"North Korean Hacker Suspected in 3CX Software Supply Chain Attack"

The 3CX Desktop App software has been reportedly compromised via a prior software supply chain breach, with a North Korean actor suspected to be responsible.  Security researchers at Mandiant stated the initial compromise was traced back to malware from financial software firm Trading Technologies’ website.  The researchers noted that the first attack saw hackers place a backdoor into an application available on the website known as X_Trader 1.  That infected app, later installed on the computer of a 3CX employee, allowed the hackers to spread their access through 3CX’s network.  Mandiant said this would be the first observed instance of one software supply chain attack leading to another.  The researchers noted that in late March 2023, a software supply chain compromise spread malware via a trojanized version of 3CX’s legitimate software that was available to download from their website.  The researchers stated that the attack shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions, as demonstrated in this investigation.  The security experts said the affected versions of 3CX were DesktopApp 18.12.416 and earlier, which contained malicious code.  The code ran a downloader, Suddenicon, which in turn received additional command and control (C2) servers from encrypted icon files hosted on GitHub.  The decrypted C2 server was then used to download a third-stage payload called Iconicstealer, a data miner that steals browser information.  Mandiant said the researchers are currently tracking this malicious activity as UNC4736, a suspected North Korean nexus cluster of activity.

Infosecurity reports: "North Korean Hacker Suspected in 3CX Software Supply Chain Attack"