X_TRADER Supply Chain Attack Has Additional Victims
Symantec’s Threat Hunter Team says that the X_Trader supply chain attack that affected 3CX also affected at least four other organizations – two in the energy sector and two in the financial sector. A trojanized version of the X_Trader installer was used to compromise 3CX systems, which allowed that company’s software to become compromised as well.
The Symantec report doesn’t detail how the Trojaned X_Trader software got on the additional victims’ PCs. A safe guess is the same path as 3CX: reusable passwords used for corporate access from employee-owned Windows PCs were harvested after users downloaded the trojaned installer onto their home computers. Yet another big reminder about (1) matching controls with policy, as it seems like the majority of organizations do have policy requiring 2FA, but haven’t implemented it; and (2) such “hybrid” work from home on employee-owned and vulnerable Windows PCs did not go away when Covid mask requirements ended.
Two topics to run to ground here: have they got a toehold in my network and can they spread laterally? For the first one, use the IOCs in the Symantec or Mandiant reports to determine if you have the trojanized X_Trader in your environment. For the second, consider your trust relationships. Beyond MFA to the endpoint, what happens with SSO? Can users SSO to any endpoint or to just those they have a need to access? What about privilege escalation? Do you have UAC set to always? How about requiring MFA for privileged actions? Do all your users have admin on their endpoints or do you only provide it where approved? Are you leveraging a PAM solution to manage local admin accounts? Leverage incremental increases in security to raise the bar.
The X_Trader application was built to support futures trading. Potential victims of the boogered version are likely trading institutions. If you are a company that uses the application, assume you’ve been breached until you are able to validate the X_Trader application with its developer – Trading Technologies.
It is now clear that at least some APTs are concentrating on software suppliers and the leverage they provide. In the face of an increase in risk, suppliers should consider a hiatus in shipments until they are satisfied that they can meet their obligation to customers not to ship contaminated code. The necessary changes to their processes to improve security will likely also lead to a general increase in efficiency.
William Hugh Murray
Read more in:
Symantec: X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe
Dark Reading: Critical Infrastructure Organizations Further Affected in 3CX Breach
Bleeping Computer: Critical infrastructure also hit by supply chain attack behind 3CX breach
Security Week: North Korean 3CX Hackers Also Hit Critical Infrastructure Orgs: Symantec
The Register: That 3CX supply chain attack keeps getting worse: More victims found