Obsolete financial trading software led to 3CX vulnerability

Victims also found in energy, financial sectors.

A Mandiant investigation has found the breach of 3CX’s popular smartphone began when the vendor's staff installed compromised software from Trading Technologies.

The breach has also reached beyond 3CX, with Symantec claiming to have identified victims in the energy and financial sectors.

Mandiant said it’s the first time it has seen a chain of supply chain attacks, and pointed the finger at a “tampered installer for X_Trader, a software package provided by Trading Technologies”.

According to Trading Technologies, X_Trader was meant to be discontinued in 2020, in a phase-out that commenced in 2018.

However, Mandiant said it was still available for download in 2022.

“This file was signed with the subject ‘Trading Technologies International, Inc’ and contained the executable file Setup.exe that was also signed with the same digital certificate,” Mandiant said.

“The code signing certificate used to digitally sign the malicious software was set to expire in October 2022.”

The installation of the compromised software led to “a complex loading process and the deployment of VEILEDSIGNAL, a multi-stage modular backdoor, and its modules”, Mandiant said.

VEILEDSIGNAL implanted its backdoor, and downloaded an encrypted command and control (C2) module from GitHub.

The C2 module injected itself into whichever of Chrome, Firefox or Edge it found running first. It also set up a Windows listener for incoming communications, which it relayed to its server.

Mandiant said that “the attacker was able to compromise both the Windows and macOS build environments.”

It reiterated its earlier suspicion that North Korean actors dubbed UNC4376 were behind the attack.

Symantec has since claimed the compromised version of X_Trader was installed by other organisations.

The company’s threat hunter team did not name the victims, but said the compromised software had been found at two critical infrastructure companies in the energy sector, one in North America and one in Europe, as well as at two financial trading organisations.

“It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures,” Symantec said.

Regarding the compromise of critical infrastructure targets, Symantec said that “North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organisations breached during a financial campaign are targeted for further exploitation.”

Copyright © iTnews.com.au . All rights reserved.