Mandiant: 3CX supply-chain attack began with another supply-chain attack

A suspected North Korean supply-chain attack on clients of the enterprise phone company 3CX began with another supply-chain attack via a third party, according to a new report by cybersecurity firm Mandiant.

In a blog post published Thursday, Mandiant reported that the initial compromise of 3CX’s network came “via malicious software” downloaded from the website of the software company Trading Technologies.

Mandiant said the incident was the first time it has seen a software supply-chain attack — when a threat actor compromises a victim’s network by gaining access to a trusted third party that is already present in the network — to another software supply-chain attack.

In this instance, the hackers used their access to a Trading Technologies product to gain access to 3CX’s network, where they then modified desktop apps so they could compromise the networks of 3CX’s clients and customers.

Trading Technologies provides a platform for users to trade financial instruments, including “futures, options, cryptocurrencies and more,” according to its website.

A spokesperson for the company told The Record: “Given that this only came to our attention last week, we have not had the ability to verify the assertions in Mandiant’s report.”

They said they could state “with certainty” that 3CX is “not a vendor or a customer of Trading Technologies” and that there is no business relationship between the companies.

“We have no idea why an employee of 3CX would have downloaded X_TRADER,” the spokesperson said, adding that the specific software referenced in Mandiant’s report “was a professional trading software package for institutional derivatives trading that was decommissioned in April 2020.”

“Our clients received multiple communications over the 18-month sunset period notifying them that we would no longer support or service X_TRADER beyond April 2020. There was no reason for anyone to download the software given that TT stopped hosting, supporting and servicing X_TRADER after early 2020,” they said.

“We would also emphasize that this incident is completely unrelated to the current TT platform,” the company’s spokesperson added.

3CX, which says it provides office phone systems to more than 600,000 companies globally, confirmed last month that suspected state-sponsored hackers had compromised its desktop apps for Windows and MacOS and bundled them with malware.

Earlier this month 3CX’s Chief Information Security Officer Pierre Jourdan, shared the interim assessment of the incident provided by Mandiant, attributing the hack to an entity Mandiant tracks as UNC4736 and assessing “with high confidence” a “North Korean nexus.”

Mandiant repeated this assessment on Thursday, saying UNC4736 “demonstrates varying degrees of overlap with multiple North Korean operators tracked by Mandiant Intelligence, especially with those involved in financially-motivated cybercrime operations.”

Cybersecurity firm CrowdStrike, which did not provide incident response services to 3CX, was the first to report that there was “suspected nation-state involvement” in the attack.

It attributed the 3CX breach to a group it calls Labyrinth Chollima and describes as “one of the most prolific” hacking groups based in North Korea. Other researchers refer to it as the Lazarus Group.

More evidence emerged supporting this attribution when Sophos said a tool the attacker used had previously been seen in incidents attributed to Lazarus — a financially motivated hacking organization that the FBI has linked to multiple cyber heists and allegedly is sponsored by the North Korean government.

“The code in this incident is a byte-to-byte match to those previous samples,” said Sophos in an updated blog post on the incident.

Cybersecurity experts fear that thousands of organizations could have been affected, including some of the largest companies and government agencies in the world.

The NHS has issued a cyber alert with a "High" severity ranking warning about the active intrusion campaign, telling healthcare organizations that “legitimate versions of 3CX DesktopApp have been compromised and are being actively exploited.