Prominent cyberattack investigator Mandiant disclosed findings Thursday that suggest the 3CX supply chain compromise had an unprecedented cause: A prior software supply chain attack.
The compromise in March of 3CX, a widely used communications software maker, has resembled some of the biggest cyberattacks to date, including the SolarWinds supply chain attack of 2020.
However, it now appears that the 3CX attack stands out even from the SolarWinds compromise, at least in one major respect. In a post Thursday, Mandiant said the 3CX campaign was made possible by an earlier supply chain attack, which had tampered with a software package distributed by a financial software firm, Trading Technologies.
“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” the incident response and threat intelligence firm, owned by Google Cloud, said in the post.
According to the Mandiant findings, 3CX was compromised after one of its employees downloaded Trading Technologies’ “X_TRADER” software in April of 2022. The installer for the software had been tampered with by a malicious actor, Mandiant said.
3CX, which had hired Mandiant to assist with the investigation, specified in its own postThursday that the employee installed the tainted software on their personal computer.
After the installation of the malicious software, “Mandiant determined that a complex loading process led to the deployment of VEILEDSIGNAL, a multi-stage modular backdoor, and its modules,” the firm said.
3CX, whose communications software includes the VoIP phone system app targeted in the attack, has said that its customer base totals more than 600,000 organizations, with sales exclusively through its network of 25,000 partners. Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.
CrowdStrike previously attributed the 3CX compromise to a North Korea-affiliated group that it calls Labyrinth Chollima, and 3CX had subsequently shared that Mandiant was attributing the attack to North Korea. In its post Thursday, Mandiant pinned the attack on UNC4736, which the firm called “a suspected North Korean nexus cluster of activity.”
Nick Galea, founder and CEO of 3CX, said in a post Thursday that the company is committing to a seven-step program to “harden our systems and minimize our risk of future attacks,” in the wake of the “first-of-a-kind, cascading software-in-software supply chain attack.”
Galea previously disclosed that it’s probable hundreds of thousands of customers did actually download the malicious version of the vendor’s VoIP phone system software.
However, researchers have noted that the 3CX compromise was caught in weeks rather than months — as had been the case with the SolarWinds supply chain breach — which appears to have limited the impact from the attack on 3CX and its end customers.