3CX Hackers Also Compromised Critical Infrastructure Firms


A supply chain attack which targeted 3CX en route to its customers also compromised two energy firms and two financial traders, according to Symantec.

The security vendor explained the news in a blog post the day after Mandiant revealed that the original 3CX supply chain attack was enabled by a previous compromise of futures trading software.

As reported by Infosecurity, suspected North Korean threat actors trojanized the “X_Trader” software produced by Trading Technologies. Once installed on the computer of a 3CX employee, that app subsequently provided the hackers with a backdoor into the firm’s network.

However, Symantec claimed that the same Trojan also infected two critical infrastructure organizations in the energy sector – one in the US and one based in Europe. A further pair of organizations working in the financial trading sector were also breached, it said.

“It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures,” the blog noted.

“Nevertheless, the compromise of critical infrastructure targets is a source of concern. North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation.”

Read more on the original 3CX attack: North Korean Hackers Use Trojanized 3CX DesktopApp in Supply Chain Attacks.

Symantec said that once the legitimate X_Trader executable is installed, it side-loads two malicious DLLs. The first, “winscard.dll,” contains code to load and execute a payload from the second, “msvcr100.dll,” which is a modular backdoor called “VeiledSignal.”

The security vendor claimed that the process for installing the final payload is almost the same as that used with the trojanized 3CX app: two side-loaded DLLs are used to extract a payload from an encrypted blob.
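The side-loading pattern described above (a legitimate executable that loads DLLs placed in its own folder instead of the Windows copies) can be hunted for on a file share or a collected disk image. The following is an added defender-side example, not code from Symantec, 3CX or Trading Technologies: it walks an application tree, flags copies of the two DLL names named in the article that sit beside an executable, and compares each against a reference copy from a system directory you supply; the directory layout and file contents are constructed for illustration.

```python
import hashlib
import os
import sys
from pathlib import Path

# DLL names the article reports being side-loaded next to X_Trader.
# Note: msvcr100.dll is a VC++ runtime that many apps legitimately ship,
# so a hit on it is a triage lead, not proof of compromise.
SYSTEM_DLL_NAMES = {"winscard.dll", "msvcr100.dll"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(app_root, system_dir=None):
    """Return sorted (dll_path, [exe_paths], verdict) tuples.

    verdict is 'matches-system', 'differs-from-system' or 'no-reference'
    (no copy of that DLL exists under system_dir, or none was given)."""
    findings = []
    for dirpath, _, files in os.walk(app_root):
        lower = {f.lower(): f for f in files}  # Windows names are case-insensitive
        exes = [str(Path(dirpath, f)) for f in files if f.lower().endswith(".exe")]
        if not exes:
            continue  # side-loading needs a host executable in the same folder
        for name in sorted(SYSTEM_DLL_NAMES & set(lower)):
            dll = Path(dirpath, lower[name])
            verdict = "no-reference"
            if system_dir is not None and Path(system_dir, name).exists():
                same = sha256_of(Path(system_dir, name)) == sha256_of(dll)
                verdict = "matches-system" if same else "differs-from-system"
            findings.append((str(dll), sorted(exes), verdict))
    return sorted(findings)


if __name__ == "__main__":
    # usage: sideload_scan.py <app_root> [<reference_system_dir>]
    root = sys.argv[1]
    ref = sys.argv[2] if len(sys.argv) > 2 else None
    for dll, exes, verdict in find_sideload_candidates(root, ref):
        print(f"{verdict:20} {dll}  (host exe: {', '.join(exes)})")
```

Hash mismatches against the reference copy are the strongest lead; a matching hash only means the file is a plain copy of the system DLL, which is still worth asking why it is there.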

“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this…
