Massive 3CX Supply-Chain Hack Targeted Cryptocurrency Firms
Software supply chain attacks, in which hackers corrupt widely used applications to push their own code to thousands or even millions of machines, have become a scourge, both insidious and potentially very impactful. But the latest major software supply chain attack, in which hackers apparently working on behalf of the North Korean government hid their code in the installer for the popular VoIP application 3CX, so far seems to have had a far narrower goal: breaking into a handful of cryptocurrency companies.
Researchers at Russian cybersecurity firm Kaspersky today revealed that they have identified a handful of crypto-focused companies among the victims of the 3CX software supply chain attack that came to light this past week. Kaspersky declined to name any of the victim companies, but noted that they are based in “West Asia.”
Security firms CrowdStrike and SentinelOne last week attributed the activity to North Korean hackers, who compromised the 3CX installer software used by 600,000 organizations worldwide, according to the vendor. Despite the potential scale of that attack, which SentinelOne calls “SmoothOperator,” Kaspersky has now found that the hackers screened the victims infected with the corrupted software and ultimately pursued fewer than 10 machines, at least as far as Kaspersky can observe, and that they appear to be focusing on crypto companies with “surgical precision.”
“All of this is aimed at only a small group of companies, maybe not just in the cryptocurrency sector, but what we find is that one of the interests of the attackers is crypto companies,” said Georgy Kucherin, a researcher on Kaspersky’s GReAT security analysis team. “Cryptocurrency companies should be particularly concerned about this attack, as they can be targets, and they should scan their systems for further compromises.”
Kaspersky came to that conclusion based on the finding that, in some cases, the 3CX supply chain hackers used their access to eventually install a flexible backdoor program called Gopuram on victim machines, which the researchers describe as “the final payload in the attack chain.” Kaspersky said the presence of that malware also points to North Korea: Gopuram was previously seen on the same networks as another piece of malware, AppleJeus, that has been linked to North Korean hackers. Gopuram has also been observed connecting to AppleJeus-like command-and-control infrastructure in the past, and Kaspersky has previously seen Gopuram used to target crypto companies. All of which suggests that not only was the 3CX attack carried out by North Korean hackers, but that it may also have been aimed at compromising crypto companies in order to steal from them, a common tactic North Korean hackers use to raise funds for the Kim Jong Un regime.
It has become a recurring theme for sophisticated state-sponsored hackers to exploit software supply chains to gain access to the networks of thousands of organizations, only to narrow their attention to a few victims. In the infamous 2020 SolarWinds spy campaign, for example, Russian hackers compromised the Orion IT monitoring software to push malicious updates to about 18,000 victims, but they appear to have stolen data from only a few dozen of them. In the earlier supply chain breach of the CCleaner software, a Chinese hacker group known as Barium or WickedPanda compromised as many as 700,000 PCs, but likewise chose to target a relatively short list of tech companies.