee of 3CX would have downloaded X_TRADER,” she wrote.
Symantec revealed on Friday, after this story published, that at least two critical infrastructure organizations in the energy sector — one in the US and one in Europe — were also infected with the compromised X_Trader software. And two organizations involved in financial trading were infected as well.
All four of them were compromised with the software between September and November 2022, according to Vikram Thakur, technical director at Broadcom Software, Symantec’s parent company. Symantec only has telemetry data from its security software indicating that the malware was found on the systems of these organizations, but the company does not know if the hackers did anything inside those networks after they were infected.
But Trading Technologies said late Friday evening that the tainted software was available on their site from November 2021 to August 2022, which contradicts the timeline Symantec provided. It’s possible, however, that the Symantec customers who got infected didn’t immediately install the software after they downloaded it, which would explain why Symantec says they were infected after August.
Asked if they had determined how many people downloaded the tainted software, a company spokesperson wrote that “fewer than 100 individuals downloaded the compromised X_TRADER package” and they did so between November 1, 2021 and July 26, 2022. The company later told Zero Day that the confirmed number of individuals who downloaded the tainted software is 97.
All of those individuals have been notified and advised not to open the software if they haven’t done so already and to delete it immediately, the company said, noting that the investigation is ongoing.
Trading Technologies maintains a separate product that it hosts from its network but says that product was not compromised. The company also said the digital certificate used to sign the compromised X_Trader software was not used to sign any other product. The certificate has since expired but as of this week had not yet been revoked.
It’s not clear how the company’s build infrastructure was able to compile and sign a discontinued software product without anyone noticing.
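The point about the signing certificate above (expired, but not revoked) matters to anyone who has to decide whether a downloaded installer should still be trusted: a signature made while the certificate was valid, backed by a trusted timestamp, keeps verifying after the certificate expires, so only revocation would actually stop it. The following Go program is an added example written for this article; it is not code from 3CX, Trading Technologies or Mandiant. It constructs its own throwaway root CA, code-signing certificate, signed "installer" payload and CRL (all names, serials and dates are made up), then shows that the same package passes a chain check performed at signing time whether or not the certificate has since expired, and fails only once the CA publishes a CRL listing the signer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedPackage is a minimal stand-in for a signed installer: the bytes, a
// detached ECDSA signature, the signer's certificate and the signing time
// (assumed here to come from a trusted timestamping service).
type SignedPackage struct {
	Payload   []byte
	Signature []byte
	Cert      *x509.Certificate
	SignedAt  time.Time
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildScenario constructs a root CA, a one-year code-signing certificate
// valid from 2021-11-01, and a package signed on 2021-11-15. Every key, name
// and date is invented for the example; nothing comes from a real vendor.
func BuildScenario() (*x509.Certificate, *ecdsa.PrivateKey, SignedPackage) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Vendor Root CA (constructed)"},
		NotBefore:             time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	signKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "Example Vendor Code Signing (constructed)"},
		NotBefore:    time.Date(2021, 11, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2022, 11, 1, 0, 0, 0, 0, time.UTC), // long expired by now
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := mustCert(leafTmpl, ca, &signKey.PublicKey, caKey)

	payload := []byte("constructed installer bytes")
	digest := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, signKey, digest[:])
	return ca, caKey, SignedPackage{payload, sig, leaf, time.Date(2021, 11, 15, 0, 0, 0, 0, time.UTC)}
}

// BuildCRL issues a CRL from the CA listing the given serial numbers as revoked.
func BuildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		panic(err)
	}
	return crl
}

// VerifyPackage checks the signature, validates the chain at the timestamped
// signing time (so a certificate that merely expired later still passes, as
// code-signing verifiers do), and then rejects the package if the CRL lists
// the signer. Expiry and revocation are independent: only revocation catches
// a certificate the vendor has stopped trusting. Any listing is treated as
// fatal here, a deliberately conservative choice.
func VerifyPackage(pkg SignedPackage, ca *x509.Certificate, crl *x509.RevocationList) (bool, string) {
	digest := sha256.Sum256(pkg.Payload)
	if !ecdsa.VerifyASN1(pkg.Cert.PublicKey.(*ecdsa.PublicKey), digest[:], pkg.Signature) {
		return false, "signature does not match payload"
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: pkg.SignedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := pkg.Cert.Verify(opts); err != nil {
		return false, "chain invalid at signing time: " + err.Error()
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, "CRL not signed by CA: " + err.Error()
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(pkg.Cert.SerialNumber) == 0 {
			return false, fmt.Sprintf("signer serial %s revoked on %s", rc.SerialNumber, rc.RevocationTime.Format("2006-01-02"))
		}
	}
	return true, "trusted: chain valid at signing time and signer not revoked"
}

func main() {
	ca, caKey, pkg := BuildScenario()
	ok, why := VerifyPackage(pkg, ca, BuildCRL(ca, caKey))
	fmt.Println("expired, not revoked:", ok, why)
	ok, why = VerifyPackage(pkg, ca, BuildCRL(ca, caKey, pkg.Cert.SerialNumber))
	fmt.Println("expired and revoked: ", ok, why)
}
```

Running it prints a trusted verdict for the first call even though the constructed certificate expired in 2022, and a revoked verdict only after the CA lists serial 4242. Real Authenticode and Apple code-signing checks work the same way in principle: the verifier evaluates the chain at the timestamp, so the operational control is publishing the revocation, not waiting for expiry.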
The spokesperson said it will take time to conduct a full investigation because after the company de-commissioned the software in 2020, they “literally turned off everything that was running it…. It’s not as though we have the ability to go and look at servers now and see what’s happened. It’s an extreme challenge to us."
Update 4.21.23 11 am PST: Story has been updated to add new information from Symantec about new victims infected with the X_Trader software and to provide a statement from Mandiant.
Update 8 pm PST: To add comment from Trading Technologies about the number of people who downloaded the tainted software and the months that it was available on the company’s web site.
Update 4.20.23: This story has been updated to clarify how much time passed between the time Trading Technologies de-commissioned the X_Trader software and the time the hackers embedded their malware in the program.
Related coverage:
Hackers Last Year Conducted a ‘Dry Run’ of SolarWinds Breach
SolarWinds Hack Infected Critical Infrastructure
Government Monitoring Won’t Stop the Next SolarWinds Campaign, Experts Say
Mind the Gap: How the NSA Might Use SolarWinds Campaign to do Warrantless Spying