The attackers have been linked to North Korea and appear to be involved in both cyberespionage and financially motivated attacks.

The hacking group responsible for the supply chain attack on VoIP company 3CX also breached two critical infrastructure organizations in the energy sector and two financial trading organizations using the trojanized X_TRADER application, according to a report by Symantec. Of the two affected critical infrastructure organizations, one is located in the US and the other in Europe, Symantec told Bleeping Computer.

The report that other organizations were also breached comes a day after Mandiant revealed that the trojanized X_TRADER application was the initial cause of the 3CX breach.

“The attackers behind these breaches clearly have a successful template for software supply chain attacks and further similar attacks cannot be ruled out,” Symantec said in its report.

Last month, several security researchers reported that the 3CX Desktop App contained malware. The company confirmed the finding and released an update for the Desktop App.

Attacks attributed to Lazarus group

Based on the methodology, Mandiant has attributed the attacks to the North Korean hacking group Lazarus. Symantec also agrees that the attackers appear to be linked to North Korea.
“It appears likely that the X_Trader (X_TRADER) supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader (X_TRADER), facilitates futures trading, including energy futures,” Symantec said in the report, adding that North Korea-sponsored actors are known to engage in both espionage and financially motivated attacks.

“It cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation,” Symantec said.

Initiated by prior supply chain compromise

The 3CX supply chain compromise was carried out after the hackers gained access to the company’s network and systems through a different software supply chain attack, one involving a third-party application for futures trading, according to Mandiant.

The hackers gained access to 3CX’s network after one of the company’s employees installed a futures trading platform called X_TRADER from Trading Technologies on their personal computer in 2022. That software had been trojanized with a backdoor as part of a separate software supply chain attack. X_TRADER was discontinued in 2020 but was still available for download from the vendor’s website in 2022.

This is the first known case of one software supply chain compromise leading to a second, cascading software supply chain compromise, Mandiant said in the report. The attackers moved laterally through 3CX’s network and injected malicious libraries into the Windows and macOS versions of the Desktop App.

Trojanized version deployed malware downloader and info stealer

The trojanized 3CX Desktop App first deployed an intermediate malware downloader that reached out to a GitHub repository to obtain command-and-control addresses hidden inside icon files, Mandiant said in its report. The downloader then contacts the command-and-control server and deploys an information stealer that collects application configuration data as well as browser history.
Mandiant had been contracted by 3CX to investigate the incident.