Key Learnings:

Avoid using personal devices for work

Personal devices typically lack the same security features as corporate devices, which makes them more vulnerable to attacks. Using personal devices for work-related tasks may inadvertently expose your organization to risks associated with malware infections or unauthorized access.

Be aware of supply chain attacks

They are becoming increasingly common and can compromise the software running in your organization. As such, it’s critical to know the software operating within your organization and keep it updated to minimize potential vulnerabilities.

The 3CX supply chain compromise began with a tampered installer for X_TRADER software. It led to the deployment of a multi-stage modular backdoor called VEILEDSIGNAL. The malicious software was signed with a digital certificate set to expire in October 2022. Despite the X_TRADER platform being discontinued in 2020, it was still available for download from the legitimate Trading Technologies website in 2022.

Compromised X_TRADER and 3CX DesktopApp applications used the same techniques to extract and run the payload, demonstrating the increasing sophistication of supply chain attacks.

During the attack, the threat actor moved laterally within the 3CX organization using a compiled version of the publicly available Fast Reverse Proxy project. Eventually, the attacker compromised Windows and macOS build environments, deploying TAXHAUL launcher and COLDCAT downloader on Windows, and POOLRAT backdoor on macOS.

Conclusion

The 3CX supply chain compromise is a stark reminder of the growing threat of supply chain attacks and the importance of comprehensive cybersecurity measures. Organizations must stay vigilant, continuously update their software, and implement best practices to mitigate the risks of increasingly sophisticated cyber threats.