The recent security incident at 3CX was caused by a supply chain attack on automated trading software specialist Trading Technologies, according to further research by Mandiant. North Korean hackers from the Lazarus Group are believed to have gained access to the Trading Technologies website, allowing them to tamper with the vendor's software and deliver trojanized installers to other victims. It is likely that other parties besides 3CX have been affected by this supply chain attack, TechCrunch reports.
The malicious installer for the X_TRADER software, distributed by the mainly financially motivated cyber criminals, deploys the multi-stage modular backdoor VEILEDSIGNAL. This backdoor is capable of executing shellcode, injecting a communication module into Chrome, Firefox, and Edge browser processes, and uninstalling itself.
Mandiant has also published further details about the intrusion at VoIP and communications specialist 3CX. TAXHAUL (also known as "TxRLoader") malware was used to harvest credentials in order to move laterally within the 3CX network, which led to the compromise of the macOS and Windows build environments.
3CX advises customers to completely remove the Electron client from their networks and use the improved progressive web application (PWA) Web Client App instead. This app has the same features as the Electron client and is more secure. For more information, see 3CX's article on enforcing the PWA client update after the security incident.