According to Mandiant, the recent breach of VoIP giant 3CX was the result of a much earlier supply chain attack on a futures trading platform.
A breach of Trading Technologies by North Korean state-backed hackers, which took place in early 2022, left a piece of compromised software on the company's public-facing network; that software was later downloaded and run by someone within 3CX. It is not clear exactly how this unfolded (or why the employee was downloading outdated trading software at work), but the hackers likely had access to 3CX from mid-2022. The development has raised even greater concerns among the company’s numerous downstream clients.
First instance of one supply chain attack causing another, according to Mandiant
The information comes from a Mandiant report, which suggests that the security outfit has never before seen one supply chain attack be directly leveraged into another in this way. The issue should not impact Trading Technologies customers if they are using a modern version of the company’s software products, but 3CX customers should use a tool released by that company to determine if they have been breached. 3CX has also advised customers to stop using the Electron desktop client for the time being and move to the PWA Web Client app. At least 250,000 3CX clients are using products that may have been impacted by the incident.
Supply chain attacks are an increasingly common route by which individuals lose personal data, and this incident illustrates how a breach at one company can end up exposing data at any number of seemingly unrelated companies if the dominos fall just the right way. The compromise of just one employee can end up making its way to a service provider with thousands of downstream clients.
Outdated trading software, seemingly forgotten on company website, sparked 3CX breach
While Trading Technologies is still an active developer of trading software, an old product called X_TRADER was the source of the problem. X_TRADER was discontinued in April 2020 but remained available for download in 2022. That is when someone at 3CX seemingly encountered it, running the malware-laced software on the company network.
North Korean hackers are believed to have compromised Trading Technologies back in February 2022, and the tainted X_TRADER download seems to have been a piece of detritus left over from that incident that was never cleaned up. The 3CX employee came along to download it just about two months later.
As investigations continue, it is still unclear how far the 3CX supply chain attack reaches into the systems of its clients. It is known that the hackers were focused on stealing cryptocurrency, and prioritized clients that they believed might have crypto wallets on hand. The rogue X_TRADER software may also yet pop up somewhere else, so all organizations should scan their internal assets for it. The incident should also be a prompt to scan for outdated or misplaced code signing certificates, a key element that made the initial Trading Technologies step of the supply chain attack possible.