The attack that injected malicious code into the company's software appears to have been enabled by another compromised application.

At the end of March, an international VoIP software company called 3CX with over 600,000 business customers suffered a serious software supply-chain compromise that resulted in both its Windows and macOS applications being poisoned with malicious code. New evidence suggests the attackers, believed to be North Korean state-sponsored hackers, gained access to the company's network and systems as a result of a different software supply-chain attack involving a third-party application for futures trading.

"The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise," incident responders from cybersecurity firm Mandiant, which was contracted to investigate the incident, said in a report Thursday. "It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation."

The North Korean connection to the 3CX attack

The 3CX hack involved attackers compromising the company's internal software build servers for Windows and macOS after moving laterally through the company's network. As a result, they were able to inject malicious libraries into versions of the 3CX Desktop App for Windows and macOS and have them signed with the developer's certificate during the build process. The trojanized versions were then delivered as part of the update process. Windows versions 18.12.407 and 18.12.416, shipped in Update 7, were impacted, as well as macOS versions 18.11.1213, shipped with Update 6, and 18.12.402, 18.12.407 and 18.12.416, included in Update 7.
The trojanized Windows version deployed an intermediate malware downloader that Mandiant named SUDDENICON, which reaches out to a GitHub repository to obtain command-and-control (C2) addresses hidden inside icon files. The downloader then contacts the C2 server and deploys an information stealer dubbed ICONICSTEALER that collects application configuration data as well as browser history.

Researchers from Kaspersky Lab reported that in some cases the attackers deployed an additional backdoor program on 3CX victims. This backdoor is known as Gopuram and has been used in various attacks since 2020, including against cryptocurrency companies. North Korean state-sponsored hackers have been known to target cryptocurrency users and companies in recent years in what are believed to be efforts to raise money for the regime or to self-fund cyberespionage operations. Furthermore, Gopuram was found in the past on machines alongside AppleJeus, a backdoor attributed to the North Korean state-sponsored actor known as the Lazarus group.

Personal computer compromise led to 3CX breach

According to the latest findings from Mandiant, the hackers gained access to 3CX's network after one of the company's employees installed a futures trading platform called X_TRADER from Trading Technologies on their personal computer in 2022. It turns out that this software had been trojanized with a backdoor that Mandiant now calls VEILEDSIGNAL as part of a different software supply-chain attack.

The X_TRADER software was retired in 2020 by Trading Technologies but was still available for download from the company's website in 2022. The trojanized version was digitally signed with a certificate belonging to Trading Technologies and set to expire in October 2022.

The VEILEDSIGNAL backdoor provided the attackers with administrator-level access to the 3CX employee's computer and allowed them to steal his corporate credentials.
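The SUDDENICON downloader described earlier retrieves C2 addresses hidden inside icon files. One check an analyst can run over harvested icons is to parse the ICO directory, compute where the declared image data ends, and flag any bytes after that point. This is an added example, not code from the article, Mandiant or 3CX; it assumes the hidden data sits after the images the directory describes (the article does not say how the addresses were concealed), and all sample icons are constructed inline.

```python
import struct

ICONDIR_FMT = "<HHH"            # reserved, image type (1 = icon, 2 = cursor), image count
ICONDIRENTRY_FMT = "<BBBBHHII"  # width, height, colours, reserved, planes, bpp, size, offset
ICONDIR_SIZE = struct.calcsize(ICONDIR_FMT)            # 6 bytes
ICONDIRENTRY_SIZE = struct.calcsize(ICONDIRENTRY_FMT)  # 16 bytes


def ico_declared_end(data: bytes) -> int:
    """Offset one past the last image the ICO directory accounts for, or -1 if the header is not a valid ICO."""
    if len(data) < ICONDIR_SIZE:
        return -1
    reserved, img_type, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or img_type not in (1, 2) or count == 0:
        return -1
    end = ICONDIR_SIZE + ICONDIRENTRY_SIZE * count  # directory itself must fit
    if end > len(data):
        return -1
    for i in range(count):
        entry = struct.unpack_from(ICONDIRENTRY_FMT, data, ICONDIR_SIZE + ICONDIRENTRY_SIZE * i)
        size, offset = entry[6], entry[7]
        end = max(end, offset + size)
    return end


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the last declared image. Empty for a clean icon, a truncated file, or a non-ICO."""
    end = ico_declared_end(data)
    if end < 0 or end > len(data):  # not an ICO, or declared images overrun the file
        return b""
    return data[end:]


def build_ico(image_blob: bytes) -> bytes:
    """Constructed sample: a single-image ICO wrapping an arbitrary blob that stands in for pixel data."""
    header = struct.pack(ICONDIR_FMT, 0, 1, 1)
    first_image = ICONDIR_SIZE + ICONDIRENTRY_SIZE
    entry = struct.pack(ICONDIRENTRY_FMT, 16, 16, 0, 0, 1, 32, len(image_blob), first_image)
    return header + entry + image_blob


def scan_icons(files: dict) -> dict:
    """Map filename -> length of the trailing payload, for every icon that carries extra bytes."""
    return {name: len(trailing_bytes(blob)) for name, blob in files.items() if trailing_bytes(blob)}


if __name__ == "__main__":
    clean = build_ico(b"\x00" * 40)
    # constructed: base64-looking text appended after the only image
    tampered = clean + b"SGlkZGVuIGRhdGEgZ29lcyBoZXJl"
    print(scan_icons({"clean.ico": clean, "tampered.ico": tampered}))
```

A hit only says the file carries data the ICO structure does not account for; the trailing bytes still need to be examined before treating the icon as an indicator.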
Two days after the compromise, they used those credentials to connect to the company's network via VPN and began harvesting other credentials and moving laterally through the network. During this process they deployed an open-source tool called Fast Reverse Proxy (FRP) to maintain continued access within the network.

"Eventually, the attacker was able to compromise both the Windows and macOS build environments," the Mandiant incident responders said in their report. "On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL side-loading through the IKEEXT service and ran with LocalSystem privileges. The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism."

The TAXHAUL, COLDCAT and POOLRAT malware programs were described in more detail in a report with initial findings on April 11. An older version of POOLRAT was documented by CISA in 2021 in an advisory about the AppleJeus operation that involved another trojanized application called CoinGoTrade.

This incident highlights the risks of employees working and accessing corporate networks from personal computers on which they have administrative privileges. While the trojanized X_TRADER software might have evaded anti-malware detection regardless of whether it was installed on a personal or a business machine, on a corporate-issued computer employees typically shouldn't have the privileges required to install unauthorized software for personal use.

Cascading software supply-chain compromises

While this might be the first confirmed case where a supply-chain compromise led to another one, security researchers have been warning about this possibility for years, and there have been suspicions that it has happened before.
For example, a Chinese state-sponsored APT group known as APT41, Winnti, or Barium was responsible for a string of software supply-chain attacks that might have been connected to each other.

In 2017, the group compromised NetSarang, a company that makes server management software, and managed to trojanize one of its products. Later that year the group broke into the development infrastructure of CCleaner, a widely used system clean-up tool, and distributed poisoned versions of the tool to 2.2 million users. Two years later the same group broke into ASUSTeK Computer's systems and managed to push out trojanized updates of the ASUS Live Update Utility that comes preinstalled on many Windows computers manufactured by the company. Over 2,600 systems belonging to businesses received the malicious update.

The attackers were very selective with the secondary payloads delivered to victims of the CCleaner attack. They used the CCleaner backdoor to identify interesting targets and attempted to deploy specialized malware on machines belonging to high-profile technology companies including HTC, Samsung, Singtel, Sony, Intel, Vodafone, Microsoft, VMware, O2, Epson, Akamai, D-Link, Google, and Cisco. It's therefore possible that some of the subsequent supply-chain compromises, like the ASUS one, started out with either the NetSarang or the CCleaner incidents, though this has not been confirmed.

In 2020, when US software company SolarWinds had its popular enterprise network monitoring product Orion trojanized by the Russian state-sponsored APT29 and delivered as an update to thousands of systems across hundreds of organizations and federal agencies, one of the main concerns was that it could lead to additional software supply-chain compromises.
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger noted at the time that "the scale of potential access far exceeded the number of known compromises" because "many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions."