Supply chain attack targeting 3CX also hit other organizations: two energy companies and two financial traders were also compromised, according to Symantec.
The security vendor published the findings in a blog post a day after Mandiant disclosed that the original 3CX supply chain attack was enabled by an earlier compromise of futures trading software.
As reported by Infosecurity, suspected North Korean threat actors trojanized the “X_Trader” software created by Trading Technologies. Once installed on a 3CX employee’s computer, the app gave the attackers a backdoor into the company’s network.
However, Symantec claimed that the same Trojan also infected two critical infrastructure organizations in the energy sector. Two organizations operating in the financial trading sector were also compromised.
“X_Trader’s developer, Trading Technologies, facilitates futures trading, including energy futures, so the attack on the X_Trader supply chain is likely financially motivated,” the blog notes.
“Nevertheless, compromising critical infrastructure targets is a cause for concern. North Korea-backed attackers are known to engage in both espionage and financially motivated attacks, and we cannot rule out the possibility that a strategically important organization compromised by a
For more on the original 3CX attack, see: North Korean hackers use a trojanized 3CX DesktopApp in a supply chain attack.
According to Symantec, two malicious DLLs are sideloaded when the legitimate X_Trader executable is installed. The first, ‘winscard.dll’, contains code to load and execute a payload from the second, ‘msvcr100.dll’, which is a modular backdoor called ‘VeiledSignal’.
The security vendor claimed that the process of installing the final payload was nearly identical to the one used by the trojanized 3CX app: in both cases, two sideloaded DLLs extract the payload from an encrypted blob.
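The two-DLL sideloading chain described above relies on an application directory carrying a DLL whose name shadows a system library (winscard.dll) or a common redistributable (msvcr100.dll). A simple defensive check is to hash every DLL next to an executable and flag those that collide by name with a system copy but differ in content. The script below is an added example written for this article, not code from Symantec, Mandiant, 3CX or Trading Technologies; it builds a constructed temporary directory tree with placeholder byte strings standing in for the real binaries, and the only names taken from the article are the two DLL file names.

```python
"""Flag DLL sideloading candidates: DLLs in an application folder that
shadow a same-named system DLL but have different contents.

Example added for illustration; the directory tree it inspects is
constructed in build_demo_tree() and contains no real binaries."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowed_dlls(app_dir, system_dirs, known_good=frozenset()):
    """Return {dll_name: (app_hash, system_hash)} for each DLL in app_dir
    whose name also exists in one of system_dirs but whose hash differs.

    known_good holds SHA-256 digests of vendor-shipped DLLs (e.g. a legitimate
    msvcr100.dll redistributable) that should not be reported even though
    they shadow a system copy."""
    findings = {}
    for dll in Path(app_dir).glob("*.dll"):
        app_hash = sha256_of(dll)
        if app_hash in known_good:
            continue
        for sysdir in system_dirs:
            system_copy = Path(sysdir) / dll.name
            if system_copy.is_file():
                system_hash = sha256_of(system_copy)
                if app_hash != system_hash:
                    # Same file name, different bytes: the loader would pick
                    # the application-folder copy first, so this is a
                    # sideloading candidate worth a closer look.
                    findings[dll.name.lower()] = (app_hash, system_hash)
                break  # first system directory with a copy wins, like the loader
    return findings


def build_demo_tree():
    """Constructed sample layout (placeholder bytes, not real PE files):
    a fake System32 holding the genuine winscard.dll, and an application
    folder carrying a lookalike winscard.dll plus an msvcr100.dll that has
    no system counterpart. Returns (app_dir, [system_dirs])."""
    root = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    sys32 = root / "System32"
    app = root / "App"
    sys32.mkdir()
    app.mkdir()
    (sys32 / "winscard.dll").write_bytes(b"MZ genuine winscard placeholder")
    (app / "winscard.dll").write_bytes(b"MZ lookalike winscard placeholder")
    (app / "msvcr100.dll").write_bytes(b"MZ payload carrier placeholder")
    (app / "Application.exe").write_bytes(b"MZ application placeholder")
    return app, [sys32]


if __name__ == "__main__":
    app_dir, system_dirs = build_demo_tree()
    for name, (app_hash, system_hash) in find_shadowed_dlls(app_dir, system_dirs).items():
        print(f"{name}: app={app_hash[:12]}... system={system_hash[:12]}...")
```

The check only catches the first DLL in the chain: msvcr100.dll is reported only if a system copy exists and differs, because a redistributable legitimately ships beside many applications. For that second DLL the useful control is an allowlist of known-good digests (the known_good parameter) or an Authenticode signature check, since a payload carrier dropped by an attacker will not match the vendor's hash or signature.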
“The discovery that 3CX was compromised in another previous supply chain attack makes it very likely that more organizations will be affected by this campaign,” Symantec said. “It turned out to be much more widespread than originally thought.”
“The attackers behind these breaches clearly have a successful template for software supply chain attacks, and further similar attacks cannot be ruled out.”