Security News > 2023 > April > North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack
Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus.
It's worth noting that cybersecurity firm CrowdStrike has attributed the attack to a Lazarus sub-group dubbed Labyrinth Chollima, citing tactical overlaps.
The attack chain, based on analyses from multiple security vendors, entailed the use of DLL side-loading techniques to load an information stealer known as ICONIC Stealer, followed by a second-stage called Gopuram in selective attacks aimed at crypto companies.
Mandiant's forensic investigation has now revealed that the threat actors infected 3CX systems with a malware codenamed TAXHAUL that's designed to decrypt and load shellcode containing a "Complex downloader" labeled COLDCAT. "On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware," 3CX said.
MacOS systems targeted in the attack are said to have been backdoored using another malware strain referred to as SIMPLESEA, a C-based malware that communicates via HTTP to run shell commands, transfer files, and update configurations.
3CX CEO Nick Galea, in a forum post last week, said the company is only aware of a "Handful of cases" where the malware was actually activated and that it's working to "Strengthen our policies, practices, and technology to protect against future attacks." An updated app has since been made available to customers.
News URL
https://thehackernews.com/2023/04/lazarus-sub-group-labyrinth-chollima.html
Related news
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- 390,000 WordPress accounts stolen from hackers in supply chain attack (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- OpenWrt orders router firmware updates after supply chain attack scare (source)
- Update your OpenWrt router! Security issue made supply chain attack possible (source)
- Radiant links $50 million crypto heist to North Korean hackers (source)
- Ultralytics Supply-Chain Attack (source)
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks (source)
- Russian hackers use RDP proxies to steal data in MiTM attacks (source)