3CX Hackers Target Critical Infrastructure | Microsoft Hacker Taxonomy
In this episode of GRXcerpts:
3CX hackers target critical infrastructure
A warning to critical infrastructure organizations in the UK
The new hacker taxonomy announced by Microsoft
3CX Hackers Target Critical Infrastructure
The hacking group responsible for the supply chain attack targeting the software company 3CX has struck again. Several other organizations have been breached using the trojanized X_TRADER application, at least two in the energy sector and two in financial services. According to Symantec, “The attackers behind these breaches clearly have a successful template for software supply chain attacks, and further similar attacks cannot be ruled out.”
The North Korean hacking group Lazarus is believed to be behind the attacks; it typically engages in espionage and financially motivated attacks. The 3CX incident resulted from an employee downloading a trojanized installer of the X_TRADER software, which deployed a multi-stage backdoor that executed shellcode, injected a communication module into a Chrome, Firefox, or Edge process, and then terminated itself. Once inside, the attackers were able to steal corporate credentials from the employee’s device and used them to move laterally through 3CX’s network, eventually breaching both the Windows and macOS build environments. In March, security researchers reported that the 3CX Desktop App contained malware. Mandiant, which helped investigate the incident, also believes several organizations still don’t know they are compromised.
UK National Cyber Security Centre Alert
The UK National Cyber Security Centre (or NCSC) has issued an alert to critical national infrastructure organizations warning of an emerging threat from state-aligned groups. Organizations most likely to be targeted are those sympathetic to Russia’s invasion of Ukraine.
The NCSC reports that a new class of Russian cyber adversaries appeared a year and a half ago, and their threats are ideologically motivated rather than financially driven. Additionally, these threat actors are not subject to formal state control, so their actions are less constrained and more unpredictable. The groups are expected to look for opportunities to disrupt operations and spread misinformation, and they prey on poorly protected systems. The NCSC recommends that larger organizations use the Cyber Assessment Framework to help identify areas for improvement.
Microsoft Hacker Naming Taxonomy
And in other news, Microsoft has announced a new naming taxonomy to track cyber attacks. Hackers will now be named after the weather instead of the old naming convention using trees, volcanoes and elements. According to Microsoft, the new taxonomy will provide better context to customers and security researchers, offer a more organized and memorable way to reference adversary groups, and help organizations better prioritize threats and make well-informed decisions.
The taxonomy will include five key groups: nation-state actors, financially motivated actors, private sector offensive (or PSOA) actors, influence operations, and groups still in development. As an example, if a threat comes from an unknown source, Microsoft will give it the temporary name “Storm” and a four-digit number.
Nation-state hackers will receive names based on weather events where the groups are operating: Typhoon for China, Sandstorm for Iran, Sleet for North Korea, and Blizzard for Russia, as examples.
Similarly, phishers and financially driven hacking groups will be called “Tempest,” PSOAs will be called “Tsunami,” and influence operations and manipulative information campaigns will be called “Flood.”
Type of Attack                                   Family Name
Nation-state                                     Typhoon (China), Sandstorm (Iran), Sleet (North Korea), Blizzard (Russia)
Financially motivated                            Tempest
Private Sector Offensive Actor (PSOA)            Tsunami
Influence Operations / Manipulative information  Flood
Groups in development                            Storm, followed by a four-digit number
Microsoft says all existing threat actors have been reassigned to the new taxonomy. So Cozy Bear, also known as “APT29,” which is suspected of perpetrating the 2020 SolarWinds attack, is no longer called “Nobelium” but, under the new taxonomy, becomes “Midnight Blizzard.”
The Russian-affiliated threat actor “Strontium,” which successfully disrupted Microsoft last year, is now called “Forest Blizzard.” And the hacker group “Lapsus$,” which attacked Microsoft, Nvidia, and Samsung, changes from “DEV-0537” to “Strawberry Tempest.”
We can only imagine what boardroom conversations will be like now as you share you’ve been breached, and the perpetrator was Pumpkin Sandstorm.
All information is current as of April 24, 2023. Subscribe to receive future episodes as they are released.