Mandiant Also Links 3CX Supply Chain Attack to North Korean Hackers

Business communication company 3CX on Tuesday confirmed previous reports that the recently disclosed supply chain attack was likely conducted by North Korean hackers.

Google-owned Mandiant is investigating the breach and 3CX has released some information from the security firm’s initial analysis. 

“Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus,” 3CX said.

Mandiant found that the hackers targeted 3CX Windows systems with a piece of malware named Taxhaul (aka TxrLoader). Taxhaul uses DLL sideloading to achieve persistence and reduce the likelihood of detection. The malware is designed to deploy a downloader tracked by Mandiant as Coldcat. 

The macOS backdoor used in the attack, named Simplesea, allows attackers to execute shell commands, and transfer and execute files. This piece of malware is still being checked for links to known malware families. 

3CX has shared YARA rules and indicators of compromise (IoCs) that can be used to detect the malware and connections to the attacker’s infrastructure.  

Kaspersky and CrowdStrike previously reported finding links to North Korean state-sponsored threat actors, specifically to Lazarus or one of its subgroups. 

Kaspersky’s own data suggested that the 3CX attack was aimed at cryptocurrency companies, which would not be surprising considering that North Korean hackers have been known to steal large amounts of cryptocurrency, likely to fund Pyongyang’s objectives. 

The cybersecurity firm saw the deployment of a backdoor named Gopuram on less than 10 devices — mainly belonging to cryptocurrency companies — as part of the 3CX supply chain attack. However, 3CX pointed out that the Coldcat malware analyzed by Mandiant is different from Gopuram. 

3CX is still investigating the incident, but for the time being it appears that the attackers compromised its systems in an effort to push malware to the company’s customers. 3CX has 600,000 customers and the initial malware may have been pushed to many of them, but the more sophisticated secondary payload was only delivered to a small number of victims that presented an interest. 

The initial investigations conducted by several cybersecurity firms indicated that 3CX was likely breached sometime in the fall of 2022, but it’s believed that the operation was still in its initial stages when the intrusion was detected.

In addition to sharing more details about the attack, 3CX has described some of the steps it’s taking to improve the security of its applications.

SecurityWeek has compiled a list of information and tools that can be useful to defenders. Also check out our additional coverage of the 3CX supply chain hack.  

Related: Mandiant Catches Another North Korean Gov Hacker Group

Related: UN Experts: North Korean Hackers Stole Record Virtual Assets

Related: North Korean APT Expands Its Attack Repertoire