Massive 3CX supply chain hack targeting cryptocurrency companies


Software supply chain attacks, in which hackers compromise widely used applications to push their own code onto thousands or even millions of machines, have become a scourge that can be insidious and potentially enormous in scope. But the latest major software supply chain attack, in which hackers appearing to work on behalf of the North Korean government hid code in a popular VoIP application called 3CX, appears to have a more prosaic goal: breaking into a handful of cryptocurrency companies.

Researchers at Russian cybersecurity firm Kaspersky have identified at least a small number of cryptocurrency-focused organizations as victims of last week’s 3CX software supply chain attack. Kaspersky declined to name any of the victim companies, but said they were based in “West Asia.”

Security firms CrowdStrike and SentinelOne last week linked the operation to North Korean hackers who compromised the 3CX installer software, which the vendor says is used by 600,000 organizations worldwide. Despite the sheer scale of that attack, which SentinelOne called “SmoothOperator,” Kaspersky now says the hackers combed through the victims running the compromised software to ultimately target fewer than 10 machines, at least as far as Kaspersky has confirmed so far, and that they seem to have focused on cryptocurrency companies with “surgical precision.”

“All this was just to compromise a small group of companies, maybe not only in cryptocurrency, but one of the interests of the attackers is cryptocurrency companies,” said Georgiy Kucherin, a researcher at Kaspersky’s GReAT security analyst group. “Cryptocurrency companies should be concerned about this attack because they are potential targets and should check their systems for more compromises.”

Kaspersky based its findings on the fact that, in some cases, the 3CX supply chain hackers used their access to eventually install a multipurpose backdoor known as Gopuram on victims’ machines, which the researchers called “the final payload in the attack chain.” Kaspersky said that the appearance of that malware represented a North Korean fingerprint: Kaspersky had seen Gopuram used on the same network as another piece of malware linked to North Korean hackers, called AppleJeus. Gopuram has also been seen connecting to the same command-and-control infrastructure as AppleJeus, and Gopuram has previously been used to target cryptocurrency companies. All of this indicates not only that the 3CX attack was carried out by North Korean hackers, but also that it was intended to hack cryptocurrency companies in order to steal from them on behalf of the regime of Kim Jong-un.

It has become a recurring theme that sophisticated government-sponsored hackers use the software supply chain to gain access to the networks of thousands of organizations, only to narrow their focus to a few victims. In 2020’s infamous SolarWinds spying campaign, for example, Russian hackers compromised the IT monitoring software Orion to push malicious updates to nearly 18,000 victims, but appear to have stolen data from only a few dozen. A Chinese hacking group known as Barium or WickedPanda previously compromised up to 700,000 PCs in the CCleaner software supply chain attack, but chose to target a similarly short list of tech companies.
