North Korean Hackers Target Cryptocurrency Firms in Massive 3CX Supply Chain Hack – Here's What Happened
Russian cybersecurity firm Kaspersky has warned of a new form of attack on cryptocurrency firms, which it says is carried out with "surgical precision" by hackers using corrupted software.
Kaspersky's research identified several crypto-focused companies as victims of the 3CX software supply-chain attack in the past week.
While it did not name the targeted firms, it did reveal they were based in "western Asia".
The attack, which is believed to have been carried out on behalf of the North Korean government, involved corrupting the widely used VoIP application, 3CX, to push the hackers' code onto victims' machines.
The hackers failed
Georgy Kucherin, a researcher on Kaspersky's GReAT team of security analysts, said that this attack type is "becoming very common," and explained:
"During supply-chain attacks, the threat actor conducts reconnaissance on the victims, collecting information, then they filter out this information, selecting victims to deploy a second-stage malware.”
The filtering is meant to help the attackers avoid detection, given that deploying the second-stage malware to many victims becomes easier to detect.
However, something seems to have gone wrong here.
The 3CX supply-chain attack was detected quickly, at least compared to others, Kucherin said. Security companies like CrowdStrike and SentinelOne detected the installation of the initial malware last week already, less than a month after it was deployed.
"They tried to be stealthy, but they failed," Kucherin says. "Their first-stage implants were discovered."
CrowdStrike and SentinelOne identified North Korean hackers as the attackers who compromised 3CX installer software used by 600,000 organizations globally, per Wired.
Kaspersky further found that the hackers sifted through the victims they infected to identify and deliberately target "fewer than 10 machines" connected to crypto firms. This is at least the data gathered so far.
It seems that it is becoming more common for state-sponsored hackers to exploit software supply chains in order to infect thousands of organizations, but then only focus on a few victims.
Kusherin was quoted as saying that,
"This was all just to compromise a small group of companies, maybe not just in cryptocurrency, but what we see is that one of the interests of the attackers is cryptocurrency companies. [...] Cryptocurrency companies should be especially concerned about this attack because they are the likely targets, and they should scan their systems for further compromise."
But because the attackers were caught, it's yet unclear if the campaign was successful. Kucherin said that Kaspersky so far hasn't seen any evidence of actual crypto theft from the companies found to be targeted with this specific malware.
More companies, including those outside of the crypto industry, are likely future targets. Tom Hegel, a security researcher with SentinelOne, added that,
"The current theory at this point is that the attackers did initially target crypto firms to get into those high-value organizations. [...] I’m going to guess that once they saw the success of this, and the kinds of networks they were in, other objectives probably came into play."
He added that the situation is "unfolding very quickly," and that there is still more to learn about the victims and potential targets. "But from an attacker standpoint," Hegel said, "if all they did was target crypto firms, this was a dramatic wasted opportunity."
A third of crypto users fell victim to scams
Meanwhile, Kaspersky surveyed 2,000 Americans in October last year, finding that a third of those who owned crypto also experienced it being stolen.
The average value of theft was $97,583.
A third said they had fallen victim to a fraudulent crypto-related website or investment scam.
Among the victims, 19% saw their identities stolen, while 27% saw their personal details stolen and money from their bank accounts.
Marco Rivero, a senior security researcher at Kaspersky GReAT, said that "this survey data shows a lot of people are getting their crypto stolen and even experiencing identity theft."
Users should keep an eye out for phishing scams and fake websites, employ any extra security measures available to them, such as multi-factor authentication, and use strong, unique passwords across all accounts, Rivero advised.
Meanwhile, hackers stealing crypto for the North Korean regime is not a new phenomenon. You can read more about it below.
- New Report Exposes How North Korean Hackers Use Cloud Computing to Launder Crypto Loot – Should You Be Worried?
- Wallet Addresses Linked to $200 Million Euler Exploit and Axie Infinity Hack Mysteriously Interact – Are North Korean Hackers Involved?
- Seoul: Sanctions May Be Ineffective Against North Korea’s Crypto Hacks
- New North Korean Ransomware Threat to ‘Major Institutions’ Detected, Say South Korea, US
- Web 3 Hackers Are Getting Smarter: Here’s How to Stay Safe
- Is Cryptocurrency Safe to Invest in 2023? How to Avoid Crypto Scams