Prominent cyberattack investigator Mandiant disclosed findings that suggest the 3CX supply chain compromise had an unprecedented cause: a prior software supply chain attack. The March compromise of 3CX, a widely used communications software maker, has drawn comparisons to some of the biggest cyberattacks to date, including the SolarWinds supply chain attack of 2020.
However, it now appears that the 3CX attack stands out even from the SolarWinds compromise, at least in one major respect. Mandiant said the 3CX campaign was made possible by an earlier supply chain attack, which had tampered with a software package distributed by a financial software firm, Trading Technologies. “This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” the incident response and threat intelligence firm, owned by Google Cloud, said in its post.
According to the Mandiant findings, 3CX was compromised after one of its employees downloaded Trading Technologies’ “X_TRADER” software in April of 2022. The installer for the software had been tampered with by a malicious actor, Mandiant said. 3CX, which had hired Mandiant to assist with the investigation, specified in its own post Thursday that the employee installed the tainted software on their personal computer. After the installation of the malicious software, “Mandiant determined that a complex loading process led to the deployment of VEILEDSIGNAL, a multi-stage modular backdoor, and its modules,” the firm said.
3CX, whose communications software includes the VoIP phone system app targeted in the attack, has said that its customer base totals more than 600,000 organizations, with sales exclusively through its network of 25,000 partners. Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.
CrowdStrike previously attributed the 3CX compromise to a North Korea-affiliated group that it calls Labyrinth Chollima, and 3CX had subsequently shared that Mandiant was attributing the attack to North Korea. Mandiant pinned the attack on UNC4736, which the firm called “a suspected North Korean nexus cluster of activity.” Nick Galea, founder and CEO of 3CX, said in a post Thursday that the company is committing to a seven-step program to “harden our systems and minimize our risk of future attacks,” in the wake of the “first-of-a-kind, cascading software-in-software supply chain attack.”
Galea previously disclosed that it’s probable hundreds of thousands of customers did actually download the malicious version of the vendor’s VoIP phone system software. However, researchers have noted that the 3CX compromise was caught in weeks rather than months — as had been the case with the SolarWinds supply chain breach — which appears to have limited the impact from the attack on 3CX and its end customers.
Developing a coherent “user experience” (UX) for passkeys across different operating systems and web services is an ongoing challenge, though. If you, say, log into your Google account from a Mac with a traditional password, what you type is sent to Google and checked against the credential record Google holds on one of its servers. The security and phishing-resistant benefits of passkeys come from the fact that they work differently. If you use a passkey to log into your Google account from a Mac, the private key never leaves your device: macOS confirms it is you locally (Touch ID or the login password), the device signs a one-time challenge from Google, and Google checks that signature against the public key it stored when the passkey was created. Apple's servers play no part in the login exchange itself, but everything the user sees during the interaction is drawn by macOS, not by Google.
“If I’m Google implementing passkeys, I cede a lot of control to Apple if my user is on an Apple device, I cede a lot of control to Microsoft if the user is on a Windows device, I cede a lot of UX control to Android and browsers,” Brand says. “So I think we’re in the technology infancy, where all of these different platforms have come up with different UX patterns and UX paradigms. Stitching all of that together is kind of tricky, and that’s probably going to take another nine to 12 months for the industry to support.”
Another big challenge with establishing consistency and continuity will be the long transition to passkeys alone. For the foreseeable future, services must continue to support username and password logins and keep those systems as secure and up-to-date as possible while primarily supporting the growth and evolution of passkeys. As password login paths fade from prominence they risk being neglected, and a neglected fallback path is still an attack surface: it has to resist credential stuffing and phishing just as well as the passkey flow it sits beside. For now, though, the tech industry is still in the early stages of this long-haul transition.
“Part of the problem is that all the stuff that I have in my presentation, we haven’t really seen this put into practice yet,” Brand says. “There are passkey implementations out there, and some folks have dipped their toe in the water, but a lot of the stuff isn’t really in the mainstream consciousness of developers, and certainly not for users. The mass, super-scale adoption is still something that we’re working to make happen.”
Author: Lily Hay Newman