North Korean Hacker Suspected in 3CX Software Supply Chain Attack

The compromise of the 3CX desktop app has reportedly been traced back to an earlier software supply chain breach, allegedly involving North Korean actors.

According to Mandiant security researchers, the initial breach was traced to malware from the website of financial software company Trading Technologies.

In that earlier attack, the hackers placed a backdoor in an application called X_Trader, which was available for download from the Trading Technologies website. The infected app was later installed on a 3CX employee's computer, which allowed the attackers to spread through the 3CX network.

Mandiant said in an advisory released today that this is the first observed instance of one software supply chain attack leading to another.

“In late March 2023, a software supply chain compromise spread malware via a trojanized version of 3CX’s legitimate software that was available to download from their website,” wrote Mandiant’s Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov and Marius Fodoreanu.

“[The attack] illustrates the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”

According to the security researchers, the affected versions of 3CX were DesktopApp 18.12.416 and earlier, which contained malicious code.


“[The code] ran a downloader, Suddenicon, which received an additional command and control (C2) server address from an encrypted icon file hosted on GitHub.

“The decrypted C2 server was then used to download a third-stage payload called Iconicstealer, a data miner that steals browser information.”

Mandiant said it is currently tracking this malicious activity as UNC4736, a cluster of suspected North Korea-linked activity.

“UNC4736 demonstrates varying degrees of overlap with multiple North Korean operators tracked by Mandiant Intelligence, particularly those involved in financially motivated cybercriminal activities,” the company wrote in the report.

“These clusters demonstrate a long-term focus on cryptocurrencies and fintech-related services.”

Mandiant’s recommendations come months after the UK’s National Cyber Security Centre (NCSC) released guidance to help medium and large enterprises map their supply chain dependencies.
