N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX

Cascading supply chain attack

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.

Mandiant, owned by Google, which follows the attack event under the nickname UNC4736said the incident is the first time an “attack on the software supply chain leads to another attack on the software supply chain.”

The Matryoshka-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that the Windows and macOS versions of its communication software were trojanized to deliver a miner of data based on C/C++ called ICONIC Stealer using a SUDDENICON, which used icon files hosted on GitHub to extract the server containing the steal.

“The malicious application attempts to steal sensitive information from the victim user’s web browser,” the US Cyber ​​and Infrastructure Security Agency (CISA) said in an analysis of the malware. “Specifically, it will target Chrome, Edge, Brave or Firefox browsers.”

Some attacks targeting cryptocurrency companies also involved the deployment of a next-stage backdoor called Gopuram that is capable of executing additional commands and interacting with the victim’s file system.

Mandiant’s investigation into the sequence of events has now revealed that patient zero is a malicious version of now-discontinued software provided by a fintech company called Trading Technologies, which a 3CX employee downloaded onto his personal computer.

He described the initial intrusion vector as “a software package with malware distributed through an earlier compromise of the software supply chain that began with a rigged installer for X_TRADER.”

This rogue installer, in turn, contained a configuration binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to sideload one of the DLLs that has been disguised as a legitimate dependency .

The attack chain then made use of open source tools such as SIGFLIP and DAVESHELL to extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that is capable of sending data, executing shell code d orders and end.

The initial compromise of the employee’s PC with VEILEDSIGNAL allowed the threat actor to obtain the individual’s corporate credentials, two days after which the first unauthorized access to the employee’s network occurred. 3CX via a VPN leveraging stolen credentials.

Cascading attack on the supply chain at 3CX

In addition to identifying tactical similarities between the compromised applications X_TRADER and 3CXDesktopApp, Mandiant found that the threat actor subsequently moved laterally within the 3CX environment and breached Windows and macOS build environments.

“In the Windows build environment, the attacker deployed a TAXHAUL launcher and a COLDCAT unloader that persisted by sideloading DLLs via the IKEEXT service and ran with LocalSystem privileges,” Mandiant said. “The macOS build server was compromised with the POOLRAT backdoor using Launch Daemons as a persistence mechanism.”

POOLRAT, previously classified by threat intelligence firm SIMPLESEA, is a macOS C/C++ implant capable of gathering basic system information and executing arbitrary commands, including performing file operations.

UNC4736 is suspected to be a threat group with North Korean nexus, an assessment that has been strengthened by ESET’s discovery of an overlapping command and control (C2) domain (journalide).[.]org) used in the supply chain attack and in a Lazarus Group campaign called Operation Dream Job.

Evidence collected by Mandiant shows that the group shares commonalities with another set of intrusions tracked as Operation AppleJeus, which has a history of conducting attacks for financial reasons.


Learn how to stop ransomware with real-time protection

Join our webinar and learn how to stop ransomware attacks with real-time MFA and service account protection.

Save my seat!

Additionally, the breach of Trading Technologies’ website is said to have occurred in early February 2022 to trigger a multi-stage infection chain responsible for serving unknown payloads to site visitors by weaponizing a zero-day flaw in Google Chrome (CVE). -2022-0609).

“The site www.tradingtechnologies[.]how it was compromised and hosted a hidden IFRAME to exploit visitors, just two months before the site was known to be offering an X_TRADER trojan software package,” Mandiant explained.

Another link connecting it to AppleJeus is the threat actor’s previous use of an earlier version of POOLRAT as part of a long-running campaign that spreads trading apps with explosive cheats like CoinGoTrade to facilitate cryptocurrency theft.

The full scale of the campaign is unknown and it is currently unclear whether the compromised X_TRADER software was used by other companies. The platform was decommissioned in April 2020, but was still available for download from the site in 2022.

3CX, in an update shared on April 20, 2023, said it is taking steps to harden its systems and minimize the risk of malware attacks in the software supply chain by improving product security, incorporating tools to guarantee the integrity of its software and creation of a new Department of Network Operations and Security.

“The cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea’s interests,” Mandiant said.

Did you find this article interesting? Follow us at Twitter and LinkedIn to read more exclusive content we publish.

Source link
Ikaroa, a leading full stack tech company, has been tracking a new sophisticated supply chain attack executed by the infamous N.K. Hackers Group. The attack, which employed a “matryoshka doll”-style cascading attack vector, successfully breached the cybersecurity protections of 3CX, a popular VoIP provider.

According to security researchers, the N.K. Hackers group is believed to be part of a North Korean cybercrime syndicate and it employed a sophisticated two-pronged attack. First, the hackers created a multi-layered series of malicious programs, cleverly disguised as normal software updates. The malicious payload was then unleashed upon 3CX, exploiting a previously-unknown system vulnerability and gaining access to the VoIP provider’s network.

Once the N.K. Hackers had obtained access, they created an intricate system of maliciously-crafted interwoven supply chains that transferred information, either collecting credentials or using the newly-gained control to build a backdoor into the system. The goal of the attack was to embed malicious ransomware within 3CX, allowing the hackers to take advantage of security flaws within the system.

While the attack was ultimately unsuccessful, ethical hacking experts are still working to uncover the full scope and extend of the N.K. Hackers attempt. Nevertheless, the attack serves as a stark reminder of the need for stringent and proactive security measures – especially when it comes to VoIP providers.

At Ikaroa, we believe that as a full stack tech company, it is our responsibility to keep our customers safe and secure. We are committed to helping our users stay vigilant against the evolving threats in cyber security. We will continue to monitor and analyze information arising from this security incident and take all necessary steps to ensure the safety of our systems and data.


Leave a Reply

Your email address will not be published. Required fields are marked *