Skip to main content
close search
site logo

Supply chain attack that hit 3CX caught at least 4 other victims, Symantec says

Malware-laced financial trading software X_Trader ensnared two critical infrastructure organizations in the energy sector, one in the U.S., and one in Europe.

Published April 24, 2023
Matt Kapko's headshot
Senior Reporter
Abstract planet made up of squares.
Gegham Qalajyan via Getty Images

The software supply chain attack against X_Trader has claimed at least four additional victim organizations, the Symantec Threat Hunter Team said Friday.

The compromised software, originally developed by Trading Technology, caused another supply chain attack at 3CX. The newly identified victims include two critical infrastructure organizations in the energy sector and two organizations involved in financial trading. 

Symantec's research built off information Mandiant and 3CX released Thursday following an investigation into the compromise of 3CX and its build environment.

“The information released about the X_Trader compromise enabled us to identify more attacks and additional indicators of compromise,” Dick O’Brien, principal intelligence analyst at Symantec Threat Hunter Team, said via email. 

The intrusion at 3CX occurred when a 3CX employee used their credentials to download malware-laced X_Trader software on their computer. This backdoor allowed the threat actor to access and insert malicious code into the 3CX build environment, Mandiant Consulting CTO Charles Carmakal said Wednesday in a press briefing.

Mandiant warned the likelihood of additional victims from the X_Trader supply chain attack is high. The financial trading software from Trading Technologies was compromised and infected with VeiledSignal malware, a full-feature backdoor, in early 2022.

The software was retired in 2020, but it remained available for download until 2022. It is no longer available. 

X_Trader and 3CX, which has more than 600,000 business customers globally, were compromised by a North Korea-linked adversary Mandiant identifies as UNC4736.

Crowdstrike, which attributed the supply chain attack to Labyrinth Chollima, a prolific advanced persistent threat linked to North Korea and connected to Lazarus, discovered malicious activity on the 3CX desktop app in late March. 3CX quickly hired incident response firm Mandiant to investigate the attack.

There’s no information to suggest another software supply chain attack is linked to the multitiered attack, O’Brien said. “Right now it looks like all are victims of the X_Trader supply chain attack.”

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Tech Ambitions Collide with Reality: 2025 Technology Impact Report Exposes Critical Readiness…
From Omnia Strategy Group, LLC
October 21, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
DigiCert Welcomes Lakshmi Hanspal as New Chief Trust Officer
From DigiCert
October 24, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell