In what is described as the first known supply chain attack caused by another supply chain attack, leading security firm Mandiant is reporting that the recent breach of 3CX was caused by an earlier breach of futures trading platform Trading Technologies.
It is not clear why an employee of 3CX would have downloaded a piece of outdated trading software on the company’s internal network, but that appears to have been the source of the breach. Trading Technologies and 3CX have no business relationship or even any known contacts, and the trading software in question was deprecated in early 2020.
Double supply chain attack began with an odd piece of software
Trading Technologies is still in business, but the compromised piece of software (X_TRADER) had support discontinued in April 2020. However, a legacy download remained available at the Trading Technologies website until at least some point in 2022. It is not known exactly when this download was compromised, but a signed certificate used to insert the malware was slated to expire in October 2022. Mandiant believes that the 3CX employee downloaded the tainted software in April 2022.
Trading Technologies did not appear to be aware that this old download lingering on their website had been compromised by attackers. Once executed, the X_TRADER download would initiate a multi-stage piece of malware called VEILEDSIGNAL that targets Windows systems.
Mandiant has echoed earlier reporting that state-backed North Korean hackers, likely subsets of the central Lazarus hacking team, were ultimately behind the supply chain attacks. Mandiant specifically names a group referred to as “AppleJeus” as being directly involved, a squad that has been known to focus solely on stealing cryptocurrency. This also tracks with prior reporting that the 3CX hackers had combed through company clients specifically looking for those with some sort of crypto holdings.
While Trading Technologies was unwittingly hosting a malware download, the company was aware that it had been breached by North Korean hackers in early 2022. Google’s Threat Analysis Group has published a report that confirms the trading outfit was breached in February of that year. That breach is listed as having lasted for two days, so it is possible that the company swept the site for malware embedded in its files but missed this one deprecated download that was assumed to no longer be of public interest. If that is the case, the crypto-focused state-backed hackers may not have encountered a target worth moving on until a 3CX employee somehow downloaded it and deployed it on the company network. But it is also possible that they are lying in wait on other systems, as it is not uncommon for state-backed advanced persistent threat groups to have dwell times of months or even years.
Chris Hickman, CSO of Keyfactor, notes that code signing is an overlooked avenue of exploitation that was a key part of this attack chain: “In our software-driven world, trust is everything. To establish trust, developers and their organizations use a code signing certificate to prove the authenticity of a piece of software and guarantee that it comes from a legitimate source that hasn’t been tampered with. This in turn protects against attempts from third parties to alter any code, lets users know they can trust the software with their information, and creates a chain of trust for a smooth user experience. However, the assurance that a code signing signature offers is only as strong as the security used to both issue and store that certificate.”
“A typical use case for a code signing certificate includes issuing software for installation publicly – like what happened in the case of 3CX. Hackers can get malicious code if they can get into a developer workstation that has open access to the code signing certificate. Once that happens, the hackers can simply submit their software for signature and release. One of the most common challenges in protecting code signing certificates is a lack of visibility into and control over signing processes. Introducing technology that can centralize visibility and control to make it easy for the security team to audit everything, when combined with using a secure storage mechanism like an HSM, can go a long way toward easing this challenge,” added Hickman.
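The dependence on key custody that Hickman describes, shown as an added Go example that is not from the article or from any of the companies named: a signature verifies whenever the signer held the private key, so a trojanized installer re-signed with a stolen key passes the same check as the genuine release. The Ed25519 key pair, the installer bytes and the manifest of audited build digests are all constructed for the example; the manifest is an assumed second control of the kind the quote calls for, a central record of which builds actually went through the signing process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a downloader receives: installer bytes plus a detached signature.
type Release struct{ Artifact, Sig []byte }
// NewPublisherKey stands in for a vendor's code-signing key pair (constructed here).
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// SignRelease signs an installer with the publisher's private key.
func SignRelease(priv ed25519.PrivateKey, artifact []byte) Release {
	return Release{artifact, ed25519.Sign(priv, artifact)}
}
// Digest is the hex SHA-256 used as the key of the build manifest.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignatureValid is the only check most installers perform: it proves the
// signer held the key, not that the build came out of the vendor's pipeline.
func SignatureValid(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Artifact, r.Sig)
}

// ReleaseApproved adds an independent control: every build that passed the
// audited signing pipeline has its digest recorded in a manifest, so a
// validly signed artifact that is missing from it was signed out of band.
func ReleaseApproved(pub ed25519.PublicKey, r Release, manifest map[string]bool) bool {
	return SignatureValid(pub, r) && manifest[Digest(r.Artifact)]
}

func main() {
	pub, priv := NewPublisherKey()
	good := SignRelease(priv, []byte("installer v1 (constructed)"))
	manifest := map[string]bool{Digest(good.Artifact): true}
	// An attacker holding the signing key re-signs a trojanized build.
	evil := SignRelease(priv, []byte("installer v1 + implant (constructed)"))
	fmt.Println(SignatureValid(pub, evil), ReleaseApproved(pub, evil, manifest)) // true false
}
```

The first value printed is the one a user's installer sees; the second is what a signing audit trail could have surfaced.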
Supply chain attacks now reproducing themselves
Mandiant chief technology officer Charles Carmakal said that this is the first time his firm has seen one supply chain attack used as the launchpad for another one, though Trading Technologies says that it is still investigating and it has not yet confirmed the details of the attack.
3CX has released a tool that helps clients to determine if they were breached in the supply chain attack, and has advised them to switch from the Electron desktop client to the progressive web application (PWA) Web Client App. It is still unknown how many 3CX customers were breached in this incident, and some security analysts believe that some may be compromised and not yet aware of it. 3CX has about 600,000 clients across the world, including some very high-profile customers, but only about 250,000 of those have the internet-connected telephony systems that are most likely impacted by this incident.
A number of recent studies have found that supply chain attacks are a hot segment of cyber crime, are sharply on the increase, and are now the leading source of data compromise. A recent study from the Identity Theft Resource Center found that the total number of victims was up 41.5% in 2022, but that data breach disclosures related to these attacks are becoming slower and more vague even as the threat increases. As larger organizations that have the IT resources and budgets to lock down their security become harder targets, criminals are increasingly looking at smaller suppliers that have some sort of privileged access to these systems.
The most famous and far-reaching examples of the supply chain attack, SolarWinds and Kaseya, took place from late 2020 to mid-2021 and served as a bellwether of criminal interest in the approach, particularly among the most advanced nation-state hacking groups. When advanced persistent threat groups breach an “upstream” supplier in this way, they are generally very selective about “downstream” targets and attempt to maximize dwell time and whatever value they are seeking (be it secrets or stolen funds).
James McQuiggan, security awareness advocate at KnowBe4, fully expects this trend to continue as smaller outfits struggle to keep pace in terms of security spending with many of the larger companies they service: “Companies continue to suffer data breaches due to a weakness in their third-party vendor’s access and security culture. Cybercriminals continue to target smaller organizations that service and support larger organizations in the hopes of infiltrating and planting malicious code in a software update or other trusted software from the target in the hopes of more significant attacks and more data breaches across all industries.”
“Organizations should continue to audit and evaluate their supply chain’s cybersecurity programs and culture and take the necessary measures to protect their sensitive data. By implementing robust cybersecurity criteria and facilitating collaboration, organizations must mitigate the risk of future attacks and protect their critical assets and data. As the cybersecurity landscape evolves, remaining vigilant and continually adapting to new threats will be crucial in maintaining a dependable defense against cybercriminals,” advised McQuiggan.