That 3CX supply chain attack keeps getting worse: More victims found

Tan KW
Publish date: Mon, 24 Apr 2023, 09:16 PM

In Brief: We thought it was probably the case when the news came out, but now it's been confirmed: The X_Trader supply chain attack behind the 3CX compromise last month wasn't confined to the telco developer.

Quite the contrary, in fact, according to Symantec. "To date, [we] found that among the victims are two critical infrastructure organizations in the energy sector, one in the US and the other in Europe. In addition to this, two other organizations involved in financial trading were also breached," Symantec announced without naming any names. 

For those unfamiliar with the incident, 3CX reported a supply chain attack that saw its 3CX DesktopApp compromised with a trojanized version of the X_Trader futures trading app published by Trading Technologies. 

3CX's VoIP products are used by a variety of high-profile clients, including Mercedes Benz, Air France, and the UK's National Health Service. 3CX's CEO copped to the compromise when customers began noticing strange behavior in their instances of the DesktopApp.

It's still not immediately clear when or exactly where the supply chain attack started, but Symantec said it appears to be financially motivated and is targeting critical infrastructure organizations. Symantec added that the behavior lines up with North Korean habits of engaging in financially motivated attacks that double as espionage missions.

With that in mind, "it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation," Symantec warned. 

As we noted in previous coverage of the 3CX attack, North Korea wouldn't be a surprise source. It attacked the X_Trader installer in 2021 to install the VEILEDSIGNAL backdoor. Technical analysis of the malware by both Symantec and Mandiant found traces of VEILEDSIGNAL in the chain of attacks used to compromise installs of 3CX DesktopApp. 

Symantec published a list of indicators of compromise (IoCs) with its analysis of the malware. If your environment is running any 3CX software, it would be prudent to make sure those IoCs are loaded into your security tooling.

Finland sentences CEO for a breach at his company

Leave it to the Finns to come up with such a novel concept: The former CEO of a hacked psychotherapy center was handed a prison sentence for his role in failing to pseudonymize and encrypt patient health records, as required under the EU's General Data Protection Regulation.

The court originally said the seriousness of the crime justified an unconditional jail sentence, but since former boss Ville Tapio had no prior criminal record the court settled on a three-month suspended sentence, the Finnish Broadcasting Company (Yle) reported.

The breach occurred in 2020 and saw tens of thousands of patient records published online, where cyber criminals used the patient records - including session notes and personal details - to blackmail those caught up in the leak. Tapio was fired by the board of the Vastaamo psychotherapy clinic shortly after the breach. 

The court said this week that the company's database stored patient records in plain language without adequate encryption, and characterized Tapio's behavior as "particularly reprehensible" given the sensitive nature of the information Vastaamo stored. 

French police arrested the alleged hacker in the case, Julius "Zeekill" Kivimäki, in February. First identified as a suspect in the case in October of last year, Kivimäki has a considerable cyber crime rap sheet. ®

https://www.theregister.com//2023/04/24/in_brief_security/