The attackers have been linked to North Korea and appear to be involved in cyberespionage and financially motivated attacks. Credit: Thinkstock The hacking group responsible for the supply-chain attack targeting VoIP company 3CX also breached two critical infrastructure organizations in the energy sector and two financial trading organizations using the trojanized X_TRADER application, according to a report by Symantec. Among the two affected critical infrastructure organizations, one is located in the US while the other is in Europe, Symantec told Bleeping Computer. The report of other organizations also being breached comes a day after Mandiant revealed that trojanized X_TRADER application was the cause of the 3CX breach. “The attackers behind these breaches clearly have a successful template for software supply chain attacks and further similar attacks cannot be ruled out,” Symantec said in its report. Last month, several security researchers reported that the 3CX Desktop App had malware in it. The company confirmed the same and released an update for the Desktop App.Attacks attributed to Lazarus group Based on the methodology, Mandiant has attributed the attacks to the North Korean hacking group Lazarus. Symantec too agrees that the attackers appear to be linked to North Korea. “It appears likely that the X_Trader (X_TRADER) supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader (X_TRADER), facilitates futures trading, including energy futures,” Symantec said in the report, adding that North Korea-sponsored actors are known to engage in both espionage and financially-motivated attacks.“It cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation,” Symantec said.Initiated by prior supply chain compromise The 3CX supply chain compromise attack was carried out as hackers gained access to the company’s network and systems as a result of a different software supply chain attack involving a third-party application for futures trading, according to Mandiant. The hackers gained access to 3CX’s network after one of the company’s employees installed a futures trading platform called X_TRADER from Trading Technologies on their personal computer in 2022. This software had been trojanized with a backdoor as a part of a different software supply chain attack. The X_TRADER software was discontinued in 2020 but was still available for download from the company’s website in 2022.This is the first supply chain compromise attack, which has led to a cascading software supply chain compromise, Mandiant said in the report. The attackers were able to gain lateral movement into 3CX’s network and inject malicious libraries into the Windows and MacOS versions of the Desktop App. Trojanized version deployed malware downloader and info stealerThe trojanized version of the 3CX Desktop App first deployed an intermediate malware downloader that reached out to a GitHub repository to obtain command-and-control addresses hidden inside icon files, Mandiant said in its report. The downloader then contacts the common-and-control server and deploys an information stealer that collects application configuration data as well as browser history. Mandiant had been contracted by 3CX to investigate the incident. Related content news Spam blocklist SORBS shuts down after over two decades The service was unsustainable but those in the email deliverability industry expressed mixed feelings about the closure. By Evan Schuman Jun 07, 2024 4 mins Email Security Antispam news analysis New RansomHub ransomware gang has ties to older Knight group File encryption malware used by RansomHub appears to be a modified variant of the Knight ransomware, also known as Cyclops. By Lucian Constantin Jun 07, 2024 4 mins Hacker Groups Ransomware Hacking feature Whitelisting explained: How it works and where it fits in a security program Whitelisting locks down computers so only approved applications can run. Is the security worth the administrative hassle? By Josh Fruhlinger and CSO Staff Jun 07, 2024 10 mins Email Security Application Security Data and Information Security interview How Amazon CISO Amy Herzog responds to cybersecurity challenges Amazon CISO for devices and advertising products and services describes how her team works with product and devops teams to ensure products are cybersecure. By David Strom Jun 07, 2024 5 mins Security Practices Vulnerabilities Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe