Summary:
“Mandiant investigators hired by 3CX now say the source of the infection was a decommissioned but still downloadable trading software package called X_Trader, made by Chicago-based Trading Technologies. A 3CX employee downloaded the trading package, said Charles Carmakal, Mandiant chief technology officer, during a Wednesday afternoon press briefing. "We've never seen a software supply chain attack lead to another software supply chain attack," he said. Chaining two software supply chain attacks represents a new level of sophistication for North Korean hackers. Although the 3CX supply chain attack was likely opportunistic - attackers had no reason to believe X_Trader would lead them to 3CX - the sequence of attacks "shows an increase in cyber offense capability by North Korean threat actors," Carmakal said. 3CX CEO Nick Galea said the company has taken steps to ensure a repeat of the incident can't reoccur. "Our priority throughout this incident has been transparency around what we know as well as the actions we've taken," he said. A Trading Technologies spokesperson said the company has not had time to verify Mandiant's conclusions. "We have no idea why an employee of 3CX would have downloaded X_Trader," the spokesperson said in a prepared statement. The trading package was intended for institutional derivatives trading and was decommissioned in April 2020. Mandiant believes that North Korean hackers penetrated Trading Technologies in 2022. The application is no longer available for download. "We would also emphasize that this incident is completely unrelated to the current TT platform," the spokesperson said. The availability of X_Trader on the Trading Technologies website past its official expiration means "there are very likely other victims out there that don't yet know they're compromised," said Carmakal” (BankInfoSec, 2023).

Analyst comments:
The North Korean threat group responsible for both supply chain attacks, tracked as UNC4736, likely is related to financially motivated Pyongyang hacking activity identified as AppleJeus, Mandiant said. "These folks are highly resourced, and they are after money, so it shows where North Korea is putting their best cyber teams is really on the financially motivated stuff," said Ben Read, Mandiant director of cyberespionage analysis. The X_Trader version downloaded by the 3CX employee came loaded with backdoor malware Google-owned Mandiant dubs "VeiledSignal." The trading software appeared legitimate since the file and its installer were signed with a digital certificate that has since expired. The compromised X-Trader and 3CX desktop applications contained, extracted and ran backdoor payloads in the same way. VeiledSignal contains three components: the main backdoor, an injector module and a communications model, Mandiant said. The malware used the Trading Technologies website as command and control. Google's Threat Analysis Group in March 2022 included the Trading Technologies website in a list of websites compromised by North Korean hackers using a zero-day in the Chrome browser. Google attributed the compromise to AppleJeus” (BankInfoSec, 2023).

Mitigation:
This document provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the National Institute of Standards and Technology (NIST) Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks:

https://www.cisa.gov/sites/default/...ainst_software_supply_chain_attacks_508_1.pdf

Source:
https://www.bankinfosecurity.com/no...ained-supply-chain-hacks-to-reach-3cx-a-21714 https://www.cisa.gov/sites/default/...ainst_software_supply_chain_attacks_508_1.pdf