The 3CX cyberattack hit two critical infrastructure organizations in Europe and the US, according to research by Symantec's Threat Hunter team. Both organizations are active in the energy sector. In addition, two organizations in the financial sector were also compromised.
All of the attacks were carried out using a compromised version of the X_Trader financial software. When a victim runs its Setup.exe, the attackers, whom Symantec attributes to North Korea, can install a modular backdoor on the victim's systems. According to Symantec, this backdoor allows the malware to execute malicious shellcode or to inject a communication module into the Chrome, Firefox and Edge browsers. Because the developer of X_Trader provides futures trading, including energy futures, Symantec believes the attack has a financial motive.
The Threat Hunter team calls the breach of the critical infrastructure organizations worrying, because North Korean-backed hacking groups are known for cyber espionage. Symantec therefore does not rule out further exploitation of the compromised organizations at a later stage.
Exactly which two critical infrastructure organizations are involved is not disclosed. One is in the US and the other in Europe. Both are 'energy suppliers who generate energy and supply it to the grid', the team told Bleeping Computer. Because at least four other organizations besides 3CX have already been compromised through the trojanized software, Symantec says it is very likely that other parties are also affected. "The attackers behind these breaches clearly have a successful template for supply chain attacks and new, similar attacks cannot be ruled out."
In late March, it became apparent that attackers were abusing 3CX's desktop client to distribute malware in a supply chain attack. The malware made it possible to eavesdrop on conversations and voicemail messages. 3CX is a VoIP provider whose customers include McDonald's and Coca-Cola, as well as the UK healthcare sector.