Days after the devastating cyberattack, more details about the 3CX incident are surfacing online as Mandiant discloses the findings of its investigation. As revealed, the cyberattack on 3CX's systems has been linked back to another supply-chain attack on a separate firm.
3CX Cyber Attack Update: Mandiant Shares Its Investigations
After investigating the matter for weeks, the cybersecurity firm Mandiant has shared insights into what happened at 3CX.
As revealed in its post, Mandiant's team traced the 3CX cyberattack back to an earlier supply-chain attack that affected Trading Technologies Inc.
While the researchers have shared a detailed technical analysis of the malware, the incident timeline, and the attack flow in their post, here is a quick summary.
Specifically, 3CX was infected through a trojanized version of Trading Technologies' software installer, X_TRADER. Analysis of the malicious installer led Mandiant to the embedded VEILEDSIGNAL backdoor that carried out the attack.
The modular backdoor executed the attack in stages, downloading malicious DLLs and other payloads. Two further modules extended its functionality: one injected the C2 component into a running process, and the other listened for communication on the Windows host.
The malware entered the 3CX network through this Trading Technologies application, after which the attackers moved laterally across the 3CX network. Throughout this process, the attackers harvested credentials and compromised Windows and macOS systems alike, deploying malicious DLLs and backdoors.
Tracing this activity, which Mandiant tracks as UNC4736, led the researchers to attribute the attack to a North Korean threat actor.
Earlier this month, 3CX admitted suffering a serious cyberattack on its network that also affected its customers. It turned out that the attackers had abused the firm's own application to roll out malicious updates to those customers.
At that time, 3CX confirmed that it had hired Mandiant to investigate the cyberattack, and now the security firm has shared this update.
While 3CX is the most visible victim of the Trading Technologies supply-chain attack, the researchers suspect there may be other victim firms that have not yet noticed or reported a compromise on their networks.
Let us know your thoughts in the comments.