North Korean Attack on 3CX Involved a Rare Double Supply Chain Compromise
New Lazarus campaign targets Linux for first time, Europe’s air-traffic control agency under DDoS attacks, China developing satellite cyber attacks, CFPB employee emailed 256K consumer records, more
Researchers at Mandiant discovered that 3CX, a VoIP provider whose software was corrupted by North Korea to spread malware to potentially hundreds of thousands of its customers, was itself the victim of corrupted software from financial software firm Trading Technologies, a rare, or perhaps even unprecedented, example of a single group of hackers using one software supply chain attack to carry out a second one.
The two linked supply chain attacks were conducted by Kimsuky (also tracked as Emerald Sleet or Velvet Chollima), which is widely believed to be working on behalf of the North Korean regime.
Mandiant says the hackers somehow managed to slip backdoor code into an application available on Trading Technologies' website known as X_Trader. That infected app, when it was later installed on the computer of a 3CX employee, allowed the hackers to spread their access through 3CX's network, reach a server 3CX used for software development, corrupt a 3CX installer application, and…