The X_Trader software supply chain attack that led to last month's 3CX breach has also impacted at least several critical infrastructure organizations in the United States and Europe, according to Symantec's Threat Hunter Team.
The North Korean-backed threat group linked to the Trading Technologies and 3CX attacks used a trojanized installer for X_Trader software to deploy the VEILEDSIGNAL multi-stage modular backdoor onto victims' systems.
Once installed, the malware could execute malicious shellcode or inject a communication module into Chrome, Firefox, or Edge processes running on compromised systems.
"Initial investigation by Symantec's Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe," the company said in a report published today.
"In addition to this, two other organizations involved in financial trading were also breached."
While the Trading Technologies supply chain compromise is the result of a financially motivated campaign, the breach of multiple critical infrastructure organizations is worrisome, seeing that North Korean-backed hacking groups are also known for cyber espionage.
It's very likely that strategic organizations compromised as part of this supply chain attack will also be singled out for subsequent exploitation.
While Symantec didn't name the two energy sector organizations, Symantec Threat Hunter Team Director of Security Response Eric Chien told BleepingComputer that they are "power suppliers generating and supplying energy to the grid."
Wide-ranging supply chain attack
Having breached at least four more entities besides 3CX with the help of the trojanized X_Trader software, it's also highly likely that the North Korean hacking campaign already impacted additional victims yet to be discovered.
"The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed," Symantec added.
"The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out."
On Thursday, Mandiant linked a North Korean threat group it tracks as UNC4736 to the cascading supply chain attack that hit VoIP company 3CX in March.
UNC4736 is related to the financially motivated North Korean-sponsored Lazarus Group behind Operation AppleJeus [1, 2, 3], previously linked by Google's Threat Analysis Group (TAG) to the compromise of Trading Technologies' website.
Based on attack infrastructure overlap, Mandiant also connected UNC4736 with two APT43 malicious activity clusters tracked as UNC3782 and UNC4469.
Comments
EndangeredPootisBird - 1 year ago
You'd think that out of anyone, critical infrastructure would have the best, state-of-the-art security, but I guess the capitalist CEOs don't even wanna give them a big enough budget for proper security.
LIstrong - 1 year ago
But they do. 3CX is a VoIP based in Cyprus. It's nonsensical and also illegal for the US critical infrastructure to use an offshore VoIP vendor. Did critical infrastructure MSPs with access to their networks use this vendor? If so, these 3rd parties should be named so that the critical infrastructure can debar them. Naming a vendor American companies do not engage directly helps no one.
EndangeredPootisBird - 1 year ago
I never called them American, and by "capitalists" I mean the money-hogging people at the top who don't care enough to spend money on security, as breaches don't impact them financially whatsoever.
Companies never learn from the mistakes of others: years of cyberattacks and breaches, and yet the most common attack vectors are the ones that are easiest and cheapest to prevent.
LIstrong - 1 year ago
The article says American. But I doubt major European countries' critical infrastructure would use a Cyprus-based VoIP either. They are also located in Russia.
LIstrong - 1 year ago
X_Trader software doesn't even exist. What's the real story?
LIstrong - 1 year ago
This sounds like SolarWinds, msoft and FireEye redux. FireEye is now Mandiant. FireEye red team tools were stolen in 2019 and that somehow was related to a bad SolarWinds password that resulted in msoft SAML attacks. Lots of breaches aren't really breaches. They're often rogue insiders or even vendors getting caught with their hands in the cookie jar, selling customer data out the back door. There's a huge amount of corp espionage too. But why would a tech vendor gaslight and blame a hack on other vendors? If tech vendors point fingers elsewhere then customers, Wall St and gov won't punish them. Read Bill Gates' 1996 "Content is King" essay. He predicted that whoever controls all of the data wins. Is that what is happening here, irrespective of the cost to society?
If it's true that Linux and Macs are compromised and LI was involved, the best thing to do is blacklist LI from both personal BYOD, home devices and Azure LI Connector. This has long been common SOP in some security-conscious sectors. It may involve reconfig Azure and machines. But never allow access to webmail and social media on the same device. There's no way to do that safely. Apps are designed to leak.
Ransomware is destroying the USA. Businesses, institutions and municipalities cannot sustain this.
DHS just announced a 60-day sprint focused on studying how investing in AI could help the U.S. beat China. And if there is an attack on the power grid then I bet DHS can scare Congress into authorizing hundreds of billions of dollars to Big Tech's AI to make us safe. But AI is not real. It's programmed algorithms. And if DHS would ask the VA who just shut down a software project after spending $10B because thousands of patients were hurt and the software was expected to take 30 years to deploy and $51B.
It doesn't take AI for the Gov to battle ransomware. Just will. Why hasn't anyone tried to stop it?
If Congress approves AI projects then Big Tech gets to continue hoovering up all corporate and consumer data worldwide - causing more and more vulnerabilities. No amount of cybersecurity can protect against this.
DHS was created after 9/11 to ensure that another major attack on US soil never took place. So I hope this threat against the grid is just a joke.