Cybersecurity company Mandiant reported that it has found "Client Zero", the original source of the attack that compromised 3CX's VoIP telephony application and affected most of its 600,000 customers.
According to the company, the attack on the 3CX employee's computer was made possible by an earlier software supply chain attack, carried out by hackers who compromised 3CX's computer networks after infecting an application from financial software developer Trading Technologies.
The hackers planted a backdoor in Trading Technologies' X_Trader application. Once the trojanized X_Trader was installed on a 3CX employee's computer, it gave the hackers access to the 3CX server used for software development, where they tampered with the 3CX installer and, through it, infected the computers of the company's customers. The hacking group behind this, known as Kimsuky or Emerald Sleet (also Velvet Chollima), is believed to work for the North Korean government.
"This is the first time we have found concrete evidence that an attack on a software supply chain led to another attack on a software supply chain," said Charles Carmakal, technical director of Mandiant Consulting.
Trading Technologies ended support for X_Trader in 2020, although the app remained available for download until 2022. Mandiant believes, based on the digital signature of the X_Trader program, that the Trading Technologies supply chain compromise occurred prior to November 2021, while the subsequent 3CX supply chain attack occurred earlier this year.
A Trading Technologies spokesperson told WIRED that the company had been warning users for 18 months that X_Trader would no longer be supported as of 2020. He pointed out that X_Trader is a tool for trading professionals, so it is not clear how the application ended up on a 3CX employee's computer. The representative added that 3CX is not a Trading Technologies customer and that the compromise of the X_Trader application does not affect the company's existing software in any way.
The purpose of the hacking is not yet clear. Mandiant acknowledges that cryptocurrency theft is likely part of the motive. Kaspersky Lab previously reported that the affected 3CX customers included companies involved in cryptocurrencies.
But Carmakal believes this may be only the tip of the iceberg, given the scale of the supply chain compromise. "I think that over time we will hear of many more victims associated with either of these two software supply chain attacks," he said.