VoIP communications company 3CX today confirmed that a North Korean hacking group was behind last month’s supply chain attack.
“Based on Mandiant’s investigation of the 3CX intrusion and supply chain attack so far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that the ‘UNC4736 has a connection to North Korea,’ 3CX CISO Pierre Jourdan said today.
The attackers infected 3CX systems with malware known as Taxhaul (or TxRLoader), which deployed a second-tier malware downloader named Coldcat by Mandiant.
The malware has achieved persistence on compromised systems through sideloading DLLs through legitimate Microsoft Windows binaries, which makes it harder to detect.
Additionally, it automatically loaded during system startup on all infected devices, granting attackers remote access via the Internet.
“On Windows, the attacker used DLL sideloading to persist the TAXHAUL malware. The DLL was loaded by the legitimate Windows service IKEEXT via the legitimate Windows binary svchost.exe,” Jourdan said. said.
The macOS systems targeted by the attack were also hacked with malware named Simplesea which Mandiant is still analyzing to determine if it overlaps with previously known malware families.
“Supported backdoor commands include executing shell commands, transferring files, executing files, managing files, and updating configuration. It can also be tasked with testing connectivity a provided IP address and port number,” Jourdan added.
Malware deployed by UNC4736 on 3CX’s network connected to multiple command and control (C2) servers under attackers’ control, including azureonlinecloud[.]com, akamaicontainer[.]com, journalide[.]org and msboxonline[.]com.
3CX has yet to disclose how the supply chain attack was carried out in the first place, whether its development environment was compromised or by some other method.
Since the attack was first revealed, Kaspersky has also discovered that a backdoor known as Gopuram, which has been used by the North Korean-backed Lazarus hacking group against cryptocurrency companies since at least 2020, was also dropped as a second stage payload in the same incident on compromised devices of a limited number of 3CX customers.
3CX confirmed for the first time that its 3CXDesktopApp Electron-based desktop client was compromised in a supply chain attack to deploy malware a day later news of the attack surfaced on March 29 and more than a week after customers began reporting the software was flagged as malicious by security solutions from SentinelOne, CrowdStrike, ESET, Palo Alto Networks and SonicWall.
The company advised clients to uninstall the impacted Electron desktop client from all Windows and macOS devices (a bulk uninstall script is available here) and immediately switch to the Progressive Client Web App (PWA) offering similar functionality.
After the incident (follow up as CVE-2023-29059) was leaked, BleepingComputer also reported threat actors exploited a 10-year-old Windows vulnerability (CVE-2013-3900) to camouflage malicious DLLs grouping payloads as legitimately signed.
3CX claims that its 3CX Phone System is used by more than 600,000 businesses worldwide and more than 12 million users daily, with the customer list including leading companies and organizations like American Express, Coca-Cola, McDonald’s, Air France, IKEA, UK’s National Health Service and several car manufacturers.