Supply Chain Attack Blamed for Triggering 3CX Breach, Thousands of User Accounts Compromised

According to cybersecurity company Mandiant, the recent 3CX supply chain attack, which involved the abuse of popular voice-over-internet-protocol (VOIP) software, was triggered by an earlier supply chain attack against Trading Technologies’ futures trading software.

The researchers suspect that the attackers distributed malware through Trading Technologies’ software to pave the way for the 3CX attack. The initial attack allowed the perpetrators to spread a malicious payload through 3CX and compromise thousands of user accounts.

Mandiant assisted 3CX in its investigation of the recent supply chain attack, has revealed that the malicious installer for Trading Technologies’ X_TRADER software was responsible for deploying a multi-stage modular backdoor named VEILEDSIGNAL.

The backdoor was designed to execute shellcode, inject a communication module into web browsers like Chrome, Firefox, or Edge, and terminate itself. Mandiant discovered that the attackers, tracked as UNC4736, stole corporate credentials from an employee’s personal computer and used them to move laterally through 3CX’s network, eventually breaching both the Windows and macOS build environments.

The attackers then deployed the TAXHAUL launcher and COLDCAT downloader on the Windows build environment, which persisted through DLL hijacking for the IKEEXT service and ran with LocalSystem privileges.

The cybersecurity firm has revealed that the macOS build server was compromised with the POOLRAT backdoor, which used LaunchDaemons as a persistence mechanism, and achieved persistence through DLL side-loading. The malware granted attackers remote access to all compromised devices over the internet. Mandiant has also associated UNC4736 with two clusters of APT43 suspected malicious activity, UNC3782 and UNC4469.

3CX Phone System, which has over 12 million daily users and is used by more than 600,000 businesses globally, including high-profile organizations such as McDonald’s, Coca-Cola, and American Express was compromised in a supply chain attack, according to Mandiant.

The cybersecurity firm said this was the first software supply chain compromise to have led to another software supply chain compromise, demonstrating the potential reach of this type of attack, especially when a threat actor can chain intrusions as demonstrated in this investigation.