Massive 3CX Supply-Chain Hack Targeted Cryptocurrency Firms


Software supply-chain attacks, in which hackers corrupt widely used applications to push their own code to thousands or even millions of machines, have become a scourge, both insidious and potentially huge in the breadth of their impact. But the latest major software supply-chain attack, in which hackers who appear to be working on behalf of the North Korean government hid their code in the installer for a common VoIP application known as 3CX, seems so far to have had a prosaic goal: breaking into a handful of cryptocurrency companies.

Researchers at Russian cybersecurity firm Kaspersky today revealed that they identified a small number of cryptocurrency-focused firms as at least some of the victims of the 3CX software supply-chain attack that’s unfolded over the past week. Kaspersky declined to name any of those victim companies, but it notes that they’re based in “western Asia.” 

Security firms CrowdStrike and SentinelOne last week pinned the operation on North Korean hackers, who compromised 3CX installer software that’s used by 600,000 organizations worldwide, according to the vendor. Despite the potentially massive breadth of that attack, which SentinelOne dubbed “Smooth Operator,” Kaspersky has now found that the hackers combed through the victims infected with its corrupted software to ultimately target fewer than 10 machines—at least as far as Kaspersky could observe so far—and that they seemed to be focusing on cryptocurrency firms with “surgical precision.”

“This was all just to compromise a small group of companies, maybe not just in cryptocurrency, but what we see is that one of the interests of the attackers is cryptocurrency companies,” says Georgy Kucherin, a researcher on Kaspersky’s GReAT team of security analysts. “Cryptocurrency companies should be especially concerned about this attack because they are the likely targets, and they should scan their systems for further compromise.”

Kaspersky based that conclusion on the discovery that, in some cases, the 3CX supply-chain hackers used their attack to ultimately plant a versatile backdoor program known as Gopuram on victim machines, which the researchers describe as “the final payload in the attack chain.” Kaspersky says the appearance of that malware also represents a North Korean fingerprint: It has seen Gopuram used before on the same network as another piece of malware, known as AppleJeus, linked to North Korean hackers. It’s also previously seen Gopuram connect to the same command-and-control infrastructure as AppleJeus, and has seen Gopuram used previously to target cryptocurrency firms. All of that suggests not only that the 3CX attack was carried out by North Korean hackers, but that it may have been intended to breach cryptocurrency firms in order to steal from those companies, a common tactic of North Korean hackers ordered to raise money for the regime of Kim Jong-Un.

It has become a recurring theme for sophisticated state-sponsored hackers to exploit software supply chains to access the networks of thousands of organizations, only to winnow their focus down to a few victims. In 2020’s notorious Solar Winds spy campaign, for instance, Russian hackers compromised the IT monitoring software Orion to push malicious updates to about 18,000 victims, but they appear to have stolen data from only a few dozen of them. In the earlier supply chain compromise of the CCleaner software, the Chinese hacker group known as Barium or WickedPanda compromised as many as 700,000 PCs, but similarly chose to target a relatively short list of tech firms.

#Massive #3CX #SupplyChain #Hack #Targeted #Cryptocurrency #Firms


Related Posts

Marvel’s Blade Movie Delayed by Writer’s Strike

[ad_1] Marvel’s vampire hunter Blade is a fierce warrior but he may have finally met his match: labor unions. The upcoming, long-in-development reboot of the Marvel franchise…

How to Watch the Coronation of King Charles III Live

[ad_1] King Charles III officially shed his princedom when Queen Elizabeth II died, and the British royal’s new position will be formalized on May 6 in a coronation…

‘Quordle’ today: See each ‘Quordle’ answer and hints for May 6

[ad_1] If Quordle is a little too challenging today, you’ve come to the right place for hints. There aren’t just hints here, but the whole Quordle solution….

How to use a passkey instead of a password to sign into your Google account

[ad_1] Passwords have always been a necessary evil, giving you the choice of either using one that is too simple (so you can easily remember it) or…

Amazon quietly acquired audio content discovery engine Snackable AI to boost its podcast projects

[ad_1] Amazon quietly acquired New York-based audio content discovery engine Snackable AI last December to boost its podcast features, as first reported by New York Post. The…

Warhammer 40K’s New Tyranid Screamer-Killer Is a Great Update

[ad_1] A new edition of Warhammer 40K means new models—and for some of the 40-year-old wargaming franchise’s creatures and characters, that means updates they’ve not had in…

Leave a Reply

Your email address will not be published. Required fields are marked *