The X_Trader supply chain attack may be more widespread than initially thought.
Welcome to Cyber Security Today. It’s Monday, April 24th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Last month IT security professionals were stunned to learn that the 3CX desktop telephony client used by many businesses had been compromised in a supply chain attack. Then last week came the surprising news that the compromise started when a 3CX employee downloaded a trojanized version of X_Trader, an application for professional futures traders. That made it a supply chain attack within a supply chain attack. Now the latest surprise: four other organizations that downloaded the compromised X_Trader were also victimized, according to researchers at Symantec. Two of the four are unnamed energy companies, one in the U.S. and the other in Europe. The other two are unidentified financial trading firms. It means this supply chain attack may be wider than people realize. A North Korean group is believed to be responsible for compromising X_Trader. North Korean-sponsored actors are known to conduct both espionage and financially motivated attacks, Symantec says, and it's possible that strategically important organizations breached during a financially motivated campaign are then targeted for further exploitation. The compromised X_Trader software installs a backdoor on victims' computers.
Trojanized installers for Zoom, Cisco Systems' AnyConnect client, ChatGPT and Citrix Workspace are circulating on the internet. According to researchers at Secureworks, they carry the Bumblebee malware loader, which may lead to the delivery of ransomware. These fake installers are being spread through malicious Google Ads and through phishing messages sent to potential victims. IT departments may allow employees to download some applications for business use, but staff should be told that those downloads may only come from approved vendor websites or app stores, and never from an ad or an offer that arrives by email.
Attention IT administrators who run Kubernetes clusters: attackers are abusing Kubernetes' role-based access control (RBAC) to create backdoors into clusters. According to researchers at Aquasec, this is another example of the dangers of misconfigured Kubernetes clusters. The researchers gained their insight from an attack on an Aquasec honeypot, a deliberately exposed system left on the internet to observe how attackers work. In this case a deliberately misconfigured API server let an attacker reach the cluster's RBAC configuration. From there the attacker could create a new account for themselves, giving them persistent access, and ultimately steal data. The lesson is that Kubernetes clusters have to be carefully configured, starting with the API server and its role bindings, to avoid exploitation.
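The check an administrator would want after hearing that item is an audit of the cluster's RBAC objects for the two things described above: an API server that hands real permissions to callers it has not authenticated, and a new identity bound to an all-powerful role. The script below is an added example written for this page; it is not code from Aquasec or from the podcast. It assumes the misconfiguration takes the form of bindings to the anonymous user or the unauthenticated group (an assumption; the report summary above does not say which setting was wrong), it reads the JSON that `kubectl get clusterroles,clusterrolebindings -o json` prints, and the sample objects at the bottom are constructed for the demo. The attacker-style names in the sample are likewise invented.

```python
"""Audit Kubernetes cluster-scoped RBAC objects for backdoor-style misconfigurations.

Added example, not from Aquasec or the podcast.  Input is the JSON `List` that
`kubectl get clusterroles,clusterrolebindings -o json` prints; only the fields
used below (kind, metadata.name, rules, roleRef, subjects) are required.
"""
import json

# Subjects the API server treats as "anyone": unauthenticated callers, the
# anonymous user, and every authenticated principal including service accounts.
UNTRUSTED_SUBJECTS = {
    ("Group", "system:unauthenticated"),
    ("Group", "system:authenticated"),
    ("User", "system:anonymous"),
}

# Roles Kubernetes itself binds to those groups by default.  They only expose
# discovery endpoints, so binding them is normal; anything else is a finding.
DEFAULT_DISCOVERY_ROLES = {
    "system:basic-user",
    "system:discovery",
    "system:public-info-viewer",
}


def is_wildcard_role(role):
    """True when any rule grants every verb on every resource (cluster-admin-like)."""
    return any(
        "*" in rule.get("verbs", []) and "*" in rule.get("resources", [])
        for rule in role.get("rules") or []
    )


def split_items(kubectl_json):
    """Split a kubectl List into (ClusterRoles, ClusterRoleBindings) by kind."""
    items = json.loads(kubectl_json)["items"]
    roles = [i for i in items if i["kind"] == "ClusterRole"]
    bindings = [i for i in items if i["kind"] == "ClusterRoleBinding"]
    return roles, bindings


def audit_rbac(kubectl_json):
    """Return sorted finding strings for the supplied RBAC objects."""
    roles, bindings = split_items(kubectl_json)
    # cluster-admin plus any role that is wildcard on everything.
    powerful = {"cluster-admin"} | {r["metadata"]["name"] for r in roles if is_wildcard_role(r)}
    findings = []
    for b in bindings:
        bname = b["metadata"]["name"]
        role = b["roleRef"]["name"]
        for s in b.get("subjects") or []:
            kind, name = s["kind"], s["name"]
            # Condition 1: a non-discovery role handed to anonymous/unauthenticated callers.
            if (kind, name) in UNTRUSTED_SUBJECTS and role not in DEFAULT_DISCOVERY_ROLES:
                findings.append(f"{bname}: {role} granted to untrusted subject {kind}/{name}")
            # Condition 2: an all-powerful role bound to a service account, the
            # shape an attacker-created persistent identity takes.
            if kind == "ServiceAccount" and role in powerful:
                ns = s.get("namespace", "")
                findings.append(f"{bname}: all-powerful role {role} bound to ServiceAccount {ns}/{name}")
    return sorted(findings)


# Constructed sample: one normal default binding, one anonymous grant, and one
# wildcard role bound to a service account whose name mimics a system component.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "system:public-info-viewer"},
         "rules": [{"nonResourceURLs": ["/healthz", "/version"], "verbs": ["get"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "kube-controller"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "anonymous-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "system:controller-kube-controller"},
         "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
         "subjects": [{"kind": "ServiceAccount", "name": "kube-controller", "namespace": "kube-system"}]},
    ],
})

if __name__ == "__main__":
    for finding in audit_rbac(SAMPLE):
        print(finding)
```

Run it against a live cluster with `kubectl get clusterroles,clusterrolebindings -o json > rbac.json` and `audit_rbac(open("rbac.json").read())`. It deliberately tolerates the three discovery roles Kubernetes binds to `system:authenticated` and `system:unauthenticated` out of the box, so a clean cluster produces no findings. It only inspects RBAC objects; whether the API server accepts anonymous requests at all is a separate check, for example `kubectl auth can-i --list --as=system:anonymous`, and namespaced RoleBindings are not covered here.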
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.