Security News

Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus. It's worth noting that cybersecurity firm CrowdStrike has attributed the attack to a Lazarus sub-group dubbed Labyrinth Chollima, citing tactical overlaps.

VoIP communications company 3CX confirmed today that a North Korean hacking group was behind last month's supply chain attack. "Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus," 3CX CISO Pierre Jourdan said today.

Researchers at Russian cybersecurity firm Kaspersky today revealed that they identified a small number of cryptocurrency-focused firms as at least some of the victims of the 3CX software supply-chain attack that's unfolded over the past week. Kaspersky declined to name any of those victim companies, but it notes that they're based in "Western Asia.".

The adversary behind the supply chain attack targeting 3CX deployed a second-stage implant specifically singling out a small number of cryptocurrency companies. The backdoor's links to North Korea stem from the fact that it "Co-existed on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus," detailing an attack on an unnamed crypto firm located in Southeast Asia in 2020.

Some of the victims affected by the 3CX supply chain attack have also had their systems backdoored with Gopuram malware, with the threat actors specifically targeting cryptocurrency companies with this additional malicious payload. VoIP communications company 3CX was compromised by North Korean threat actors tracked as Lazarus Group to infect the company's customers with trojanized versions of its Windows and macOS desktop apps in a large-scale supply chain attack. Kaspersky has discovered that the Gopuram backdoor previously used by the Lazarus hacking group against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload in the same incident into the systems of a limited number of affected 3CX customers.

Five days have passed since the supply chain attack targeting 3CX customers gained wider public attention, but the software's manufacturer is yet to confirm how the Windows and macOS desktop apps have been compromised by the attackers. "On March 29th, 3CX received reports from a third party of a malicious actor exploiting a vulnerability in our product. We took immediate steps to investigate the incident, retaining Mandiant, leading global cybersecurity experts," 3CX CEO Nick Galea stated on Sunday.

The CEO of VoiP software provider 3CX said his team tested its products in response to recent alerts notifying it of a supply chain attack, but assessed reports of a malware infestation were a false positive. Nick Galea told The Register by email that 3CX did not ignore alerts but rather "Chose to double check our desktop app on VirusTotal and since it gave our app the all clear we considered the SentinelOne alert a false positive. It's not unusual for VoIP apps. We checked again a few days later and got the same result."

Microsoft unveils AI-powered Security Copilot analysis toolMicrosoft has unveiled Security Copilot, an AI-powered analysis tool that aims to simplify, augment and accelerate security operations professionals' work. Prioritizing data security amid workforce disruptionsIn this Help Net Security video, Chris Wey, President of Data Modernization at Rocket Software, discusses the risks organizations face and the steps they can take to mitigate disruption.

A 10-year-old Windows vulnerability is still being exploited in attacks to make it appear that executables are legitimately signed, with the fix from Microsoft still "Opt-in" after all these years. Even worse, the fix is removed after upgrading to Windows 11.

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack. In the interim, it's urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422.