Desktop phone developer 3CX’s supply chain attack was the result of a previously unknown attack on a financial trading software maker by North Korean hackers, according to Mandiant’s forensic team.
Chicago-based Trading Technologies’ software, X_Trader, was decommissioned but still available for download, and it was downloaded by a 3CX employee who unwittingly introduced backdoor malware, VeiledSignal, into 3CX’s source code.
The infiltration was likely opportunistic, but the sequence of attacks “shows an increase in cyber offense capability by North Korean threat actors,” said Charles Carmakal, Mandiant’s CTO. The hackers responsible, tracked as UNC4736, are believed to be related to financially motivated Pyongyang hacking activity identified as AppleJeus.
Although 3CX has taken steps to prevent a recurrence, the availability of X_Trader on the Trading Technologies website past its official expiration means other victims are probably compromised. The malware used the Trading Technologies website as command and control.
VeiledSignal contains three components: the main backdoor, an injector module, and a communications model, according to Mandiant. The attack on 3CX is significant because it’s the first time one supply chain attack has led to another, Carmakal said.
North Korea is known for state-sponsored hacking for financial gain. The totalitarian regime has long underwritten criminal activity in a quest for hard currency, which it uses to fund the development of weapons of mass destruction.
The 3CX infiltration is part of a trend where North Korean hackers are increasingly focused on financially motivated attacks, said Ben Read, Mandiant’s director of cyberespionage analysis.
While Trading Technologies has not yet verified Mandiant’s conclusions, it’s noteworthy that the application is no longer available for download, and that this incident is entirely unrelated to its current TT platform.
