3CX’s supply chain attack was caused by… another supply chain attack

November 8, 2023

The incident responders investigating how hackers carried out a complex supply-chain attack targeting enterprise phone provider 3CX say the company was compromised by another supply chain attack.

3CX, which develops a software-based phone system used by over 600,000 organizations worldwide with more than 12 million active daily users, worked with cybersecurity company Mandiant to investigate the incident. In its report released on Thursday, Mandiant said that attackers compromised 3CX using a malware-laced version of the X_Trader financial software, developed by Trading Technologies.

X_Trader was a platform used by traders to view real-time and historical markets. Trading Technologies phased it out in 2020, but Mandiant says it was still available to download from the company’s website in 2022.

Mandiant said it suspects the Trading Technologies website was compromised by a group of North Korean state-backed hackers, which it refers to as UNC4736.

This is backed up by a report from Google’s Threat Analysis Group from last year, which confirmed that Trading Technologies’ website was compromised in February 2022 as part of a North Korean operation targeting dozens of cryptocurrency and fintech users. U.S. cybersecurity agency CISA says the hacking group has used its custom “AppleJeus” malware to steal cryptocurrency from victims in over 30 countries.

Mandiant’s investigation found that a 3CX employee downloaded a tainted version of the X_Trader software in April 2022 from Trading Technologies’ website, which the hackers had digitally signed with the company’s then-valid code signing certificate to make it look as if it was legitimate.

Once installed, the software planted a backdoor on the employee’s device, giving the attackers full access to the compromised system. This access was then used to move laterally through 3CX’s network and, eventually, to compromise 3CX’s flagship desktop phone app to plant information-stealing malware inside their customers’ corporate networks.

“This is notable to us because this is the first time we’ve ever found concrete evidence of a software supply chain attack leading to another supply chain attack,” said Mandiant’s chief technology officer Charles Carmakal. “This series of coupled supply-chain attacks just illustrates the increasing cyber offensive cyber capability by North Korean threat actors.”

Mandiant says it notified Trading Technologies about the compromise on April 11 but says it’s not known how many users are affected.

Trading Technologies spokesperson Ellen Resnick told TechCrunch that the company has not yet verified Mandiant’s findings, and reiterated that it stopped supporting the software in 2020.

Mandiant’s Carmakal added that it’s likely “many more victims” related to the two supply-chain attacks will become known in the coming weeks and months.

Source: techcrunch

Original link: https://techcrunch.com/2023/04/20/3cx-supply-chain-xtrader-mandiant/

