3CX Hackers Also Compromised Critical Infrastructure Firms

A supply chain attack which targeted 3CX en route to its customers also compromised two energy firms and two financial traders, according to Symantec.

The security vendor explained the news in a blog post the day after Mandiant revealed that the original 3CX supply chain attack was enabled by a previous compromise of futures trading software.

As reported by Infosecurity, suspected North Korean threat actors trojanized the “X_Trader” software produced by Trading Technologies. Once installed on the computer of a 3CX employee, that app subsequently provided the hackers with a backdoor into the firm’s network.

However, Symantec claimed that the same Trojan also infected two critical infrastructure organizations in the energy sector – one in the US and one based in Europe. A further pair of organizations working in the financial trading sector were also breached, it said.

“It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures,” the blog noted.

“Nevertheless, the compromise of critical infrastructure targets is a source of concern. North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation.”

Symantec said that once the legitimate X_Trader executable is installed, it side-loads two malicious DLLs. The first, “winscard.dll,” contains code to load and execute a payload from the second, “msvcr100.dll,” which is a modular backdoor called “VeiledSignal.”

The security vendor claimed that the process for installing the final payload is almost the same as that used with the Trojanized 3CX app: two side-loaded DLLs being used to extract a payload from an encrypted blob.
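The side-loading chain described above (a legitimate executable loading a look-alike `winscard.dll` and `msvcr100.dll` from its own folder) can be hunted for with a simple integrity check. The script below is an added example, not code from the article or from Symantec: it hashes every DLL in an application directory whose name matches a known system or runtime DLL and flags any copy whose SHA-256 differs from the trusted copy. The trusted hashes and the application folder are constructed in a temp directory so it runs offline; in real use they would come from the copies in the Windows system directory.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# DLL names the article reports were side-loaded by the trojanized X_Trader installer.
SIDELOADED_NAMES = {"winscard.dll", "msvcr100.dll"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_suspect_dlls(app_dir: Path, trusted_hashes: Dict[str, str]) -> List[dict]:
    """Flag DLLs in app_dir that carry a system/runtime DLL name but whose
    SHA-256 does not match the trusted copy: a classic side-loading indicator."""
    findings = []
    for dll in sorted(app_dir.glob("*.dll")):
        name = dll.name.lower()
        if name not in trusted_hashes:
            continue  # application-private DLL, no reference copy to compare against
        digest = sha256_bytes(dll.read_bytes())
        if digest != trusted_hashes[name]:
            findings.append({"path": str(dll), "name": name, "sha256": digest})
    return findings


def build_demo_dir() -> Tuple[Path, Dict[str, str]]:
    """Constructed sample data (not real binaries). In production, compute
    trusted_hashes from the copies under the Windows system directory."""
    good = {n: f"MZ-constructed-good-{n}".encode() for n in SIDELOADED_NAMES}
    trusted = {n: sha256_bytes(b) for n, b in good.items()}
    app = Path(tempfile.mkdtemp()) / "XTrader"  # hypothetical install folder
    app.mkdir()
    (app / "winscard.dll").write_bytes(good["winscard.dll"])                 # untouched copy
    (app / "msvcr100.dll").write_bytes(b"MZ-constructed-tampered-msvcr100")  # differs from trusted
    (app / "helper.dll").write_bytes(b"MZ-constructed-app-private")          # not a system name
    return app, trusted


if __name__ == "__main__":
    demo_app, demo_trusted = build_demo_dir()
    for finding in find_suspect_dlls(demo_app, demo_trusted):
        print(f"SUSPECT {finding['name']} at {finding['path']} sha256={finding['sha256']}")
```

A hit only means the file is not the reference copy; a vendor may legitimately ship its own runtime DLL, so confirm with the file's signature and the vendor's own hashes before treating it as malicious.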

“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed,” Symantec concluded.

“The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out.”