Tag Archive for: supply

N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX

/in


Cascading Supply Chain Attack

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.

Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a “software supply chain attack lead to another software supply chain attack.”

The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer.

“The malicious application next attempts to steal sensitive information from the victim user’s web browser,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an analysis of the malware. “Specifically it will target the Chrome, Edge, Brave, or Firefox browsers.”

Select attacks targeting cryptocurrency companies also entailed the deployment of a next-stage backdoor referred to as Gopuram that’s capable of running additional commands and interacting with the victim’s file system.

Mandiant’s investigation into the sequence of events has now revealed the patient zero to be a malicious version of a now-discontinued software provided by a fintech company called Trading Technologies, which was downloaded by a 3CX employee to their personal computer.

It described the initial intrusion vector as “a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER.”

This rogue installer, in turn, contained a setup binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to side-load one of the DLLs that’s camouflaged as a legitimate dependency.

The attack chain then made use of open source tools like SIGFLIP and DAVESHELL to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that’s capable of sending data, executing shellcode, and terminating…

Source…

3CX Supply Chain Attack: North Korean Hackers Likely Targeted Cryptocurrency Firms

/in


More information has come to light on the recent 3CX supply chain attack, which appears to have been conducted by North Korean hackers with the goal of targeting cryptocurrency companies.

Cybersecurity firm Kaspersky has conducted its own analysis of the incident and found links to attacks observed by the company back in 2020. 

Those attacks involved a backdoor dubbed Gopuram, which had been spotted on systems belonging to a Southeast Asian cryptocurrency firm. Gopuram was present at the time on compromised devices alongside AppleJeus, malware linked to North Korea’s Lazarus group.

Kaspersky has seen only few Gopuram infections since 2020, but there was a surge in March 2023 and an analysis revealed that the surge was a result of the 3CX supply chain attack. The hackers behind the 3CX attack likely delivered the Gopuram malware to victims that were deemed of interest.

According to Kaspersky, Gopuram was deployed on less than 10 devices as part of the 3CX attack, mainly belonging to cryptocurrency companies, which suggests that the operation was aimed at this sector. 

This would not be surprising considering that North Korean state-sponsored hackers have been known to steal significant amounts of cryptocurrency. UN experts said recently that last year they stole between $630 million and more than $1 billion worth of virtual assets. Cryptocurrency is used by Pyongyang to fund its national priorities and objectives, including cyber operations.

Kaspersky’s investigation further points to North Korean government-backed hackers being behind the 3CX attack, after companies such as CrowdStrike and Sophos also found links to the Lazarus group. 

3CX says its business communication products are used by 600,000 companies worldwide, including major brands. The malware distributed through 3CX may have been pushed to thousands of companies, but the hackers were not interested in all of these companies. Instead, based on Kaspersky’s data, they were looking for cryptocurrency companies to which they could deliver the full-fledged Gopuram backdoor, which the security firm believes is the main implant and the final payload in the attack chain.

Fortinet and BlackBerry previously reported

Source…

Europe, North America Most Impacted by 3CX Supply Chain Hack

/in


Organizations in Europe, North America and Australia seem to account for the highest percentage of victims of the supply chain hack that hit business communication company 3CX.

According to data collected by Fortinet, based on the number of devices connecting to attacker-controlled infrastructure, the highest percentage of victims is in Italy, followed by Germany, Austria, the United States, South Africa, Australia, Switzerland, the Netherlands, Canada and the United Kingdom. 

Looking at regional data, Europe is at the top of the chart with 60%, followed by North America with 16%. 

“This may indicate that the threat actor is mainly targeting enterprises in those regions – however, this is uncertain. This could be indicative of 3CX product’s geographic customer base – including the possibility of various multinational corporations operating inside those regions,” Fortinet noted. 

BlackBerry’s security researchers have also seen many apparent victims in Australia, the United States and the United Kingdom, across the healthcare, pharmaceutical, IT, and financial sectors. 

3CX’s VoIP software is used by more than 600,000 companies worldwide, including major consumer brands, airlines, carmakers and hotels. 

Security firm Huntress noted last week that there are more than 240,000 3CX phone system management consoles that are accessible from the internet, and the company saw over 2,700 instances of compromised binaries on customer systems. 

It was previously reported that the attackers likely had access to 3CX systems for months before the breach was detected. Based on BlackBerry’s own analysis, “the initial phase of this operation took place somewhere between the end of summer and the beginning of fall 2022.”

[ Read: 3CX Supply Chain Hack: Information and Tools for Defenders ]

It’s still unclear how the attackers gained access to 3CX systems, and whether they exploited any known or unknown vulnerability for initial access, but the new identifier CVE-2023-29059 has been assigned to the 3CXDesktopApp compromise. 

Bleeping Computer also reported that the attackers appear to have exploited CVE-2013-3900, a file signature-related vulnerability for which…

Source…

3CX CEO suggests state-sponsored hackers behind supply chain malware attack

/in


Business communications firm 3CX confirmed the downloader for its voice over IP (VoIP) desktop software has been tampered with and now installs a version that sideloads malware onto a victim’s computer

The issue, dubbed ‘SmoothOperator’, is believed to be a supply chain malware attack carried out by a suspected state-sponsored threat actor, with attacks starting last week, according to user reports.

3CX revealed in a blog post on Thursday that it noticed a “security issue” in its Electron Windows App with Update 7, version numbers 18.12.407 & 18.12.416.

It added that antivirus vendors may have flagged the legitimate 3CXDesktopApp.exe and uninstalled it.

3CX said it was still researching the issue, but believes it originated in one of the bundled libraries it compiled into the Windows Electron App via GIT. The domains contacted by the compromised library have already been reported, with most shut off overnight, said CISO Pierre Jourdan.

“A GitHub repository which listed them has also been shut down, effectively rendering it harmless,” he said.

“Worth mentioning – this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state-sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware,” said Jourdan. “The vast majority of systems, although they had the files dormant, were in fact never infected.”

The company is currently working on a new Windows App that isn’t affected by the issue, and will also issue a new certificate for the app. Jourdan said this will take at least 24 hours.

He also encouraged customers to use its PWA app, which is completely web-based. “The advantage is that it does not require any installation or updating and chrome web security is applied automatically,” he said.

3CX CEO Nick Galea said in a company forum post that the issue was reported to the organisation on the evening of 29 March.

He recommended uninstalling the app and installing it again, and added that if customers are running Windows Defender it will uninstall it automatically. Galea said the company is going to analyse the issue and release a report later on Thursday, but is now only…

Source…