3CX Software Supply Chain Attack: How it Started

New information has come to light regarding the 3CX supply chain attack. Mandiant, the Google Cloud-associated firm that performed after-action analysis for 3CX, found that the attack originated from an earlier supply chain attack on Trading Technologies Inc. The X_TRADER software package appears to be the source of the initial compromise, which was then propagated into the infected 3CX update that Todyl originally detected on March 22nd.

What is X_TRADER?

Reportedly discontinued in 2020, the X_TRADER software package, when run, kicked off a backdoor dubbed VEILEDSIGNAL. This, in turn, resulted in a multi-module deployment of DLLs that would implant data, write shellcode, and then self-terminate. It’s important to note the similarities of this attack to the one carried out on 3CX.

Drilling into 3CX: How it happened

Mandiant’s CTO, Charles Carmakal, reported that the attack spread to 3CX when an employee downloaded the malicious X_TRADER, which activated its backdoor and silently took over their system. It then worked its way laterally through 3CX’s network, gaining access to their Electron build environments and inserting its code into the upcoming desktop app update.

This “daisy chain”-style attack is an intriguing one in that the initial supply chain attack on Trading Tech led to an end user getting compromised, which then led to another supply chain attack on 3CX. This is the first time Mandiant has analyzed such an attack.

From Mandiant, here are the associated domains and hashes:


How Todyl addresses the attacks

From Todyl’s perspective, the tactics, techniques, and procedures (TTPs) used in the initial attack on Trading Tech were very similar to those used in the 3CX attack. The same DLL injection used in the 3CX attack applies here, as well as the SIGFLIP and SIGLOADER TTPs.

As with the 3CX attack, the Todyl Platform detects and prevents any malicious activity associated with the attack originating from X_TRADER. We immediately threat-hunted globally and identified several cases of the X_TRADER software being used across our user base. In doing so, we found expired certificates from Trading Tech actively present on the endpoints of Todyl users. We did not, however, find any IOCs on said endpoints. Todyl MXDR has notified and is directly working with those users to remedy the issue. We have also added all associated IOCs to the Todyl platform and performed additional threat hunting to find any IP addresses, domain names, hashes, and certificates associated with the attack.

For now, the MXDR team at Todyl recommends removing this application until additional details are available to help understand the risk associated with this file. If the application is critical to business function, we suggest upgrading to the latest version available. Additionally, we recommend continuing to hunt and block IOCs related to the attack.
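The hunt described above (X_TRADER binaries, expired Trading Technologies signing certificates, and hash IOCs on an endpoint) can be approximated with the following PowerShell script. It is an added example, not Todyl's platform code; the scan root, the IOC file (one MD5 per line, taken from a vendor advisory) and the signer-name match are assumptions you should adjust.

```powershell
# Added example, not Todyl tooling. Hunts a directory tree for (a) files whose MD5
# appears in an IOC list and (b) binaries signed by Trading Technologies, flagging
# expired signing certificates. Paths and the IOC file name are placeholders.
param(
    [string]$Root = 'C:\Program Files',      # assumed scan root
    [string]$IocHashFile = '.\ioc_md5.txt'   # assumed: one MD5 per line from an advisory
)

# Load IOC hashes into a lookup table, ignoring anything that is not a 32-hex MD5.
$iocHashes = @{}
if (Test-Path $IocHashFile) {
    Get-Content $IocHashFile | ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ -match '^[0-9a-f]{32}$' } |
        ForEach-Object { $iocHashes[$_] = $true }
}

$findings = @()
Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $md5 = (Get-FileHash -Path $file.FullName -Algorithm MD5).Hash.ToLower()
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    $signer = if ($cert) { $cert.Subject } else { '' }
    # An expired certificate is what the hunt above found on affected endpoints.
    $expired = $cert -and ($cert.NotAfter -lt (Get-Date))

    $reasons = @()
    if ($iocHashes.ContainsKey($md5)) { $reasons += 'MD5 matches IOC list' }
    if ($signer -match 'Trading Technologies') {   # assumed signer name pattern
        $reasons += if ($expired) { 'expired Trading Technologies certificate' }
                    else { 'signed by Trading Technologies' }
    }
    if ($reasons.Count -gt 0) {
        $findings += [pscustomobject]@{
            Path            = $file.FullName
            ProductVersion  = $file.VersionInfo.ProductVersion   # for the upgrade decision
            MD5             = $md5
            Signer          = $signer
            SignatureStatus = $sig.Status
            CertNotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            Reason          = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

A hit on the signer alone is an inventory result, not proof of compromise; compare the reported hash and version against the vendor advisory before removing or upgrading the application.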

We will remain vigilant as any new information arises over the coming days. Our Research and Detection Engineering teams are continuing to monitor for similar IOCs, as there are likely other companies impacted by these attacks.
