The software supply chain attack against X_Trader has claimed at least four additional victim organizations, the Symantec Threat Hunter Team said Friday.
The compromised software, originally developed by Trading Technologies, led to another supply chain attack at 3CX. The newly identified victims include two critical infrastructure organizations in the energy sector and two organizations involved in financial trading.
Symantec's research built off information Mandiant and 3CX released Thursday following an investigation into the compromise of 3CX and its build environment.
“The information released about the X_Trader compromise enabled us to identify more attacks and additional indicators of compromise,” Dick O’Brien, principal intelligence analyst at Symantec Threat Hunter Team, said via email.
The intrusion at 3CX occurred when a 3CX employee used their credentials to download malware-laced X_Trader software on their computer. This backdoor allowed the threat actor to access and insert malicious code into the 3CX build environment, Mandiant Consulting CTO Charles Carmakal said Wednesday in a press briefing.
Mandiant warned that the likelihood of additional victims from the X_Trader supply chain attack is high. The financial trading software from Trading Technologies was compromised and infected with VeiledSignal malware, a full-featured backdoor, in early 2022.
The software was retired in 2020, but it remained available for download until 2022. It is no longer available.
X_Trader and 3CX, which has more than 600,000 business customers globally, were compromised by a North Korea-linked adversary Mandiant identifies as UNC4736.
CrowdStrike, which attributed the supply chain attack to Labyrinth Chollima, a prolific advanced persistent threat linked to North Korea and connected to Lazarus, discovered malicious activity on the 3CX desktop app in late March. 3CX quickly hired incident response firm Mandiant to investigate the attack.
There’s no information to suggest another software supply chain attack is linked to the multitiered attack, O’Brien said. “Right now it looks like all are victims of the X_Trader supply chain attack.”