Modified X_Trader software led to compromise of two critical infrastructure targets, Symantec says

Two critical infrastructure organizations in the energy sector — one in the United States and another in Europe — are among the victims of a supply chain attack relying on modified financial services software that has been implicated in a separate, second supply chain attack affecting the communications provider 3CX, researchers with Symantec's Threat Hunter Team said Friday.
The unnamed critical infrastructure entities in the energy sector — along with two other unnamed organizations involved in financial trading — are the first additional victims to be identified of the modified 2020 X_Trader software installer used by what are believed to be hackers aligned with North Korea.
The hackers, whose primary goal appears to be financial gain, carried out what Mandiant described Thursday as perhaps the first software supply chain attack that led to a second software supply chain attack: they first compromised the X_Trader installer and then used that access to carry out a supply chain attack that compromised a version of 3CX's desktop app.
The energy sector entities were targeted by the malicious X_Trader installer sometime between September and October of 2022.
Even though the attackers appear to be financially motivated, "the compromise of critical infrastructure targets is a source of concern," the Symantec researchers said. "North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation."
The X_Trader software was produced by Chicago-based Trading Technologies as a professional trading tool but was decommissioned in April 2020. The software was still available for download from the company's website in early 2022 and was compromised in February 2022, Mandiant said in its Thursday report.
3CX, a web-based communications and VoIP software developer, hired Mandiant to investigate the attack on its software installers after modified versions emerged in late March. Mandiant's report found that a 3CX employee had downloaded one of the modified versions of the X_Trader installer. Data associated with the malware suggests it was the work of North Korean-aligned hackers with a history of targeting cryptocurrency entities and exchanges in order to steal money for the North Korean regime.
Officials at Mandiant who responded to the breach feared that it was only a matter of time before additional victims of the North Korean operation emerged. With Symantec's Friday report, the total number of identified victims comes to six, but that number is likely to rise.
"The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than initially believed," Symantec's researchers wrote Friday. "The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out."