cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Even more victims found in complex 3CX supply chain attack

Security researchers at Symantec have uncovered a number of new victims in the supply chain attack that saw 3CX’s video conferencing software compromised.

user icon David Hollingworth
Mon, 24 Apr 2023
Even more victims found in complex 3CX supply chain attack
expand image

However, these are not downstream victims of the 3CX hack but rather victims of the same malicious software that compromised 3CX in the first place.

Symantec’s Threat Hunter Team reported the discovery on 22 April, so it’s entirely possible that more victims have turned up since then.

At that stage, however, it had discovered four further infections but declined to name the victims.


“Initial investigation by Symantec’s Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organisations in the energy sector, one in the US and the other in Europe,” Symantec’s researchers said in a blog post.

“In addition to this, two other organisations involved in financial trading were also breached.”

Like other researchers, and even 3CX itself, Symantec concurs that the threat actor is likely linked to the DPRK.

“North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks, and it cannot be ruled out that strategically important organisations breached during a financial campaign are targeted for further exploitation,” Symantec added.

Researchers at Mandiant found that 3CX’s video conferencing software was compromised by another, prior supply chain attack last week. Someone at 3CX had downloaded an apparently legitimate app from trading software provider Trading Technologies — an app that was itself compromised.

The software in question was called X_TRADER, and though the app has been discontinued, it is still available on Trading Technologies’ website. But the North Korean Lazarus group had already compromised that software.

Once inside 3CX’s systems, the threat actor was able to steal an employee’s credentials, which, in turn, gave the threat actors access to 3CX’s own build environment.

“Once they figured out that they had access to a company that likely has a lot of customers,” said Marius Fodoreanu of Mandiant, “they decided to continue to move forward and compromise the environment and then compromise the software”.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.