Decoding the Intricate North Korean Cyberattack on VoIP Provider 3CX: A Real-Life Cyberpunk Espionage

Supply-Chain Attack Origins:

In March 2023, 3CX revealed that their desktop applications for both Windows and macOS had been compromised, allowing attackers to download and run code on all machines where the app was installed. Incident response firm Mandiant was hired to investigate the breach, and their report showed that the compromise began in 2022 when a 3CX employee installed a malware-laced software package from an earlier software supply-chain compromise.

Nested Supply-Chain Attacks:

Mandiant’s report described this as the first instance of a software supply-chain attack leading to another. The attackers used the employee’s corporate credentials to infiltrate 3CX’s network through a VPN and subsequently compromise both the Windows and macOS build environments. This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the April 20 Mandiant report.

Attribution to North Korea’s Lazarus Group:

Mandiant, along with Kaspersky Lab and Elastic Security, attributed the attack to the North Korean state-sponsored hacking group known as Lazarus. The compromised 3CX software downloaded malware that sought instructions from encrypted icon files hosted on GitHub. This eventually led to the deployment of a password-stealing program called ICONICSTEALER.Mandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and Elastic Security.

LinkedIn and Fake Job Offers:

Security firm ESET published research highlighting the connection between the 3CX supply-chain attack and Linux-based malware deployed through fake job offers from phony executive profiles on LinkedIn. This marked the first time Lazarus had targeted Linux users. Bogus LinkedIn profiles have been used to lure targets into opening malware-laced documents disguised as job offers, with the ongoing North Korean espionage campaign first documented in 2020 by ClearSky Security.

Malware Disguised as Legitimate Software:

Microsoft detected social engineering campaigns using fake LinkedIn accounts to impersonate recruiters at technology, defense, and media companies. The attackers disguised their malware as legitimate open-source software like Sumatra PDF and the SSH client Putty. Microsoft attributed these attacks to North Korea’s Lazarus group, previously known as ZINC, now referred to as Diamond Sleet.

Linux Payload and the HSBC Job Offer:

ESET researchers discovered a new fake job lure linked to an ongoing Lazarus campaign on LinkedIn, targeting Linux operating systems. The malware was found in a document offering an employment contract at multinational bank HSBC. Opening the file would display a decoy PDF with a job offer, while in the background, the executable file would download additional malware payloads.

Expect More Victims:

Mandiant researchers anticipate that many more victims will be discovered among the customers of Trading Technologies and 3CX, now that news of the compromised software programs is public. It remains unclear whether the compromised X_Trader software was downloaded by people at other software firms.

Conclusion:

The sophisticated supply-chain attack on 3CX highlights the continually evolving landscape of cyber warfare. As threat actors become increasingly resourceful, businesses and individuals alike must prioritize cybersecurity, remain vigilant, and consistently update their defenses to stay one step ahead of malicious actors.