Investigations have uncovered North Korean hackers as the masterminds behind the 3CX Supply Chain Attack.

3CX, an enterprise communications service provider, has confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the work of a threat actor with a North Korean nexus. This conclusion was reached following an interim assessment by Google-owned Mandiant, which was enlisted after the intrusion came to light late last month. The threat intelligence and incident response unit is tracking the activity under the moniker UNC4736.

CrowdStrike has linked the attack to a Lazarus sub-group known as Labyrinth Chollima, citing tactical overlaps. The cybersecurity firm informed The Hacker News that the latest findings appear to be consistent with their previous attribution.

Security vendors have identified the attack chain as involving the use of DLL side-loading techniques to load an information stealer known as ICONIC Stealer, followed by a second-stage called Gopuram in selective attacks aimed at crypto companies.

Mandiant’s forensic investigation has now revealed that the threat actors infected 3CX systems with malware codenamed TAXHAUL, which is designed to decrypt and load shellcode containing a “complex downloader” labeled COLDCAT.

On Windows, the attacker used DLL side-loading to achieve persistence for the TAXHAUL malware. The persistence mechanism ensures the malware is loaded at system start-up, enabling the attacker to retain remote access to the infected system over the internet. The malicious DLL (wlbsctrl.dll) was loaded by the Windows IKE and AuthIP IPsec Keying Modules (IKEEXT) service through svchost.exe, a legitimate system process.

The macOS systems targeted in the attack are said to have been backdoored using another malware strain referred to as SIMPLESEA, a C-based malware that communicates via HTTP to run shell commands, transfer files, and update configurations.

The malware families detected within the 3CX environment have been observed to contact at least four command-and-control (C2) servers: azureonlinecloud[.]com, akamaicontainer[.]com, journalide[.]org, and msboxonline[.]com.
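The following script is an added example, not code from 3CX, Mandiant, or the article, showing how a defender can turn the two concrete indicators above into checks: it refangs the four published C2 domains and matches them (and their subdomains) against DNS query logs, and it flags the svchost.exe-loads-wlbsctrl.dll pattern in image-load events. The DNS log line format and the Sysmon-style event records are constructed for illustration; the field names `Image` and `ImageLoaded` follow Sysmon Event ID 7, but any EDR export with equivalent fields can be fed in.

```python
"""Detection helpers for the 3CX-related indicators named in the article.

Added example, not code from 3CX, Mandiant, or the article. The DNS log
format and the image-load records below are constructed for illustration.
"""
import re
from typing import Iterable

# C2 domains exactly as published in the article (defanged form).
C2_DOMAINS_DEFANGED = [
    "azureonlinecloud[.]com",
    "akamaicontainer[.]com",
    "journalide[.]org",
    "msboxonline[.]com",
]

# Side-loaded DLL and the host process named in the article.
SIDELOADED_DLL = "wlbsctrl.dll"
HOST_PROCESS = "svchost.exe"


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'a[.]b' back into 'a.b' (lowercased)."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def matches_c2(hostname: str) -> bool:
    """True if hostname is a listed C2 domain or a subdomain of one.

    A trailing dot (FQDN form) is tolerated; lookalikes such as
    'notjournalide.org' or 'journalide.org.example.net' do not match.
    """
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


# Constructed DNS log format: "<timestamp> <client-ip> <query-name> <qtype>"
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log lines (not real telemetry).
SAMPLE_DNS_LOG = [
    "2023-03-29T10:12:01Z 10.0.0.5 update.example-vendor.com A",
    "2023-03-29T10:12:07Z 10.0.0.5 akamaicontainer.com A",
    "2023-03-29T10:13:44Z 10.0.0.9 mail.journalide.org A",
    "2023-03-29T10:14:02Z 10.0.0.9 journalide.org.example.net A",
]


def scan_dns_log(lines: Iterable[str]) -> list[dict]:
    """Return one hit per DNS query for a listed C2 domain (or subdomain)."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, client, qname, _qtype = m.groups()
        if matches_c2(qname):
            hits.append({"timestamp": ts, "client": client, "query": qname})
    return hits


def is_suspicious_image_load(process_image: str, loaded_module: str) -> bool:
    """Flag svchost.exe loading wlbsctrl.dll, the side-loading path the article describes."""
    proc = process_image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    mod = loaded_module.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return proc == HOST_PROCESS and mod == SIDELOADED_DLL


# Constructed image-load records in Sysmon Event ID 7 field naming.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\wlbsctrl.dll"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\wlbsctrl.dll"},
]


def scan_image_loads(events: Iterable[dict]) -> list[dict]:
    """Return the events where svchost.exe loaded wlbsctrl.dll."""
    return [e for e in events if is_suspicious_image_load(e["Image"], e["ImageLoaded"])]


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("C2 DNS query:", hit)
    for ev in scan_image_loads(SAMPLE_IMAGE_LOADS):
        print("Suspicious image load:", ev)
```

The domain matcher deliberately requires either an exact match or a `.`-delimited suffix, so a host named `notjournalide.org` or a query for `journalide.org.example.net` does not produce a false positive. Where a match does fire, pivot on the client address and timestamp to the endpoint's process and image-load telemetry, which is where the wlbsctrl.dll check applies.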

Last week, 3CX CEO Nick Galea stated in a forum post that the company is only cognizant of a “limited number of cases” in which the malware was activated, and that they are endeavoring to “bolster their policies, practices, and technology to guard against prospective attacks.” Subsequently, an updated application has been made available to customers.

It is yet to be determined how the perpetrators were able to breach 3CX’s network, and if it entailed the utilization of an identified or unidentified vulnerability. The supply chain compromise is being monitored under the identifier CVE-2023-29059 (CVSS score: 7.8).
