Security News
VoIP communications company 3CX warned customers today to disable SQL Database integrations because of risks posed by what it describes as a potential vulnerability. Although the security advisory released today lacks any specific information regarding the issue, it advises customers to take preventive measures by disabling their MongoDB, MsSQL, MySQL, and PostgreSQL database integrations.
Pieces of the 3CX supply chain compromise puzzle are starting to fall into place, though we're still far away from seeing the complete picture. 3CX engaged Mandiant to investigate how their own compromise happened, and they revealed last Thursday that one of 3CX employees downloaded the booby-trapped X TRADER installer, leading to the ultimate deployment of a modular backdoor on their system.
In Brief We thought it was probably the case when the news came out, but now it's been confirmed: The X Trader supply chain attack behind the 3CX compromise last month wasn't confined to the telco developer. For those unfamiliar with the incident, 3CX reported a supply chain attack that saw its 3CX DesktopApp compromised with a trojanized version of the X Trader futures trading app published by Trading Technologies.
Lazarus, the prolific North Korean hacking group behind the cascading supply chain attack targeting 3CX, also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X TRADER application. The new findings, which come courtesy of Symantec's Threat Hunter Team, confirm earlier suspicions that the X TRADER application compromise affected more organizations than 3CX. The names of the organizations were not revealed.
The X Trader software supply chain attack that led to last month's 3CX breach has also impacted at least several critical infrastructure organizations in the United States and Europe, according to Symantec's Threat Hunter Team. While the Trading Technologies supply chain compromise is the result of a financially motivated campaign, the breach of multiple critical infrastructure organizations is worrisome, seeing that North Korean-backed hacking groups are also known for cyber espionage.
The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors. Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "Software supply chain attack lead to another software supply chain attack."
The supply-chain attack against 3CX last month was caused by an earlier supply-chain compromise of a different software firm - Trading Technologies - according to Mandiant, whose consulting crew was hired by 3CX to help the VoIP biz investigate the intrusion. "This is the first time that we've ever found concrete evidence of a software supply chain attack leading to another software supply chain attack," Mandiant Consulting CTO Charles Carmakal told reporters on Wednesday.
An investigation into last month's 3CX supply chain attack discovered that it was caused by another supply chain compromise where suspected North Korean attackers breached the site of stock trading automation company Trading Technologies to push trojanized software builds. According to Mandiant, the cybersecurity firm that helped 3CX investigate the incident, the threat group used harvested credentials to move laterally through 3CX's network, eventually breaching both the Windows and macOS build environments.
3CX has released an interim report about Mandiant's findings related to the compromise the company suffered last month, which resulted in a supply chain attack targeting cryptocurrency companies. The attackers infected targeted 3CX systems with TAXHAUL malware, which decrypts and executes shellcode containee in a file with a name and location aimed to make it to blend into standard Windows installations.
The CEO of VoIP software provider 3CX has teased the imminent release of a security-focused upgrade to the company's progressive web application client. "Following our Security Incident we've decided to make an update focusing entirely on security," CEO Nick Galea wrote on Monday.