
Executive Summary
In March 2023, a critical software supply chain compromise was discovered affecting the 3CX Desktop App, a prominent enterprise communication tool. This breach was part of a larger attack chain initiated by a prior compromise involving Trading Technologies' X_TRADER software. The attack was attributed to a North Korean threat actor group known as UNC4736, which has a history of targeting the cryptocurrency and fintech sectors. The compromised versions of the 3CX Desktop App included malicious code that facilitated the download of additional payloads, posing significant risks to users' data security.
Technical Information
The 3CX software supply chain compromise is a sophisticated attack that began with a tampered X_TRADER installer, which was available on the Trading Technologies website. This installer was used to deploy a modular backdoor named VEILEDSIGNAL. The trojanized version of 3CX’s software, which contained a downloader known as SUDDENICON, was then distributed via the 3CX website. This downloader connected to command and control (C2) servers to retrieve further payloads, including ICONICSTEALER, a data miner targeting browser information.
The attack leveraged DLL side-loading techniques and utilized tools such as SIGFLIP and DAVESHELL for payload decryption and execution. The VEILEDSIGNAL backdoor facilitated process injection and C2 communications, allowing the attackers to maintain persistence and exfiltrate sensitive data. The attack employed various MITRE ATT&CK techniques, including T1190 (Exploit Public-Facing Application), T1195 (Supply Chain Compromise), and T1574 (Hijack Execution Flow).
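The DLL side-loading technique (ATT&CK T1574) mentioned above has a recognisable shape in endpoint telemetry: a legitimate, signed executable maps a DLL whose name normally resolves from the Windows system directory, but the copy it loads sits in the application's own folder. The following detector is an added example written for this write-up; it is not code from Mandiant, 3CX or Rescana. It assumes image-load events flattened to `Key="value"` lines in the style of Sysmon Event ID 7, and every log line, path, DLL name and the small system-DLL allowlist are constructed for the demo.

```python
"""Heuristic detector for DLL side-loading in image-load telemetry (ATT&CK T1574).

Added example, not from the original report. Assumes Sysmon-style Event ID 7
(ImageLoaded) records flattened to Key="value" lines; all lines, paths and
DLL names below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# DLL base names that normally resolve from the Windows system directory.
# Constructed, deliberately small allowlist for the demo; a real deployment
# would derive this from a clean reference host.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "winhttp.dll", "cryptsp.dll"}

# Locations where those DLLs are expected to be loaded from.
SYSTEM_DIRS = (r"c:\windows\system32" + "\\", r"c:\windows\syswow64" + "\\")

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class ImageLoad:
    image: str    # process executable that performed the load
    loaded: str   # full path of the DLL that was mapped
    signed: str   # signature status reported for the DLL ("true"/"false")


def parse_line(line: str) -> ImageLoad:
    """Parse one flattened Key="value" event line into an ImageLoad record."""
    fields = dict(FIELD_RE.findall(line))
    return ImageLoad(fields["Image"], fields["ImageLoaded"], fields.get("Signed", "false"))


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a DLL that belongs in System32 was instead loaded from the
    directory of the process's own executable (the classic side-load shape)."""
    loaded = ev.loaded.lower()
    image = ev.image.lower()
    base_name = loaded.rsplit("\\", 1)[-1]
    if base_name not in SYSTEM_DLLS:
        return False
    if loaded.startswith(SYSTEM_DIRS):
        return False  # loaded from the expected system location
    app_dir = image.rsplit("\\", 1)[0] + "\\"
    return loaded.startswith(app_dir)


def find_sideloads(lines: Iterable[str]) -> List[ImageLoad]:
    """Return every event in the log that matches the side-loading heuristic."""
    return [ev for ev in map(parse_line, lines) if is_sideload_candidate(ev)]


# Constructed sample telemetry: only the first line has the side-load shape.
SAMPLE_LOG = [
    r'Image="C:\Program Files\ExampleApp\ExampleApp.exe" ImageLoaded="C:\Program Files\ExampleApp\version.dll" Signed="false"',
    r'Image="C:\Program Files\ExampleApp\ExampleApp.exe" ImageLoaded="C:\Windows\System32\version.dll" Signed="true"',
    r'Image="C:\Program Files\ExampleApp\ExampleApp.exe" ImageLoaded="C:\Program Files\ExampleApp\appcore.dll" Signed="true"',
    r'Image="C:\Windows\System32\svchost.exe" ImageLoaded="C:\Windows\System32\winhttp.dll" Signed="true"',
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LOG):
        print(f"possible DLL side-load: {hit.image} loaded {hit.loaded} (signed={hit.signed})")
```

The heuristic is intentionally narrow: it only fires when the loaded DLL's base name is on the system-DLL allowlist and the file came from the loading process's own directory. Pairing a hit with an unsigned or mismatched-publisher signature status, as the `signed` field allows, is what turns a noisy rule into a useful one, because some legitimate installers do ship private copies of system DLLs.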
Exploitation in the Wild
The compromised 3CX software was actively exploited to steal sensitive information from users, with a particular focus on browser data. The attack demonstrated the potential for cascading supply chain compromises, where one compromised software product leads to the compromise of another, amplifying the impact and reach of the attack.
APT Groups using this vulnerability
The attack was orchestrated by UNC4736, a North Korean threat actor group known for its financially motivated cyber operations. This group has been linked to other North Korean clusters involved in targeting the cryptocurrency and fintech sectors, highlighting their strategic focus on financial gain through cybercrime.
Affected Product Versions
The affected software versions include 3CX DesktopApp version 18.12.416 and earlier. These versions contained the malicious code that facilitated the download of additional payloads, posing significant risks to users' data security.
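A first triage step for an organisation is to find every host running a version inside the range stated above. The script below is an added example, not part of this advisory or Mandiant's report; it takes the statement that 3CX DesktopApp 18.12.416 and earlier are affected and flags inventory records at or below that version. The inventory records are constructed, and the record field names (`host`, `product`, `version`) are assumptions about whatever asset inventory export is in use.

```python
"""Flag software-inventory records inside the affected 3CX DesktopApp range.

Added example, not from the original advisory. AFFECTED_MAX reflects the
advisory's "18.12.416 and earlier" statement; the inventory records and
field names are constructed/assumed for the demo.
"""
from typing import Dict, Iterable, List, Tuple

AFFECTED_MAX: Tuple[int, ...] = (18, 12, 416)  # from the advisory text above
PRODUCT = "3CX DesktopApp"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '18.12.416' into (18, 12, 416) so comparison is numeric.

    Comparing version strings lexically would rank '18.12.1000' below
    '18.12.416', which either misses affected hosts or falsely flags clean
    ones. Short versions such as '18.12' are padded to three components.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_affected(version: str) -> bool:
    """True when the version is at or below the advisory's upper bound."""
    return parse_version(version) <= AFFECTED_MAX


def triage(inventory: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hosts running the product into affected / clean / unknown.

    Unparseable or missing versions land in 'unknown' rather than being
    silently treated as clean, so they still get a manual look.
    """
    out: Dict[str, List[str]] = {"affected": [], "clean": [], "unknown": []}
    for rec in inventory:
        if rec.get("product") != PRODUCT:
            continue
        try:
            bucket = "affected" if is_affected(rec["version"]) else "clean"
        except (ValueError, KeyError):
            bucket = "unknown"
        out[bucket].append(rec["host"])
    return out


# Constructed sample inventory export.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": PRODUCT, "version": "18.12.416"},
    {"host": "ws-02", "product": PRODUCT, "version": "18.12.407"},
    {"host": "ws-03", "product": PRODUCT, "version": "18.12.1000"},
    {"host": "ws-04", "product": PRODUCT, "version": "n/a"},
    {"host": "ws-05", "product": "OtherApp", "version": "1.0"},
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The `unknown` bucket matters in practice: inventory tools often report a blank or placeholder version for an install they could not fully enumerate, and those hosts should be inspected rather than assumed patched.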
Workaround and Mitigation
To mitigate the risks associated with this compromise, organizations are advised to implement detection rules provided by Mandiant, including YARA and Snort rules, to identify malicious activity related to this attack. Additionally, organizations should validate their security controls using Mandiant Security Validation actions to ensure resilience against similar threats. Regularly updating software and conducting thorough security audits can also help prevent such compromises.
References
The detailed analysis of this attack was conducted by Mandiant in collaboration with Google Threat Analysis Group (TAG) and Microsoft Threat Intelligence Center (MSTIC). The MITRE ATT&CK framework was used to map the techniques employed by the threat actors. For further details, please refer to the original publication on the Google Cloud Blog: 3CX Software Supply Chain Compromise.
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat detection and response capabilities, ensuring that your organization remains protected against sophisticated attacks like the 3CX software supply chain compromise. We are here to answer any questions you might have about this report or any other cybersecurity concerns. Please feel free to reach out to us at ops@rescana.com.