Saturday , January 18 2025

3CX supply chain attack appears to have been conducted by North Korean hackers with the goal of targeting cryptocurrency firms.

More information has come to light on the recent 3CX supply chain attack, which appears to have been conducted by North Korean hackers with the goal of targeting cryptocurrency companies.

Cybersecurity firm Kaspersky has conducted its own analysis of the incident and found links to attacks observed by the company back in 2020.

AWS Patches Multiple Vulns in WorkSpaces, AppStream 2.0

Amazon Web Services (AWS) has recently fixed two major security vulnerabilities in its cloud services: Amazon WorkSpaces, Amazon AppStream 2.0,...
Read More
AWS Patches Multiple Vulns in WorkSpaces, AppStream 2.0

Malware Trends Review 2024: Ever Recorded Cyber Threats

Last year saw a significant rise in cyber threats, with malware becoming more advanced and attack strategies more sophisticated. A...
Read More
Malware Trends Review 2024: Ever Recorded Cyber Threats

Botnet Exploits 13,000 MikroTik Devices Abusing Misconfigured DNS

A recent Infoblox Threat Intel report reveals a sophisticated botnet that exploits DNS misconfigurations to spread malware widely. This botnet,...
Read More
Botnet Exploits 13,000 MikroTik Devices Abusing Misconfigured DNS

CVE-2024-9042
Code Execution Vulnerability Found in Kubernetes Windows Nodes

A new security flaw traced, CVE-2024-9042, poses a serious risk to Kubernetes clusters with Windows worker nodes. It has a...
Read More
CVE-2024-9042  Code Execution Vulnerability Found in Kubernetes Windows Nodes

Hacker leaked 15k config files and VPN passwords of FortiGate firewall device

The hacking group "Belsen Group" has posted over 15,000 unique FortiGate firewall configurations online. The data dump, reportedly obtained by exploiting...
Read More
Hacker leaked 15k config files and VPN passwords of FortiGate firewall device

Registration open for 1st Agile Cyber Drill 2025

Registration open for "1st Agile Cyber Drill-2025" scheduled for February 26, 2025 online with an awards ceremony for 9 March...
Read More
Registration open for 1st Agile Cyber Drill 2025

30 Days to Go for FutureCrime Summit 2025

The FutureCrime Summit 2025 is just 30 days away. This conference is the largest on technology-driven crime, covering topics like...
Read More
30 Days to Go for FutureCrime Summit 2025

Microsoft January 2025 Patch, 159 Vuls, 10 Critical RCE’s

Microsoft's January Patch Tuesday update fixed 159 vulnerabilities, including 10 critical Remote Code Execution (RCE) issues. These updates are essential...
Read More
Microsoft January 2025 Patch, 159 Vuls, 10 Critical RCE’s

CVE-2023-37936
Fortinet released update for a critical cryptographic key vuln

Fortinet released security patches for a critical vulnerability (CVE-2023-37936) involving a hard-coded cryptographic key. This flaw lets remote, unauthorized attackers...
Read More
CVE-2023-37936  Fortinet released update for a critical cryptographic key vuln

Millions of Accounts Vulnerable due to Google’s OAuth Flaw

A critical flaw in Google’s "Sign in with Google" system has put millions of Americans at risk of data theft....
Read More
Millions of Accounts Vulnerable due to Google’s OAuth Flaw

Those attacks involved a backdoor dubbed Gopuram, which had been spotted on systems belonging to a Southeast Asian cryptocurrency firm. Gopuram was present at the time on compromised devices alongside AppleJeus, malware linked to North Korea’s Lazarus group.

Kaspersky has seen only few Gopuram infections since 2020, but there was a surge in March 2023 and an analysis revealed that the surge was a result of the 3CX supply chain attack. The hackers behind the 3CX attack likely delivered the Gopuram malware to victims that were deemed of interest.

According to Kaspersky, Gopuram was deployed on less than 10 devices as part of the 3CX attack, mainly belonging to cryptocurrency companies, which suggests that the operation was aimed at this sector.

This would not be surprising considering that North Korean state-sponsored hackers have been known to steal significant amounts of cryptocurrency. UN experts said recently that last year they stole between $630 million and more than $1 billion worth of virtual assets. Cryptocurrency is used by Pyongyang to fund its national priorities and objectives, including cyber operations.

Kaspersky’s investigation further points to North Korean government-backed hackers being behind the 3CX attack, after companies such as CrowdStrike and Sophos also found links to the Lazarus group.

3CX says its business communication products are used by 600,000 companies worldwide, including major brands. The malware distributed through 3CX may have been pushed to thousands of companies, but the hackers were not interested in all of these companies. Instead, based on Kaspersky’s data, they were looking for cryptocurrency companies to which they could deliver the full-fledged Gopuram backdoor, which the security firm believes is the main implant and the final payload in the attack chain.

Fortinet and BlackBerry previously reported seeing many victims in Europe, North America and Australia. Kaspersky said it saw many infections in Brazil, Germany, Italy and France.

It’s unclear how the hackers gained initial access to 3CX systems, and whether they exploited any known or unknown vulnerability, but the identifier CVE-2023-29059 has been assigned to the 3CXDesktopApp compromise.

Once they gained access to the vendor’s systems — this is believed to have occurred sometime in the fall of 2022, or possibly the end of summer — the hackers apparently compromised 3CX’s development systems and abused them to deliver trojanized 3CXDesktopApp installers for Windows and macOS. These installers download additional payloads that collect information, including browser data, from the infected system.

The goal is likely to identify victims of interest to which additional payloads, such as the Gopuram malware, would be delivered.

It’s believed that the operation was detected in its initial stages, before it reached the magnitude of the SolarWinds incident.

3CX, whose initial response to the breach was criticized by many for being slow, is still investigating the attack, with the aid of Mandiant. The company has advised users to uninstall its desktop applications and instead rely on the PWA web client.

SecurityWeek has compiled a list of information and tools that can be useful to defenders. Also check out our additional coverage of the 3CX supply chain hack.

 

Check Also

LDAPNightmware

Fake LDAPNightmware exploit on GitHub spreads malware

A deceptive proof-of-concept exploit for CVE-2024-49113, known as “LDAPNightmare,” on GitHub spreads infostealer malware that …

Leave a Reply

Your email address will not be published. Required fields are marked *