Mandiant: 3CX breach caused by second supply chain attack

The initial point of compromise in the highly publicized 3CX supply chain attack was allegedly a malicious version of a software package belonging to Trading Technologies International, according to Mandiant research published Thursday.

Unified communications provider 3CX originally confirmed on March 30 it was the victim of a supply chain attack. 3CX CISO Pierre Jourdan wrote in a blog post that several versions of the company's Electron Windows app were experiencing a security issue. The source of the supply chain attack was initially unclear, as CEO Nick Galea wrote at the time that the breach was caused by an "upstream library" that became infected.

Vendor research published in late March and early April noted that the central point of compromise was a file named "ffmpeg.dll," which referenced popular multimedia framework FFmpeg. Although some speculation suggested FFmpeg was the initial source of the supply chain attack, the framework's developers tweeted that this wasn't the case because FFmpeg provides only source code, not compiled binaries.

Threat intelligence firm and Google Cloud subsidiary Mandiant on Thursday published a blog post claiming that the original point of compromise was neither 3CX nor FFmpeg. Instead, the firm reported, it was a malware-infested version of "X_Trader," a defunct software package published by financial trading software vendor Trading Technologies.

"This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack," the blog post read.

The blog post said that while the X_Trader version the employee had was discontinued in 2020, "it was still available for download from the legitimate Trading Technologies website in 2022."

Mandiant Consulting CTO Charles Carmakal said in a press pre-briefing that the 3CX breach occurred because an employee at the company downloaded a tampered installer for X_Trader from the company's website, which ultimately "enabled the threat actor to compromise the employee's computer."

A spokesperson for Trading Technologies shared the following statement with TechTarget Editorial:

Given that this only came to our attention last week, we have not had the ability to verify the assertions in Mandiant's report. What we do know with certainty is that 3CX is not a vendor or a customer of Trading Technologies. There is no business relationship between the two companies. We have no idea why an employee of 3CX would have downloaded X_Trader. The X_Trader software referenced in Mandiant's report was a professional trading software package for institutional derivatives trading that was decommissioned in April 2020. Our clients received multiple communications over the 18-month sunset period notifying them that we would no longer support or service X_Trader beyond April 2020. There was no reason for anyone to download the software given that TT stopped hosting, supporting and servicing X_Trader after early 2020. We would also emphasize that this incident is completely unrelated to the current TT platform.

In a previous version of the statement, the spokesperson said, "What we do know with certainty is that this is not a supply chain attack." The updated version of the statement does not include that sentence.

The spokesperson told TechTarget Editorial that with respect to its current TT Platform and Trading Technologies' own internal systems, the company has seen no evidence of a breach. Regarding X_Trader, the spokesperson said, "We are in the midst of our investigation."

Given that this only came to our attention last week, we have not had the ability to verify the assertions in Mandiant's report.

Carmakal said in the pre-briefing that the firm contacted Trading Technologies on April 11 and that Mandiant did not assist Trading Technologies' investigation. He said that because X_Trader isn't generally available anymore, Mandiant isn't worried about new victims as much as it is potential pre-existing ones.

"We are concerned that there are likely victims from before that haven't yet discovered that they are a victim and will likely discover that they were compromised as we get this information out," Carmakal said.

Mandiant said 3CX was initially breached through its build server and that the threat actor used a publicly available fast reverse proxy to move within the victim network. The firm attributed both the 3CX breach and the alleged X_Trader compromise to a nation-state threat actor affiliated with North Korea categorized as UNC4736. Further technical details are available in the blog post.

3CX shared to its website on Thursday a seven-step "security action plan" that included enhancing network and build security as well as enhancing product security features. 3CX also published a blog post Thursday morning with similar content to Mandiant's investigation report.

A spokesperson for the vendor shared a statement with TechTarget Editorial credited to Galea. The CEO said the company's priority throughout the investigation has been transparency.

"As we wind down our incident investigation, 3CX has taken this opportunity to continue to strengthen our policies, practices and technology to further protect against future attacks," he said.

Alexander Culafi is a writer, journalist and podcaster based in Boston.