An investigation of the 3CX supply chain attack established that the breach was made possible by a previous supply chain attack. Mandiant researchers propose that the attackers initially distributed malware through software from Trading Technologies: the earlier compromise began with a tampered installer for X_TRADER, a software package provided by Trading Technologies.
The tampered installer then deployed VEILEDSIGNAL, a multi-stage modular backdoor, on targeted systems. 3CX was one of many victims infected via the X_TRADER installer. The attackers behind the operation are believed to be North Korean.
CrowdStrike and Sophos noted malicious activity coming from 3CX infrastructure on March 29, including beaconing to threat-actor-controlled infrastructure and “hands-on-keyboard activity.” 3CX confirmed on March 30 that it suffered a supply chain attack. Initially, the source of the attack was unknown.
Threat intelligence firm and Google Cloud subsidiary Mandiant published a blog post stating that the original point of compromise was neither 3CX nor FFmpeg, but a malware-infested version of “X_Trader,” a defunct software package published by financial trading software vendor Trading Technologies. The blog indicated that this was the first time Mandiant had observed a software supply chain attack leading to another software supply chain attack. Although the X_Trader version that the 3CX employee had installed was discontinued in 2020, the blog said, “it was still available for download from the legitimate Trading Technologies website in 2022.”
Mandiant said 3CX was initially breached through its build server and that the threat actor used a publicly available fast reverse proxy to move within the victim network. The firm attributed both the 3CX breach and the alleged X_Trader compromise to a nation-state threat actor affiliated with North Korea, tracked as UNC4736. Further technical details are available in the blog post.