Security Update Thursday 20 April 2023 – Initial Intrusion Vector Found
Posted on April 20th, 2023 by Agathocles Prodromou, CNO, 3CX
Mandiant identifies the source of internal network compromise
While Mandiant’s investigation is still ongoing, we now have a clear overall understanding of the attack. Following our previous update, we would like to share some additional technical details to support our customers and the community. We have also published additional indicators of compromise that organizations can leverage for their network defenses.
Initial Intrusion Vector
Mandiant identified the source of our internal network compromise began in 2022 when an employee installed the Trading Technologies X_TRADER software on the employee’s personal computer. Although the X_TRADER installation software was downloaded from the Trading Technologies website, it contained VEILEDSIGNAL malware, which enabled the threat actor (identified as UNC4736) to initially compromise and maintain persistence on the employee’s personal computer.
The X_TRADER installer (X_TRADER_r7.17.90p608.exe) was digitally signed by a valid code signing certificate with the subject of “Trading Technologies International, Inc”. It was hosted on hxxps://download.tradingtechnologies[.]com. While the X_TRADER software was reportedly retired in 2020 by Trading Technologies, the software was still available for download on the Trading Technologies website in 2022. The code signing certificate used to digitally sign the malicious software was set to expire in October 2022.
For more technical detail on the X_TRADER software supply chain attack, including YARA Rules for hunting, please read Mandiant’s blog at https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise.
Following the initial compromise of the employee’s personal computer using VEILEDSIGNAL malware, Mandiant assesses the threat actor stole the employee's 3CX corporate credentials from his system. VEILEDSIGNAL is a fully-featured malware that provided the threat actor with administrator-level access and persistence to the compromised system. The earliest evidence of compromise uncovered within the 3CX corporate environment occurred through the VPN using the employee's corporate credentials two days after the employee's personal computer was compromised.
Additionally, Mandiant identified the use of the Fast Reverse Proxy tool (https://github.com/fatedier/frp) which the threat actor used to move laterally within the 3CX environment. The tool was named MsMpEng.exe and located in the C:\Windows\System32 directory.
CI/CD Build Environment Compromise
Mandiant’s investigation was able to reconstruct the threat actor’s steps through our environment as they harvested credentials and moved laterally. Eventually, the threat actor was able to compromise both the Windows and macOS build environments. On the Windows build environment, the attacker deployed the TAXHAUL launcher and COLDCAT downloader which persisted by performing DLL hijacking for the IKEEXT service and ran with LocalSystem privileges. The macOS build server was compromised using a POOLRAT backdoor using LaunchDaemons as a persistence mechanism.
Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a threat actor cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus.
Indicators of Compromise
Code signing certificate serial #
Command and Control
Mandiant identified that malware within the 3CX environment made use of the following additional command and control infrastructure. www.tradingtechnologies[.]com/trading/order-management
Our priority throughout this incident has been transparency around what we know as well as the actions we’ve taken.
As we wind down our incident investigation, 3CX has taken this opportunity to continue to strengthen our policies, practices, and technology to further protect against future attacks. With that, we’re announcing a 7 Step Security Action Plan. In this plan, we’re committing to actionable steps to harden our defenses. You can read in more detail here.