3CX’s supply chain attack was caused by… another supply chain attack

The incident responders investigating how hackers carried out a complex supply-chain attack targeting enterprise phone provider 3CX say the company was compromised by another supply chain attack.

3CX, which develops a software-based phone system used by over 600,000 organizations worldwide with more than 12 million active daily users, worked with cybersecurity company Mandiant to investigate the incident. In its report released on Thursday, Mandiant said that attackers compromised 3CX using a malware-laced version of the X_Trader financial software, developed by Trading Technologies.

X_Trader was a trading platform that gave traders real-time and historical market data. Trading Technologies phased it out in 2020, but Mandiant says it was still available to download from the company’s website in 2022.

Mandiant said it suspects the Trading Technologies website was compromised by a group of North Korean state-backed hackers, which it refers to as UNC4736.

This is backed up by a report from Google’s Threat Analysis Group from last year, which confirmed that Trading Technologies’ website was compromised in February 2022 as part of a North Korean operation targeting dozens of cryptocurrency and fintech users. U.S. cybersecurity agency CISA says the hacking group has used its custom “AppleJeus” malware to steal cryptocurrency from victims in over 30 countries.

Mandiant’s investigation found that a 3CX employee downloaded a tainted version of the X_Trader software in April 2022 from Trading Technologies’ website. The hackers had digitally signed the installer with the company’s then-valid code signing certificate to make it look as if it were legitimate.

Once installed, the software planted a backdoor on the employee’s device, giving the attackers full access to the compromised system. This access was then used to move laterally through 3CX’s network and, eventually, to compromise 3CX’s flagship desktop phone app in order to plant information-stealing malware inside 3CX customers’ corporate networks.

“This is notable to us because this is the first time we’ve ever found concrete evidence of a software supply chain attack leading to another supply chain attack,” said Mandiant’s chief technology officer Charles Carmakal. “This series of coupled supply-chain attacks just illustrates the increasing cyber offensive cyber capability by North Korean threat actors.”

Mandiant says it notified Trading Technologies about the compromise on April 11 but says it’s not known how many users are affected.

Trading Technologies spokesperson Ellen Resnick told TechCrunch that the company has not yet verified Mandiant’s findings, and reiterated that it stopped supporting the software in 2020.

Mandiant’s Carmakal added that it’s likely “many more victims” related to the two supply-chain attacks will become known in the coming weeks and months.

3CX’s supply chain attack was caused by… another supply chain attack by Carly Page originally published on TechCrunch

3CX blames North Korea for supply chain mass-hack

Enterprise phone provider 3CX has confirmed that North Korea-backed hackers were behind last month’s supply chain attack that appeared to target cryptocurrency companies.

3CX, which provides online voice, video conferencing and messaging services for businesses, worked with cybersecurity company Mandiant to investigate the attack. Hackers compromised the company’s desktop phone software, used by hundreds of thousands of organizations, to plant information-stealing malware inside 3CX customers’ corporate networks.

3CX chief information security officer Pierre Jourdan said on Tuesday that the investigation confirms that hackers linked to the North Korean regime were behind the attack.

“Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736,” Jourdan said. “Mandiant assesses with high confidence that UNC4736 has a North Korean nexus.”

Cybersecurity giant CrowdStrike last week linked the 3CX breach to hackers it calls Labyrinth Chollima, a subunit of the notorious Lazarus Group, which is known for stealthy hacks targeting cryptocurrency exchanges to fund its nuclear weapons program. Russia-based Kaspersky Lab also attributed the 3CX breach to North Korea.

Kaspersky said in its analysis of the attack that the hackers were seen deploying a backdoor, which it has named “Gopuram,” onto infected systems, noting that the attackers have “a specific interest in cryptocurrency companies.” Kaspersky added that Gopuram was deployed on fewer than ten machines, indicating that the attackers used this backdoor with “surgical precision.”

In a forum post last week, 3CX CEO Nick Galea said that the company is only aware of “a handful of cases” where malware has been triggered. However, the impact of the attack, along with how 3CX was compromised, remains unknown. 3CX claims to have over 600,000 business customers worldwide and more than 12 million active daily users.

3CX blames North Korea for supply chain mass-hack by Carly Page originally published on TechCrunch

There’s a new supply chain attack targeting customers of a phone system with 12 million users

Multiple security firms have sounded the alarm about an active supply chain attack that’s using a trojanized version of 3CX’s widely used voice and video-calling client to target downstream customers.

3CX is the developer of a software-based phone system used by more than 600,000 organizations worldwide, including American Express, BMW, McDonald’s and the U.K.’s National Health Service. The company claims to have more than 12 million daily users around the world.

Researchers from cybersecurity companies CrowdStrike, Sophos and SentinelOne on Wednesday published blog posts detailing a SolarWinds-style attack – dubbed “Smooth Operator” by SentinelOne – that involves the delivery of trojanized 3CXDesktopApp installers to install infostealer malware inside corporate networks.

This malware is capable of harvesting system information and stealing data and stored credentials from Google Chrome, Microsoft Edge, Brave, and Firefox user profiles. Other observed malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, “hands-on-keyboard activity,” according to CrowdStrike.

Security researchers report that attackers are targeting both the Windows and macOS versions of the compromised VoIP app. At present, it appears the Linux, iOS and Android versions are unaffected.

Researchers at SentinelOne said they first saw indications of malicious activity on March 22 and immediately investigated the anomalies, which led to the discovery that some organizations were trying to install a trojanized version of the 3CX desktop app that had been signed with a valid digital certificate. Apple security expert Patrick Wardle also found that Apple had notarized the malware, meaning the company had scanned it for malware and detected none.

3CX CISO Pierre Jourdan said on Thursday that the company is aware of a “security issue” impacting its Windows and MacBook applications.

Jourdan notes that this appears to have been a “targeted attack from an Advanced Persistent Threat, perhaps even state-sponsored” actor. CrowdStrike suggests that North Korean threat actor Labyrinth Chollima, a subgroup of the notorious Lazarus Group, is behind the supply-chain attack.

As a workaround, 3CX is urging its customers to uninstall the app and install it again, or alternatively to use its PWA client. “In the meantime we apologize profusely for what occurred and we will do everything in our power to make up for this error,” Jourdan said.

There are a lot of things we don’t yet know about the 3CX supply-chain attack, including how many organizations have potentially been compromised. According to Shodan.io, a site that maps internet-connected devices, there are currently more than 240,000 publicly exposed 3CX phone management systems.

There’s a new supply chain attack targeting customers of a phone system with 12 million users by Carly Page originally published on TechCrunch