3CX supply chain hack also impacted critical infrastructure orgs in the US and Europe

The North Korean software supply chain attack on 3CX, which stemmed from the compromise of the X_Trader trading platform, has affected two critical infrastructure organizations in the energy sector in the US and Europe, as well as two other organizations involved in financial trading, new data from Broadcom’s Symantec shows.

According to an earlier report from cybersecurity firm Mandiant, the cause of the March 3CX breach was a trojanized version of the X_Trader platform developed by Trading Technologies, a company that provides software for professional traders.

Mandiant says this was the first time it had seen one software supply chain attack lead to another software supply chain attack. In this case, the attackers used their access to the Trading Technologies platform to gain a foothold in 3CX’s network, where they then modified 3CX desktop apps in order to compromise the networks of 3CX’s customers and deploy the Veiledsignal multi-stage modular backdoor onto victims' systems. Mandiant linked the attacks to a North Korean threat actor it tracks as UNC4736, believed to be a Lazarus sub-group dubbed Labyrinth Chollima.

“It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures. Nevertheless, the compromise of critical infrastructure targets is a source of concern,” Symantec notes.

Symantec’s report does not name the organizations impacted in the hack, but provides additional Indicators of Compromise (IoCs) to help defenders identify this threat.

“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed. The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out,” the cybersecurity firm said.