3CX hack highlights risk of cascading software supply-chain compromises

/in


At the end of March, an international VoIP software company called 3CX with over 600,000 business customers suffered a serious software supply-chain compromise that resulted in both its Windows and macOS applications being poisoned with malicious code. New evidence suggests the attackers, believed to be North Korean state-sponsored hackers, gained access to the company’s network and systems as a result of a different software supply-chain attack involving a third-party application for futures trading.

“The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise,” incident responders from cybersecurity firm Mandiant, who was contracted to investigate the incident, said in a report Thursday. “It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”

The North Korean connection to the 3CX attack

The 3CX hack involved attackers compromising the company’s internal software build servers for Windows and macOS because of lateral movement activity through the company’s network. As a result, they were able to inject malicious libraries into versions of the 3CX Desktop App for Windows and macOS and have them be signed with the developer’s certificate during the build process. The trojanized versions were then delivered as part of the update process.

Windows versions 18.12.407 and 18.12.416 that were shipped in Update 7 were impacted, as well as macOS versions 18.11.1213 shipped with Update 6, and 18.12.402, 18.12.407 and 18.12.416 included in Update 7.

The trojanized Windows version deployed an intermediate malware downloader that Mandiant named SUDDENICON that reaches out to a GitHub repository to obtain command-and-control (C2) addresses hidden inside icon files. The downloader then contacts the C2 server and deploys an information stealer dubbed ICONICSTEALER that collects application configuration data as well as browser history.

Researchers from Kaspersky Lab reported that in some cases the attackers deployed an additional backdoor program on some 3CX victims. This backdoor is known as…

Source…