Tue | Apr 25, 2023 | 4:17 AM PDT

With hackers becoming more sophisticated and security measures evolving to protect against traditional forms of cyberattacks, supply chain attacks have emerged as a new and increasingly prevalent method of attack.

These types of attacks involve targeting third-party vendors or suppliers, which are typically less secure and easier to breach than the primary target. This allows hackers to gain access to an organization's network without having to directly breach its defenses. 

One such attack, which targeted VoIP phone systems provider 3CX, has now been found to have affected not only 3CX but also several critical infrastructure organizations, according to cybersecurity firm Symantec.

The campaign was executed by suspected North Korean threat actors associated with the infamous Lazarus Group, who Trojanized the "X_Trader" software produced by Trading Technologies. Once installed on the computer of a 3CX employee, the app subsequently provided the hackers with a backdoor into the firm's network.

Security researchers have revealed that the same Trojan used to breach 3CX also infected two critical infrastructure organizations in the energy sector, one in the U.S. and one in Europe. Additionally, two organizations working in the financial trading sector were also compromised.

It is believed that the X_Trader supply chain attack was financially motivated, as Trading Technologies facilitates futures trading, including energy futures.

Symantec highlighted that the compromise of critical infrastructure targets is a source of concern. The company said:

"North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation."

Security researchers also explained that once the legitimate X_Trader executable is installed, it side-loads two malicious DLLs. The first, "winscard.dll," contains code to load and execute a payload from the second, "msvcr100.dll," which is a modular backdoor called "VeiledSignal." The process for installing the final payload is almost the same as that used with the Trojanized 3CX app: two side-loaded DLLs are used to extract a payload from an encrypted blob.

Mandiant also recently reported that 3CX was breached by another, earlier supply chain attack, making it highly likely that further organizations could be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed.

The success of these supply chain attacks highlights the attackers' proficiency in this method, making it highly probable for them to launch similar attacks in the future. Organizations must remain alert and take strong security measures to prevent such incidents and minimize the potential damages to critical infrastructure.

Follow SecureWorld News for more stories related to cybersecurity.