cyber security industry There has been a scramble in recent weeks to understand the origins and fallout of the breach at 3CX, a VoIP provider whose software was corrupted by hackers linked to North Korea in a supply chain attack that potentially killed hundreds of thousands of its customers. Eliminated malware. Cyber security firm Mandiant now has an answer to the mystery of how 3CX was penetrated by those state-sponsored hackers: The company was one of an untold number of victims infected with its corrupted software. one more company—a rare, or perhaps unprecedented, example of how a group of hackers used a software supply chain attack to outwit each other. Call it a supply-chain reaction.
Today, Mandiant revealed that patient zero was found to be responsible for the widespread hacking operation that affected a significant fraction of 3CX’s 600,000 customers. According to Mandiant, a 3CX employee’s PC was hacked through an earlier software-supply-chain attack that hijacked an application from financial software firm Trading Technologies, operated by the same hackers, Who had tied up with 3CX. The hacker group known as Kimsuki, Emerald Sleet or Velvet Chollima is widely believed to be operating on behalf of the North Korean regime.
Mandiant says the hackers somehow managed to insert backdoor code into an application available on Trading Technology’s website, known as X_Trader. That infected app, when it was later installed on a 3CX employee’s computer, allowed the hackers to spread their reach through 3CX’s network, access 3CX servers used for software development, and install the 3CX installer application. Contaminate, and infect a wide swath. According to Mandiant, its customers.
“This is the first time we have solid evidence of a software-supply-chain attack causing another software-supply-chain attack,” says Charles Carmichael, chief technology officer at Mandiant Consulting. “So it’s huge, and very important to us.”
Mandiant says it was not hired by Trading Technologies to investigate the original attack that exploited its X_Trader software, so it does not know how the hackers altered Trading Technologies’ application or how many victims—3CX Apart from – can be. Compromise of that trading app. The company noted that Trading Technologies stopped supporting X_Trader in 2020, although the application was still available for download until 2022. Mandiant believes the Trading Technologies supply chain compromise occurred before November 2021, based on a digital signature on the infected X_Trader malware. But the 3CX follow-on supply chain attack didn’t happen until earlier this year.
A spokesperson for Trading Technologies told WIRED that the company warned users for 18 months that X_Trader would no longer be supported in 2020, and that given that X_Trader is a tool for trading professionals, there is no reason not to. It must be installed on 3CX. Machine. The spokesperson added that 3CX was not a customer of Trading Technologies, and any compromise of the X_Trader application does not affect its current software. 3CX did not respond to WIRED’s request for comment.
What the North Korean hackers wanted to accomplish with their interconnected software-supply-chain attacks is still not entirely clear, but it appears to have been motivated by simple theft. Two weeks ago, cybersecurity firm Kaspersky revealed that at least a handful of victims targeted with the corrupted 3CX application were cryptocurrency-related companies based in “Western Asia,” though it declined to name them. done. Kaspersky found that, as is often the case with large-scale software supply chain attacks, the hackers had sifted through their potential victims and found one piece of second-stage malware in only a few of those hundreds of thousands of compromised networks. Scaled down to a tiny fraction, they target “surgical precision.”
