3CX breach linked to previous supply chain compromise
2023-04-24 13:23

Pieces of the 3CX supply chain compromise puzzle are starting to fall into place, though we're still far away from seeing the complete picture.

3CX engaged Mandiant to investigate how their own compromise happened, and they revealed last Thursday that one of 3CX's employees downloaded the booby-trapped X TRADER installer, which ultimately led to the deployment of a modular backdoor on their system.

"The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise," they added.

Almost simultaneously, ESET researchers published a report about the Lazarus APT targeting Linux users with fake job offers and a Linux backdoor, and further linked the group to the 3CX supply chain attack based on similarities in the malware used and on shared infrastructure.

"The stealthiness of a supply chain attack makes it very appealing from an attacker's perspective. Lazarus has already used this technique in the past, targeting South Korean users of WIZVERA VeraPort software in 2020. Similarities with existing malware from the Lazarus toolset and with the group's typical techniques strongly suggest the recent 3CX compromise is the work of Lazarus as well," they noted.

"It appears likely that the X Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X Trader, facilitates futures trading, including energy futures. Nevertheless, the compromise of critical infrastructure targets is a source of concern. North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation," they pointed out.


News URL

https://www.helpnetsecurity.com/2023/04/24/3cx-supply-chain-compromise/

Related vendor

VENDOR   LAST 12M #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
3CX      7                     0     21       6      5          32