North Korea-linked 3CX supply chain attack was actually two attacks
A recent North Korea-linked supply chain attack targeting video conferencing tool 3CX was actually two supply chain attacks in one, researchers at Mandiant have found.
Driving the news: Researchers laid out their findings in a blog post published Thursday, saying the discovery marks the "first time Mandiant has seen a software supply chain attack lead to another software supply chain attack."
- North Korean state-backed hackers first gained access to 3CX's software after compromising X_Trader, a markets-tracking platform developed by Trading Technologies, and distributing a malware-laced version of it, Mandiant found in its investigation.
Zoom out: Supply chain attacks are difficult to pull off, but highly effective when done correctly.
- In this type of attack, malicious hackers leverage a security flaw in a third-party vendor to gain access to their customers' networks, often by distributing malware.
- For example, the infamous SolarWinds cyber espionage campaign a couple of years ago was a supply chain attack that ultimately allowed Russian state-backed hackers to push out a tainted software update that gave them access to 100 companies and nine federal agencies.
Catch up quick: The attack on 3CX last month had the potential to be even bigger than SolarWinds. 3CX claims to have 600,000 enterprise customers.
- However, North Korean attackers targeted only a handful of cryptocurrency firms, according to researchers at Kaspersky.
Details: Trading Technologies discontinued X_Trader back in 2020, but Mandiant says a version of the platform was still available to download on the company's website in 2022.
- Last year, Google's Threat Analysis Group reported a compromise of Trading Technologies' website in February 2022. Researchers linked the hack to a North Korean government-backed group.
- Mandiant suspects that a North Korea-linked group known as UNC4736 was behind the attack. 3CX confirmed last week that a North Korean state-backed group was behind its attack.
Threat level: A double supply chain attack is certainly an escalation for North Korean hackers.
- Historically, North Korean groups have stuck to phishing campaigns and one-off hacks of crypto firms and other major organizations.
- "Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware," the Mandiant report says.