North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack
12.4.23 Attack The Hacker News
Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus.
The findings are the result of an interim assessment conducted by Google-owned Mandiant, whose services were enlisted after the intrusion came to light late last month. The threat intelligence and incident response unit is tracking the activity under its uncategorized moniker UNC4736.
It's worth noting that cybersecurity firm CrowdStrike has attributed the attack to a Lazarus sub-group dubbed Labyrinth Chollima, citing tactical overlaps.
The attack chain, based on analyses from multiple security vendors, entailed the use of DLL side-loading techniques to load an information stealer known as ICONIC Stealer, followed by a second-stage called Gopuram in selective attacks aimed at crypto companies.
Mandiant's forensic investigation has now revealed that the threat actors infected 3CX systems with a malware codenamed TAXHAUL that's designed to decrypt and load shellcode containing a "complex downloader" labeled COLDCAT.
"On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware," 3CX said. "The persistence mechanism also ensures the attacker malware is loaded at system start-up, enabling the attacker to retain remote access to the infected system over the internet."
The company further said the malicious DLL (wlbsctrl.dll) was loaded by the Windows IKE and AuthIP IPsec Keying Modules (IKEEXT) service through svchost.exe, a legitimate system process.
macOS systems targeted in the attack are said to have been backdoored using another malware strain referred to as SIMPLESEA, a C-based malware that communicates via HTTP to run shell commands, transfer files, and update configurations.
The malware families detected within the 3CX environment have been observed to contact at least four command-and-control (C2) servers: azureonlinecloud[.]com, akamaicontainer[.]com, journalide[.]org, and msboxonline[.]com.
3CX CEO Nick Galea, in a forum post last week, said the company is only aware of a "handful of cases" where the malware was actually activated and that it's working to "strengthen our policies, practices, and technology to protect against future attacks." An updated app has since been made available to customers.
It's currently not determined how the threat actors managed to break into 3CX's network, and if it entailed the weaponization of a known or unknown vulnerability. The supply chain compromise is being tracked under the identifier CVE-2023-29059 (CVSS score: 7.8).