Security News > 2023 > April > N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX
The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.
Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "Software supply chain attack lead to another software supply chain attack."
The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer.
The attack chain then made use of open source tools like SIGFLIP and DAVESHELL to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that's capable of sending data, executing shellcode, and terminating itself.
UNC4736 is suspected to be a threat group with North Korean nexus, an assessment that's been reinforced by ESET's discovery of an overlapping command-and-control domain employed in the supply chain attack and that of a Lazarus Group campaign called Operation Dream Job.
3CX, in an update shared on April 20, 2023, said it's taking steps to harden its systems and minimize the risk of nested software-in-software supply chain attacks by enhancing product security, incorporating tools to ensure the integrity of its software, and establishing a new department for Network Operations and Security.
News URL
https://thehackernews.com/2023/04/nk-hackers-employ-matryoshka-doll-style.html
Related news
- Chinese State Hackers Target Tibetans with Supply Chain, Watering Hole Attacks (source)
- Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others (source)
- Hackers steal Windows NTLM authentication hashes in phishing attacks (source)
- Hackers impersonate U.S. government agencies in BEC attacks (source)
- Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks (source)
- US sanctions APT31 hackers behind critical infrastructure attacks (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor (source)
- Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack (source)
- TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (source)