Lazarus, the prolific North Korean hacking group behind the cascading supply chain attack targeting 3CX, also breached two critical infrastructure organizations in the power and energy sector and two other companies involved in financial trading through the trojanized application X_TRADER.
The new findings, courtesy of Symantec’s Threat Hunter team, confirm earlier suspicions that the X_TRADER application compromise affected more organizations than 3CX. The names of the organizations were not disclosed.
Eric Chien, director of security response at Broadcom-owned Symantec, told The Hacker News in a statement that the attacks took place between September 2022 and November 2022.
“The impact of these infections is unknown at this time — more research is required and ongoing,” Chien said, adding that there is “probably more to this story, and possibly even other packages that are trojanized.”
The development comes as Mandiant revealed that last month's compromise of the 3CX desktop application was facilitated by another software supply chain breach, this one targeting X_TRADER in 2022, after an employee downloaded the tainted software installer onto their personal computer.
It is currently unclear how UNC4736, a North Korea-nexus actor, tampered with X_TRADER, trading software developed by a company called Trading Technologies. Although the product was discontinued in April 2020, it was still available for download on the company’s website as recently as last year.
Mandiant’s investigation has revealed that the backdoor (called VEILEDSIGNAL) injected into the trojanized X_TRADER application allowed the adversary to gain access to the employee’s computer and steal their credentials, which were then used to breach the 3CX network, move laterally, and compromise the Windows and macOS build environments in order to inject malicious code.
The interconnected intrusion appears to have substantial overlap with previous North Korea-aligned groups and campaigns that have historically targeted cryptocurrency companies and carried out financially motivated attacks.
The Google Cloud subsidiary has assessed with “moderate confidence” that the activity is linked to AppleJeus, a persistent campaign targeting crypto companies for financial theft. Cybersecurity firm CrowdStrike previously attributed the attack to a Lazarus cluster it calls Labyrinth Chollima.
Google’s Threat Analysis Group (TAG) previously linked the same adversary collective to the February 2022 compromise of the Trading Technologies website, which was used to serve an exploit kit that took advantage of a zero-day flaw in the Chrome web browser.
ESET, in an analysis of a separate Lazarus Group campaign, revealed a new piece of Linux-based malware called SimplexTea that shares the same network infrastructure identified as used by UNC4736, further expanding the existing evidence that the 3CX hack was orchestrated by North Korean threat actors.
“[Mandiant’s] finding a second supply chain attack responsible for the 3CX compromise is a revelation that Lazarus may be increasingly turning to this technique to gain initial network access to its targets,” ESET malware researcher Marc-Etienne M.Léveillé told The Hacker News.
The compromise of the X_TRADER app further points to the financial motivations of the attackers. Lazarus (also known as Hidden Cobra or Zinc) is an umbrella term for a group of various sub-groups based in North Korea that engage in both espionage and cybercriminal activities on behalf of the Hermit Kingdom as a means of evading international sanctions.
Symantec’s breakdown of the infection chain corroborates the deployment of the VEILEDSIGNAL modular backdoor, which also incorporates a process injection component that can be injected into the Chrome, Firefox, or Edge web browsers. The module, in turn, contains a dynamic link library (DLL) that connects to the Trading Technologies website for command and control (C2).
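As an added, defensive illustration of the pattern just described (this is not code from Symantec, Mandiant, or the article), the following correlates process-injection events into browsers with outbound connections those browsers make shortly afterwards. The telemetry, the process name `x_trader.exe`, and the placeholder domain `compromised-vendor.example` are all constructed assumptions standing in for the real events and for the compromised vendor website.

```python
# Constructed Sysmon-style events (event 8 = CreateRemoteThread, event 3 =
# NetworkConnect); field names are simplified assumptions, not a real schema.
# The injector name and destination domains are placeholders for this example.
from datetime import datetime

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
# Injectors considered benign in this hypothetical environment (e.g. an EDR agent).
ALLOWED_INJECTORS = {"edr_agent.exe"}

EVENTS = [
    {"ts": "2022-10-03T09:00:01", "id": 8, "src": "x_trader.exe", "dst": "chrome.exe", "dst_pid": 4120},
    {"ts": "2022-10-03T09:00:05", "id": 3, "image": "chrome.exe", "pid": 4120, "dest": "compromised-vendor.example"},
    {"ts": "2022-10-03T09:30:00", "id": 3, "image": "chrome.exe", "pid": 4120, "dest": "update.vendor.example"},
    {"ts": "2022-10-03T10:00:00", "id": 3, "image": "firefox.exe", "pid": 5010, "dest": "news.example"},
    {"ts": "2022-10-03T10:30:00", "id": 8, "src": "edr_agent.exe", "dst": "msedge.exe", "dst_pid": 6000},
    {"ts": "2022-10-03T10:31:00", "id": 3, "image": "msedge.exe", "pid": 6000, "dest": "compromised-vendor.example"},
    {"ts": "2022-10-03T11:00:00", "id": 3, "image": "chrome.exe", "pid": 4120, "dest": "late.example"},
]


def find_injected_browser_beacons(events, window_seconds=3600, allowed=ALLOWED_INJECTORS):
    """Return (browser, pid, injector, destination) for each outbound connection a
    browser process makes within window_seconds after a non-allowlisted process
    injected a thread into it. Legitimate software (EDR, accessibility tools, some
    AV) also injects into browsers, so tune `allowed` before alerting on this."""
    injections = {}  # (browser image, pid) -> (injection time, injector image)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if ev["id"] == 8 and ev["dst"] in BROWSERS and ev["src"] not in allowed:
            injections[(ev["dst"], ev["dst_pid"])] = (datetime.fromisoformat(ev["ts"]), ev["src"])
        elif ev["id"] == 3 and (ev["image"], ev["pid"]) in injections:
            inj_ts, injector = injections[(ev["image"], ev["pid"])]
            age = (datetime.fromisoformat(ev["ts"]) - inj_ts).total_seconds()
            if 0 <= age <= window_seconds:
                hits.append((ev["image"], ev["pid"], injector, ev["dest"]))
    return hits


if __name__ == "__main__":
    for hit in find_injected_browser_beacons(EVENTS):
        print("injected browser beacon:", hit)
```

A real deployment would key on the injected module's path or hash as well, and would flag the compromised vendor domain itself on a watchlist once it is known.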
“The discovery that 3CX was breached by another earlier supply chain attack made it highly likely that more organizations will be affected by this campaign, which now turns out to be much broader than originally believed,” Symantec concluded.
The recent Lazarus X_TRADER hack has caused significant disruption to critical infrastructure, far beyond the initial 3CX breach. Businesses worldwide now face the same threat of malicious actors attempting to exploit customer data or confidential records for financial gain. Ikaroa’s team of cybersecurity experts is urging all companies to remain vigilant following the news, and to routinely evaluate and update their security practices.
Ikaroa is committed to staying ahead of the latest cyber threats and attacks, offering a range of security solutions tailored to each business’s unique requirements. This includes implementation of secure networks and end-user authentication, regular vulnerability scans to identify any potential exploits, and the implementation of stringent access control measures. In the wake of this attack, many businesses are turning to Ikaroa for help with protecting their data and reducing the risk of malicious actors taking advantage of any vulnerabilities.
Ikaroa is a leading firm in providing comprehensive security solutions to businesses in all industries. Our team of certified security experts is available to offer guidance and advice on the latest threat trends, as well as to provide tailored solutions for any business. We understand the need to protect valuable data from malicious actors, which is why we always strive to stay ahead of threats to guarantee uptime and data integrity for all of our customers.
It is essential for all businesses to be proactive when it comes to risk management and security, especially with increasingly sophisticated and targeted attacks. Ikaroa can provide insight and advice on the latest threats, as well as comprehensive security solutions tailored to fit the requirements of any business. The Lazarus X_TRADER hack has illustrated just how easy and damaging it can be for malicious actors to infiltrate critical networks, but with Ikaroa, businesses can rest assured that their data and systems are safe and secure.