3CX & Customers Supply Chain Attack by North Korea
April 24th, 2023 |
3CX, a business communication company, suffered a devastating supply chain attack in which its Windows and macOS build environments were compromised, allowing the attackers to push trojanized software to 3CX's customers.
An investigation found that hackers had breached 3CX’s systems after an employee downloaded a trojanized installer for the X_Trader trading software from Trading Technologies.
The trojanized installer delivered malware named VeiledSignal, which gave the attackers administrator-level access to the employee’s device. This allowed the attackers to obtain corporate credentials belonging to the employee, which allowed them to access 3CX’s broader systems.
Once inside, the attackers harvested credentials, moved laterally, and deployed other malware to compromise the Windows and macOS build environments which enabled them to then push malware to 3CX customers. Another malware family involved in the attack, IconicStealer, allowed the hackers to steal information such as browser data.
Investigators found that the threat group behind the attack was UNC4736, a North Korean group linked to the financially-focused operation dubbed AppleJeus. This group is known for targeting cryptocurrency firms, most likely in order to fund the North Korean nuclear program.
The hacking group also breached two critical infrastructure organizations in the energy sector and two financial trading organizations using the trojanized X_TRADER application. Among the two affected critical infrastructure organizations, one is in the US and the other in Europe.
Acreto Solution
Acreto addresses third-party / supply chain risk with the following capabilities.
Ecosystems
Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.
Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.
Ecosystems can be configured as:
Open → With inbound or outbound access from or to the Internet or a third-party
Closed → Fully contained with access limited to Ecosystem members
Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.
Eliminate the Internet Attack Surface
Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.
Eliminate the Internal Attack Surface
Ecosystems can easily isolate individual systems, groups of systems on a shared network, or entire networks, limiting access only to the systems that need to interoperate together. This is done with:
Micro-Segmentation
Segmenting groups of systems on any shared network, including hostile networks or the entire network.
Nano-Segmentation
Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.
Isolated Data Flows
Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.
Encrypted Secure Scan
Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time.
Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.
Controls
Access Control
Identity with MFA
User
Authorizes access to the Ecosystem by a user's identity, including MFA, as authenticated by the organization's Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.
Device
Assigns a unique identity to each device so that a device which does not rely on a user to operate, such as an autonomous application or IoT device, can be validated before it is allowed to join the Ecosystem.
Network Protocol / Port
Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Protocol
Control the application protocol (HTTP, DNS, SMTP, SMB, etc.) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Program
Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc.) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Content Control
Content Categorization
Control communication based on content categories such as Adult, Gambling, Politics, and Malware sites, among 90+ category options.
File Type Upload / Download Controls
Control upload / download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.
Data Leak Prevention
Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:
- Credit Cards Upload / Download Controls
- Social Security Number Upload / Download Controls
- RegEx Pattern Upload / Download Controls
Threat Prevention
After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:
Threat Signature
Identifies and mitigates known bad exploits, malware, botnets and ransomware.
Zero-Day Behavioral Analysis
Looks for behavioral indications of threats based on how the system functions react to the payload, immediately and over time.
Technical Data
- Other malware families involved in the attack are TaxHaul, ColdCat, PoolRat, and IconicStealer.
- The hackers gained access to 3CX's network after an employee installed a trojanized trading platform called X_TRADER on their personal computer in 2022.
- The trojanized version of X_TRADER was digitally signed with a certificate belonging to Trading Technologies and set to expire in October 2022.
- The VEILEDSIGNAL backdoor provided the attackers with administrator-level access to the 3CX employee’s computer and allowed them to steal his corporate credentials.
- Two days after the compromise, they used those credentials to connect to the company’s network via VPN and began harvesting other credentials and moving laterally through the network.
- During this process, they deployed an open-source tool called the Fast Reverse Proxy (FRP) to maintain continued access within the network.
- The attackers were eventually able to compromise both the Windows and macOS build environments.
- On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL side-loading through the IKEEXT service and ran with LocalSystem privileges.
- The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism.
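The Windows persistence described above relies on a DLL being side-loaded into the service host for IKEEXT. The following is an added detection heuristic, not code from the article or from Acreto, that runs over constructed Sysmon-style "Image loaded" (Event ID 7) records and flags DLLs loaded into svchost.exe that are unsigned, not Microsoft-signed, or located outside the Windows directory. It assumes IKEEXT is hosted in svchost.exe and that a healthy svchost loads only Microsoft-signed DLLs from under C:\Windows; the sample events and DLL names are made up.

```python
import re
from typing import Dict, List, Optional

# Benign svchost.exe loads are expected to come from under the Windows directory
# and to carry a valid Microsoft signature (assumption for this heuristic).
WINDIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)
MS_SIGNERS = {"microsoft windows", "microsoft corporation"}

# Constructed sample events mirroring Sysmon Event ID 7 field names.
# Events 3 and 4 model a side-loaded DLL; the others are benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ikeext.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe", "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll",
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\constructed-sideload.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\ProgramData\constructed\loader.dll",
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"},
]


def is_suspicious_load(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason if this image-load looks like side-loading into svchost, else None."""
    if not ev.get("Image", "").lower().endswith("\\svchost.exe"):
        return None  # Only the service host process is in scope here.
    loaded = ev.get("ImageLoaded", "")
    if not WINDIR.match(loaded):
        return f"svchost loaded a DLL from outside the Windows directory: {loaded}"
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus", "").lower() != "valid":
        return f"svchost loaded an unsigned or invalidly signed DLL: {loaded}"
    if ev.get("Signature", "").lower() not in MS_SIGNERS:
        return f"svchost loaded a DLL signed by a non-Microsoft publisher {ev['Signature']!r}: {loaded}"
    return None


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Collect findings for every event that trips the heuristic."""
    return [reason for ev in events if (reason := is_suspicious_load(ev))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same logic would be fed from Sysmon's event log rather than the embedded list, and the signer allow-list tuned to the host's expected service DLLs.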
About Acreto
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.