
3CX video conferencing supply chain attack more complex than first thought

Last month a popular desktop video conferencing app was found to be hiding a trojan that could install a malicious backdoor into compromised systems.

David Hollingworth
Fri, 21 Apr 2023

But it seems that that incident was just the second stage of a remarkable and quite possibly unique two-tier supply chain attack.

At the time, 3CX, the developers of the Electron video app, thought that someone had targeted them directly — most likely a state-sponsored actor. In fact, according to Kaspersky, it was the North Korean Lazarus group.

“The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via Git,” said Pierre Jourdan, 3CX’s chief information security officer, at the time.

But researchers at Mandiant, hired by 3CX to investigate the incident, have found that 3CX’s software was compromised by another, prior supply chain attack. Someone at 3CX had downloaded an apparently legitimate app from trading software provider Trading Technologies — an app that was itself compromised.

The software in question is called X_TRADER, and though the app has been discontinued, it is still available on Trading Technologies’ website. The Lazarus group had already compromised that software and had infected a range of victims — getting its backdoor installed on the machine of a software developer was likely just a matter of luck.

But once inside 3CX’s systems, the threat actor was able to steal an employee’s credentials, which, in turn, gave the threat actors access to 3CX’s own build environment.

“If you were starting from scratch and trying to intentionally target a company like 3CX, you would not go to Trading Technologies as an initial attack vector,” Marius Fodoreanu, Mandiant’s lead investigator on the incident, told Dark Reading.

“But once they figured out that they had access to a company that likely has a lot of customers, they decided to continue to move forward and compromise the environment and then compromise the software.”

A spokesperson for Trading Technologies has said there is no business relationship between them and 3CX, meaning it is possible that the download was for the personal use of someone within 3CX.

Mandiant has pointed out that investigating the initial breach of Trading Technologies’ systems, but that there are likely many other victims of that initial supply chain attack, as well as those affected by 3CX’s compromised software.

“The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise,” Mandiant said in a blog post.

“It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
