Cryptocurrency Companies Targeted in Sophisticated 3CX Supply Chain Attack

The Hacker News

The adversary behind the supply chain attack targeting 3CX deployed a second-stage implant specifically singling out a small number of cryptocurrency companies.

Russian cybersecurity firm Kaspersky, which has been internally tracking the versatile backdoor under the name Gopuram since 2020, said it observed an increase in the number of infections in March 2023 coinciding with the 3CX breach.

Gopuram’s primary function is to connect to a command-and-control (C2) server and await further instructions that allow the attackers to interact with the victim’s file system, create processes, and launch as many as eight in-memory modules.

The backdoor’s links to North Korea stem from the fact that it “co-existed on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus,” Kaspersky said, describing an attack on an unnamed crypto firm located in Southeast Asia in 2020.

The targeting of cryptocurrency companies is another telltale sign of the Lazarus Group’s involvement, given the threat actor’s recurring focus on the financial industry to generate illicit profits for the sanctions-hit nation.

Kaspersky further said it identified a C2 overlap with a server (“wirexpro[.]com”) that was previously identified as employed in an AppleJeus campaign documented by Malwarebytes in December 2022.

“As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision,” the company pointed out, adding that the highest infection rates have been detected in Brazil, Germany, Italy, and France.

While the attack chain discovered so far entails the use of rogue installers to distribute an information stealer (known as ICONIC Stealer), the latest findings suggest that the ultimate goal of the campaign may have been to infect targets with the full-fledged modular backdoor.

That said, it’s not known how successful the campaign has been, or whether it has led to the actual theft of sensitive data or cryptocurrency. It does, however, raise the possibility that ICONIC Stealer was used as a reconnaissance utility to cast a wide net and identify targets of interest for follow-on exploitation.

The development comes as BlackBerry revealed that “the initial phase of this operation took place somewhere between the end of summer and the beginning of fall 2022.”

A majority of the attack attempts, per the Canadian company, have been registered in Australia, the U.S., and the U.K., with healthcare, pharma, IT, and finance emerging as the top targeted sectors.

It’s currently unclear how the threat actor obtained initial access to the 3CX network, or whether it entailed the exploitation of a known or unknown vulnerability. The compromise is being tracked under the identifier CVE-2023-29059.


Evidence collected to date indicates that the attackers poisoned 3CX’s development environment and delivered trojanized versions of the legitimate app to the company’s downstream customers in a SolarWinds or Kaseya-like supply chain attack.

One of the malicious components responsible for retrieving the info-stealer, a library named “d3dcompiler_47.dll,” has also been spotted weaponizing a 10-year-old Windows flaw (CVE-2013-3900) to incorporate encrypted shellcode without invalidating its Microsoft-issued signature.

A point worth noting here is that the same technique was adopted by a ZLoader malware campaign unearthed by Israeli cybersecurity firm Check Point Research in January 2022.
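The technique the two preceding paragraphs describe works because Authenticode hashes a PE file with the security directory (the WIN_CERTIFICATE blob) excluded, so bytes placed after the end of the PKCS#7 SignedData structure, inside that blob, do not disturb the signature unless Windows is told to check the padding; the CVE-2013-3900 entry at the end of this page describes the same validation gap. A defender can detect files abused this way by comparing the length the WIN_CERTIFICATE header claims with the length the DER structure inside it actually encodes. The scanner below is an added example written for this page, not code from The Hacker News, Kaspersky, Check Point or Microsoft: `scan_pe` locates the security directory in a PE file, and `check_win_certificate` flags any entry whose trailing bytes exceed the legitimate 8-byte alignment padding. The `build_entry`, `build_fake_pe` and `FAKE_PKCS7` helpers construct a minimal synthetic PE32+ skeleton and a toy DER stand-in for a real SignedData blob so the check runs offline; their layout and names are assumptions made for this example.

```python
import struct

# WIN_CERTIFICATE header fields (winnt.h): dwLength, wRevision, wCertificateType
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
SECURITY_DIRECTORY_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY


def der_total_length(buf, offset=0):
    """Total size (tag + length bytes + content) of the DER element at offset."""
    if len(buf) < offset + 2:
        raise ValueError("DER header truncated")
    first = buf[offset + 1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < offset + 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(buf[offset + 2:offset + 2 + n], "big")


def check_win_certificate(entry):
    """Inspect one WIN_CERTIFICATE entry for bytes hidden after the PKCS#7 blob."""
    dw_length, revision, cert_type = WIN_CERT_HEADER.unpack_from(entry, 0)
    if dw_length < 8 or dw_length > len(entry):
        raise ValueError("dwLength inconsistent with entry size")
    cert = entry[8:dw_length]
    if not cert or cert[0] != 0x30:       # PKCS#7 SignedData starts with a DER SEQUENCE
        raise ValueError("bCertificate is not a DER SEQUENCE")
    der_len = der_total_length(cert)
    if der_len > len(cert):
        raise ValueError("PKCS#7 structure truncated")
    trailing = cert[der_len:]
    # dwLength is rounded up to a multiple of 8, so up to 7 zero bytes are legitimate padding;
    # anything longer, or any non-zero byte, is data the signature never covered.
    benign_padding = len(trailing) <= 7 and not any(trailing)
    return {
        "revision": revision,
        "type": cert_type,
        "pkcs7_length": der_len,
        "trailing_bytes": len(trailing),
        "suspicious": not benign_padding,
    }


def find_security_directory(pe):
    """Return (file_offset, size) of the security directory; unlike other directories it holds a raw file offset."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directory offset
    return struct.unpack_from("<II", pe, dir_base + SECURITY_DIRECTORY_INDEX * 8)


def scan_pe(pe):
    """Walk every WIN_CERTIFICATE entry in the security directory and report findings."""
    off, size = find_security_directory(pe)
    findings = []
    end = off + size
    while off + 8 <= end:
        dw_length = struct.unpack_from("<I", pe, off)[0]
        findings.append(check_win_certificate(pe[off:off + dw_length]))
        off += (dw_length + 7) & ~7        # entries are 8-byte aligned
    return findings


# --- constructed test fixtures (assumed layout, not taken from any real binary) ---

# Toy stand-in for a PKCS#7 SignedData: a DER SEQUENCE wrapping one INTEGER.
FAKE_PKCS7 = b"\x30\x03\x02\x01\x01"


def build_entry(pkcs7, appended=b""):
    """Constructed WIN_CERTIFICATE: clean, or with extra bytes after the DER structure."""
    body = pkcs7 + appended
    length = 8 + len(body)
    padded = (length + 7) & ~7
    return (WIN_CERT_HEADER.pack(padded, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
            + body + b"\x00" * (padded - length))


def build_fake_pe(entry):
    """Constructed minimal PE32+ skeleton whose security directory points at `entry`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=x64, 0 sections, SizeOfOptionalHeader=240, Characteristics=0x22
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    cert_offset = e_lfanew + 24 + 240
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIRECTORY_INDEX] = (cert_offset, len(entry))
    opt = struct.pack("<H", 0x20B) + b"\x00" * 110 + b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + coff + opt + entry


if __name__ == "__main__":
    for label, appended in (("clean", b""), ("bytes after PKCS#7", b"\xDE\xAD\xBE\xEF" * 4)):
        for finding in scan_pe(build_fake_pe(build_entry(FAKE_PKCS7, appended))):
            print(label, finding)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `scan_pe`; a `suspicious` finding means the signature directory carries data the Authenticode hash never covered, which is what the trojanized `d3dcompiler_47.dll` relied on. The check is purely structural and does not replace signature verification: it should be combined with a normal WinVerifyTrust or `signtool verify` pass. Microsoft’s own fix for CVE-2013-3900 is opt-in and is enabled through the `EnableCertPaddingCheck` value under `HKLM\Software\Microsoft\Cryptography\Wintrust\Config` (and the `Wow6432Node` counterpart on 64-bit Windows), which makes WinVerifyTrust reject such files outright.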

Multiple versions of the desktop app – 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS – have been impacted. 3CX has since pinned the attack on a “highly experienced and knowledgeable hacker.”

CrowdStrike has tied the incident to a North Korea-aligned nation-state group it tracks under the moniker Labyrinth Chollima, a sub-cluster within the Lazarus Group.


Related news

Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild. Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20

Lazarus Sub-Group Labyrinth Chollima Uncovered as Mastermind in 3CX Supply Chain Attack

Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus. The findings are the result of an interim assessment conducted by Google-owned Mandiant, whose services were enlisted after the intrusion came to light late last month. The threat intelligence

Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs

The April 2023 Patch Tuesday security update also included a reissue of a fix for a 10-year-old bug that a threat actor recently exploited in the supply chain attack on 3CX.

3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor

"Gopuram" is a backdoor that North Korea's Lazarus Group has used in some campaigns dating back to 2020, some researchers say.

CVE-2023-29059: CWE-506: Embedded Malicious Code (4.10)

3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the Electron macOS application.

CVE-2013-3900: Archived MSDN and TechNet Blogs

The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."