Lazarus Sub-Group Labyrinth Chollima Uncovered as Mastermind in 3CX Supply Chain Attack

April 12, 2023 | Ravie Lakshmanan | Software Security / Cyber Attack


Enterprise communications service provider 3CX has confirmed that a supply chain attack targeting desktop applications for Windows and macOS was carried out by a threat actor linked to North Korea.

The findings come from an interim assessment by Google-owned Mandiant, whose services were retained after the intrusion came to light late last month. The threat intelligence and incident response firm is tracking the activity under its uncategorized cluster name UNC4736.

It is worth noting that cybersecurity firm CrowdStrike attributes the attack to a Lazarus sub-group it calls Labyrinth Chollima, citing overlaps in tactics.

Based on analysis from multiple security vendors, the attack chain used DLL side-loading to load an information stealer known as ICONIC Stealer, followed by a second stage called Gopuram that was deployed selectively against cryptocurrency companies.

Mandiant's forensic investigation found that the threat actor infected 3CX systems with malware codenamed TAXHAUL, which is designed to decrypt and load shellcode containing a "complex downloader" labeled COLDCAT.

"On Windows, the attacker used DLL side-loading to achieve persistence for the TAXHAUL malware," 3CX said. "The persistence mechanism also ensures the attacker's malware is loaded at system startup, allowing the attacker to retain remote access to the infected system over the internet."

The company further states that the malicious DLL (wlbsctrl.dll) was loaded by the Windows IKE and AuthIP IPsec Keying Modules (IKEEXT) service through the legitimate system process svchost.exe.
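The IKEEXT service's attempt to load wlbsctrl.dll is a well-known "phantom DLL" side-loading target: the library is only expected on hosts where the Network Load Balancing feature is installed, so on most machines any load of it by svchost.exe deserves a look, and an unsigned copy or one resolved from outside System32 is a strong signal. The following detection logic is an added example written for this article, not code from 3CX, Mandiant, or any of the vendors named here. It assumes Sysmon Event ID 7 (ImageLoad) records exported as JSON Lines with Sysmon's own field names (Image, ImageLoaded, Signed, SignatureStatus, Signature); the sample events are constructed.

```python
"""Flag wlbsctrl.dll image loads (IKEEXT phantom-DLL side-loading) in Sysmon telemetry.

Added example, not code from 3CX or Mandiant. Assumes Sysmon Event ID 7 records as
JSON Lines with Sysmon field names; the sample events below are constructed.
"""
import json
import ntpath
from typing import Optional

SUSPECT_DLL = "wlbsctrl.dll"          # DLL name abused in the 3CX compromise (per 3CX/Mandiant)
SYSTEM32 = r"c:\windows\system32"     # the only directory a genuine copy would live in

# Constructed Sysmon Event ID 7 (ImageLoad) records, one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # Ordinary load by svchost.exe; not the DLL we care about, must be ignored.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    # Validly signed copy in System32: plausible only where NLB is installed (low).
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wlbsctrl.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    # Unsigned copy dropped into System32 by an attacker with admin rights (high).
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wlbsctrl.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    # Unsigned copy resolved through the DLL search order from elsewhere (high, two reasons).
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\Temp\wlbsctrl.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    # A non-ImageLoad event (process create) that the scanner must skip.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s IKEEXT"},
])


def classify_image_load(event: dict) -> Optional[dict]:
    """Return a finding for a wlbsctrl.dll load, or None if the event is irrelevant."""
    if event.get("EventID") != 7:
        return None
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != SUSPECT_DLL:
        return None

    reasons = []
    # Search-order hijack: a genuine copy can only come from System32.
    if ntpath.dirname(loaded).lower() != SYSTEM32:
        reasons.append("loaded from outside System32 (DLL search-order / PATH hijack)")
    # A planted DLL will not carry a valid Microsoft signature.
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus") == "Valid"
                 and "microsoft" in event.get("Signature", "").lower())
    if not signed_ok:
        reasons.append("not validly Microsoft-signed")

    severity = "high" if reasons else "low"
    if not reasons:
        reasons.append("wlbsctrl.dll loaded; expected only where the NLB feature is installed")
    return {
        "severity": severity,
        "host_process": ntpath.basename(event.get("Image", "")),
        "image_loaded": loaded,
        "reasons": reasons,
    }


def scan(jsonl: str) -> list:
    """Run classify_image_load over a JSON Lines export and collect the findings."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        finding = classify_image_load(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():4} {f['host_process']} -> {f['image_loaded']}: "
              + "; ".join(f["reasons"]))
```

The low-severity branch is deliberate: a correctly signed wlbsctrl.dll in System32 is benign on an NLB host, so the rule surfaces it for a one-time baseline check rather than alerting every boot. Point the same logic at EDR image-load telemetry with the field names mapped, and pair it with a file-integrity check of System32 for the DLL on build and distribution servers, which is where the 3CX tampering took place.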

The macOS systems targeted in the attack were backdoored with a different malware strain called SIMPLESEA, a C-based implant that communicates over HTTP to execute shell commands, transfer files, and update its configuration.

Malware strains detected within the 3CX environment have been observed connecting to at least four command-and-control (C2) servers: [.]com, akamaicontainer[.]com, journalide[.]org, and msboxonline[.]com.


3CX CEO Nick Galea said in a forum post last week that the company was aware of "only a handful of cases" where the malware was actually activated, adding that it is "working on strengthening our policies, practices and technology to protect against future attacks." An updated version of the app has since been made available to customers.

It is currently unknown how the attackers breached 3CX's network, or whether the intrusion involved the exploitation of a known or unknown vulnerability. The supply chain compromise is being tracked under the identifier CVE-2023-29059 (CVSS score: 7.8).
