Mandiant Consulting has announced that the recent software supply chain attack that compromised the 3CX desktop application was itself caused by a separate breach of a third-party stock trading application downloaded by a 3CX employee. The firm announced that an outdated and corrupted version of X_Trader, a software program used to trade stocks and futures, was the initial intrusion vector. The employee downloaded the software from the Trading Technologies website; the installer contained a backdoor similar to the one later found in 3CX’s desktop app, enabling the attackers to gain access to the employee’s computer and move laterally through 3CX’s network. The attackers then gained access to the Windows and Mac build environments for 3CX’s Electron-based desktop app, where they inserted the malicious code.
Mandiant's update marks the first time the firm has seen one supply chain compromise used to execute another. The attack bears similarities to a previous incident in 2020 involving the Russian SVR-linked hacking group, which was seen "poking around in source code environments and build environments" in a way that indicated a similar interest in potentially chaining together software supply chain attacks to infect a broader pool of victims downstream. Mandiant has not yet provided an estimate of the number of customers affected by the attack on 3CX, which has more than 600,000 companies as clients, including American Express, BMW, Air France, Toyota, IKEA, and others.
Mandiant has tentatively attributed the attack to a North Korea-nexus group that targeted cryptocurrency companies in previous campaigns. While Mandiant has not yet seen a downstream compromise that clearly indicates motive, it has assessed with "moderate confidence" that the activity is linked to the "AppleJeus" campaign, which targeted cryptocurrency exchanges and financial service companies in 32 countries, including the United States. These types of attacks underscore the growing sophistication of supply chain attacks and the importance of maintaining up-to-date software to avoid falling prey to them. Chris Hickman, CSO at Keyfactor, shared his insights on the attack: “In our software-driven world, trust is everything. To establish trust, developers and their organizations use a code signing certificate to prove the authenticity of a piece of software and guarantee that it comes from a legitimate source that hasn’t been tampered with. This in turn protects against attempts from third parties to alter any code, lets users know they can trust the software with their information, and creates a chain of trust for a smooth user experience. However, the assurance that a code signing signature offers is only as strong as the security used to both issue and store that certificate.
A typical use case for a code signing certificate includes issuing software for installation publicly – like what happened in the case of 3CX. Hackers can get malicious code signed if they can get into a developer workstation that has open access to the code signing certificate. Once that happens, the hackers can simply submit their software for signature and release.
One of the most common challenges in protecting code signing certificates is a lack of visibility into and control over signing processes. Introducing technology that centralizes visibility and control, making it easy for the security team to audit everything, when combined with a secure storage mechanism like an HSM, can go a long way toward easing this challenge.”
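As an added illustration of the visibility point above (example code written for this page, not 3CX's or Keyfactor's code): a policy check run over constructed audit records from a centralized signing service, flagging release signatures that were not requested by the pipeline identity, did not come from the approved build runner, or cover an artifact whose hash was never registered. It assumes such a service logs one JSON record per request and that expected artifact hashes are registered through a separate reviewed step; every name, address and hash below is constructed.

```python
import hashlib
import json

# Constructed sample data: artifact hashes that the release pipeline registered
# through a separate, reviewed step before any signing request was made.
EXPECTED_ARTIFACTS = {
    "desktop-app-win.msi": hashlib.sha256(b"constructed build A").hexdigest(),
    "desktop-app-mac.dmg": hashlib.sha256(b"constructed build B").hexdigest(),
}
APPROVED_REQUESTERS = {"ci-release-bot"}  # only the pipeline identity may sign releases
APPROVED_SOURCES = {"10.0.5.20"}          # assumed address of the build runner fronting the HSM

# Constructed signing-service audit log: one JSON object per line.
SIGNING_LOG = "\n".join(json.dumps(r) for r in [
    {"id": 1, "requester": "ci-release-bot", "src": "10.0.5.20",
     "artifact": "desktop-app-win.msi",
     "sha256": EXPECTED_ARTIFACTS["desktop-app-win.msi"]},
    # pipeline identity, but the artifact is not the registered build output
    {"id": 2, "requester": "ci-release-bot", "src": "10.0.5.20",
     "artifact": "desktop-app-mac.dmg",
     "sha256": hashlib.sha256(b"tampered build B").hexdigest()},
    # request from a developer workstation, as in the scenario described above
    {"id": 3, "requester": "dev-jsmith", "src": "10.0.7.44",
     "artifact": "desktop-app-win.msi",
     "sha256": hashlib.sha256(b"unknown payload").hexdigest()},
])


def audit_signing_log(log_text):
    """Return {request_id: [reasons]} for every signing request that violates policy."""
    findings = {}
    for line in log_text.splitlines():
        rec = json.loads(line)
        reasons = []
        if rec["requester"] not in APPROVED_REQUESTERS:
            reasons.append("requester is not the release pipeline identity")
        if rec["src"] not in APPROVED_SOURCES:
            reasons.append("request did not come from the approved build runner")
        expected = EXPECTED_ARTIFACTS.get(rec["artifact"])
        if expected is None:
            reasons.append("artifact name was never registered by the pipeline")
        elif expected != rec["sha256"]:
            reasons.append("artifact hash differs from the registered build output")
        if reasons:
            findings[rec["id"]] = reasons
    return findings


if __name__ == "__main__":
    for rid, reasons in audit_signing_log(SIGNING_LOG).items():
        print(f"signing request {rid}: " + "; ".join(reasons))
```

Requests 2 and 3 are flagged; request 1 passes because identity, source and registered hash all agree.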