Security News
The supply-chain attack against 3CX last month was caused by an earlier supply-chain compromise of a different software firm - Trading Technologies - according to Mandiant, whose consulting crew was hired by 3CX to help the VoIP biz investigate the intrusion. "This is the first time that we've ever found concrete evidence of a software supply chain attack leading to another software supply chain attack," Mandiant Consulting CTO Charles Carmakal told reporters on Wednesday.
An investigation into last month's 3CX supply chain attack discovered that it was caused by another supply chain compromise where suspected North Korean attackers breached the site of stock trading automation company Trading Technologies to push trojanized software builds. According to Mandiant, the cybersecurity firm that helped 3CX investigate the incident, the threat group used harvested credentials to move laterally through 3CX's network, eventually breaching both the Windows and macOS build environments.
Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus. It's worth noting that cybersecurity firm CrowdStrike has attributed the attack to a Lazarus sub-group dubbed Labyrinth Chollima, citing tactical overlaps.
VoIP communications company 3CX confirmed today that a North Korean hacking group was behind last month's supply chain attack. "Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus," 3CX CISO Pierre Jourdan said today.
According to Etay Maor, Senior Director Security Strategy at Cato Networks, "It's interesting to note critical infrastructure doesn't necessarily have to be power plants or electricity. A nation's monetary system or even a global monetary system can be and should be considered a critical infrastructure as well." Not to mention the infamous Colonial Pipeline attack, which has become the poster child of critical infrastructure attacks.
The adversary behind the supply chain attack targeting 3CX deployed a second-stage implant specifically singling out a small number of cryptocurrency companies. The backdoor's links to North Korea stem from the fact that it "co-existed on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus," detailing an attack on an unnamed crypto firm located in Southeast Asia in 2020.
Some of the victims affected by the 3CX supply chain attack have also had their systems backdoored with Gopuram malware, with the threat actors specifically targeting cryptocurrency companies with this additional malicious payload. VoIP communications company 3CX was compromised by North Korean threat actors tracked as Lazarus Group to infect the company's customers with trojanized versions of its Windows and macOS desktop apps in a large-scale supply chain attack. Kaspersky has discovered that the Gopuram backdoor, previously used by the Lazarus hacking group against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload in the same incident into the systems of a limited number of affected 3CX customers.
Five days have passed since the supply chain attack targeting 3CX customers gained wider public attention, but the software's manufacturer is yet to confirm how the Windows and macOS desktop apps have been compromised by the attackers. "On March 29th, 3CX received reports from a third party of a malicious actor exploiting a vulnerability in our product. We took immediate steps to investigate the incident, retaining Mandiant, leading global cybersecurity experts," 3CX CEO Nick Galea stated on Sunday.
The CEO of VoIP software provider 3CX said his team tested its products in response to recent alerts notifying it of a supply chain attack, but assessed reports of a malware infestation were a false positive. Nick Galea told The Register by email that 3CX did not ignore alerts but rather "chose to double check our desktop app on VirusTotal and since it gave our app the all clear we considered the SentinelOne alert a false positive. It's not unusual for VoIP apps. We checked again a few days later and got the same result."
Microsoft unveils AI-powered Security Copilot analysis tool: Microsoft has unveiled Security Copilot, an AI-powered analysis tool that aims to simplify, augment and accelerate security operations professionals' work.
Prioritizing data security amid workforce disruptions: In this Help Net Security video, Chris Wey, President of Data Modernization at Rocket Software, discusses the risks organizations face and the steps they can take to mitigate disruption.