In recent weeks, the cybersecurity industry has been working hard to understand the origins and fallout of the supply chain attack that corrupted the software of 3CX, a VoIP provider. The attack, linked to North Korea, spread malware to potentially hundreds of thousands of 3CX customers. Mandiant, a cybersecurity firm, has now discovered how the state-sponsored hackers penetrated 3CX: the company was one of many victims infected with the corrupted software of another company, Trading Technologies, in what is a rare or even unprecedented example of a single group of hackers using one software supply chain attack to carry out a second one – a supply-chain chain reaction.
According to Mandiant, a 3CX employee’s PC was hacked through an earlier software-supply-chain attack, conducted by the same hackers who compromised 3CX, that hijacked an application from Trading Technologies. The hacker group, known as Kimsuky, Emerald Sleet, or Velvet Chollima, is believed to be working on behalf of the North Korean regime. The hackers somehow managed to slip backdoor code into an application known as X_Trader, which was available on Trading Technologies’ website.
When this infected app was later installed on a 3CX employee’s computer, it allowed the hackers to spread their access through 3CX’s network, reach a server 3CX used for software development, corrupt a 3CX installer application, and infect a broad swath of its customers. Mandiant says this is the first time it has found concrete evidence of one software-supply-chain attack leading to another, which is what makes the case significant. However, because Mandiant has not been hired by Trading Technologies to investigate the original attack, it doesn’t know how many victims the compromise of that trading app may have produced.
In response to WIRED, a spokesperson for Trading Technologies stated that the company had warned its users for 18 months that X_Trader would no longer be supported in 2020. The spokesperson emphasized that X_Trader is a tool for trading professionals and should not have been installed on a 3CX machine. The spokesperson also clarified that 3CX was not a customer of Trading Technologies, and that any compromise of the X_Trader application does not affect its current software. 3CX did not respond to WIRED’s request for comment.
The motive behind the North Korean hackers’ interlinked software-supply-chain attacks is not entirely clear, but it seems to have been partly driven by theft. Kaspersky reported two weeks ago that some of the victims targeted with the corrupted 3CX application were cryptocurrency-related companies based in “Western Asia,” although they declined to name them. Kaspersky found that the hackers had delivered a piece of second-stage malware to only a tiny fraction of the hundreds of thousands of compromised networks, targeting them with “surgical precision.” Mandiant agrees that one of the goals of the North Korea–linked hackers is undoubtedly cryptocurrency theft, pointing to earlier findings from Google’s Threat Analysis Group that AppleJeus, a piece of malware tied to the same hackers, was used to target cryptocurrency services via a vulnerability in Google’s Chrome browser.
Mandiant also discovered that the same backdoor in 3CX’s software was inserted into another cryptocurrency application, CoinGoTrade, and that it shared infrastructure with yet another backdoored trading app, JMT Trading. All of this, along with the group’s targeting of Trading Technologies, suggests a focus on stealing cryptocurrency, according to Ben Read, Mandiant’s head of cyberespionage threat intelligence. A broad supply chain attack like the one that exploited 3CX’s software would “get you in places where people are handling money,” Read says. “This is a group heavily focused on monetization.”
However, Mandiant’s Carmakal notes that given the scale of these supply chain attacks, crypto-focused victims may still be just the tip of the iceberg. “I think we’ll learn about many more victims over time as it relates to one of these two software-supply-chain attacks,” he says. While researchers have speculated for years about whether other incidents were similarly interlinked, the Trading Technologies and 3CX compromises are the first known instance of one supply chain attack leading to another. For example, the Chinese group known as Winnti or Brass Typhoon carried out no fewer than six software-supply-chain attacks from 2016 to 2019, and in some of those cases, the method of the hackers’ initial breach was never discovered—and may well have been from an earlier supply chain attack.
Carmakal also notes that there were indications that the Russian hackers behind the SolarWinds supply chain attack were conducting reconnaissance on the software development servers of some of their victims. It’s possible that they were planning a subsequent supply chain attack before their operation was disrupted. Typically, a hacker group that can execute a supply chain attack will reach a wide range of victims, including software developers, whose environments offer a valuable position from which to launch a follow-on supply chain attack. If 3CX was indeed the first company affected by this type of chained supply chain attack, it is unlikely to be the last.
Author: Andy Greenberg