Executive Summary

In March 2023, threat actors compromised the desktop application of 3CX, a widely used Voice over Internet Protocol (VoIP) phone system vendor, in a supply chain attack. The threat actors gained access to 3CX's build environment and injected a backdoor into the signed Windows and macOS installers of the application, which were then distributed to customers through 3CX's normal update channels. The backdoor let the threat actors steal data and execute commands on infected devices.

The fallout did not stop there. Mandiant, which 3CX retained to investigate the supply chain attack, tied the intrusion to the North Korean cluster it tracks as UNC4736. Kaspersky separately found that the North Korean APT Lazarus had deployed a backdoor named Gopuram onto the devices of a small number of 3CX customers as a second-stage payload during the same incident; Gopuram has been used by Lazarus against cryptocurrency companies since 2020. After much speculation, security researchers were able to attribute the 3CX attack to Lazarus.

What makes the breach even more interesting is that, at the same time, researchers were connecting the dots on a separate Lazarus operation aimed at LinkedIn users. ESET researchers discovered a new Lazarus campaign targeting Linux users: a fake job offer from HSBC lured victims into downloading malware. The payload was a Linux backdoor called SimplexTea, distributed through a cloud storage account. This was the first time the group had been publicly seen using Linux malware in this operation, and the malware closely resembled that used in the 3CX supply chain attack. Let's look at the 3CX attack and at how professional social media platforms such as LinkedIn can become gateways for security breaches.

TIR SNAPSHOT

  • The 3CX Phone System is used globally by more than 600,000 companies and has over 12 million daily users.
  • The company provides its clients with software that can be accessed through a web browser, a mobile application, or a desktop program.
  • In March 2023, 3CX was the victim of a supply chain attack where threat actors compromised the company and used its software to distribute additional malware to some 3CX customers. 
  • By April 2023, it was reported that the 3CX attack was caused by another supply chain compromise, making it a double supply chain attack. Later, researchers attributed the attacks to Lazarus.
  • Operation DreamJob is the name of the campaign series that Lazarus has been deploying since 2020. The campaign uses fake job offers on LinkedIn and sends them to targets.
  • On March 20, 2023, a user in Georgia uploaded a ZIP archive titled 'HSBC job offer.pdf.zip' to VirusTotal. Based on previous Operation DreamJob campaigns, the payload was likely delivered through spear-phishing or direct messages on LinkedIn.
  • Be mindful of professional social media sites; threat actors gather information from those sites for their own benefit.

LAZARUS, 3CX, AND LINKEDIN

The 3CX Phone System is used globally by more than 600,000 companies and has over 12 million daily users. The company provides its clients with software that can be accessed through a web browser, a mobile application, or a desktop program. In March 2023, it was reported that 3CX was the victim of a supply chain attack where threat actors compromised the company and used its software to distribute additional malware to some 3CX customers.

According to Mandiant, initial access to the 3CX network came through a separate supply chain compromise: a 3CX employee installed a trojanized X_TRADER package (a trading application from Trading Technologies that had been retired in 2020 but was still available for download) on their personal computer. The package carried a backdoor Mandiant labels VEILEDSIGNAL, which gave the threat actor control of the employee's machine and let them harvest the employee's 3CX corporate credentials. With those credentials, the threat actors gained access to 3CX's network, moved laterally, and compromised both the Windows and macOS build systems to inject malicious code into the desktop application.

Volexity's analysts were among the first to investigate the attack, and they published a tool to recover the list of C2 servers from the ICO files the malware fetched from GitHub. The tool was useful because the threat actors did not embed the C2 addresses directly in the intermediate stages of the infection chain; instead, the loader downloaded icon files from a GitHub repository and extracted the encrypted C2 URL hidden in each one. The initial commit to that repository was made on December 7, 2022 and contained an ICO file carrying an encrypted 3cx[.]com URL, which suggests the threat actors were already testing the backdoor by then.
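As an added illustration (not Volexity's tool and not code from the original report), the following Python parses an ICO file's directory to find bytes stored beyond the last image and attempts to Base64-decode them. Public analyses describe the 3CX icons as carrying Base64 text appended after the image data; that layout, the sample icon, and the appended blob are assumptions constructed for this example. The decoded blob is left as-is because the decryption step depends on a key and algorithm this page does not give.

```python
import base64
import struct
from typing import Optional

ICO_HEADER = struct.Struct("<HHH")          # reserved, image type (1 = icon), image count
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")  # width, height, colours, reserved, planes, bpp, size, offset


def ico_trailing_data(data: bytes) -> bytes:
    """Return any bytes stored after the last image the ICO directory references.

    A well-formed ICO ends where its last image ends; anything beyond that point
    is data the format does not account for and is worth a closer look.
    """
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short to be an ICO file")
    reserved, image_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or image_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if end > len(data):
        raise ValueError("truncated ICO directory")
    for i in range(count):
        entry_offset = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, entry_offset)
        if offset + size > len(data):
            raise ValueError(f"directory entry {i} points past the end of the file")
        end = max(end, offset + size)
    return data[end:]


def extract_appended_blob(data: bytes) -> Optional[bytes]:
    """Base64-decode the trailing bytes; None if there are none or they are not Base64."""
    trailing = b"".join(ico_trailing_data(data).split())  # tolerate line breaks in the text
    if not trailing:
        return None
    try:
        return base64.b64decode(trailing, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def build_sample_ico(appended: bytes) -> bytes:
    """Constructed 1x1 icon with an arbitrary blob appended (a test fixture, not a real sample)."""
    pixel_data = b"\x00" * 40
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size  # image data starts right after the directory
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(pixel_data), offset)
    return header + entry + pixel_data + appended


if __name__ == "__main__":
    sample = build_sample_ico(base64.b64encode(b"encrypted-c2-placeholder"))
    print(len(ico_trailing_data(sample)), "trailing bytes")
    print(extract_appended_blob(sample))
```

Run against a directory of icons pulled from a suspect repository, any file where `ico_trailing_data` returns a non-empty result deserves attention regardless of whether the Base64 step succeeds; the directory-bounds checks also reject icons whose entries point past the end of the file, which is the other common way an "icon" is used as a container.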

APRIL 2023

By April 2023, it was reported that the 3CX attack had itself been caused by an earlier supply chain compromise, making it a double supply chain attack. North Korean attackers are believed to have breached Trading Technologies, a stock trading automation company, and to have pushed a trojanized build of its X_TRADER software. A 3CX employee downloaded and installed that build on their personal computer, and the backdoor it carried gave the attackers the employee's 3CX corporate credentials.

With those credentials, the attackers moved laterally through the 3CX network and compromised its Windows and macOS build environments. After the initial breach, 3CX retained Mandiant for incident response. Mandiant noted that earlier reports had described the macOS build server as being infiltrated with a new backdoor named SIMPLESEA; after analysis by Mandiant Intelligence, the implant was determined to be the pre-existing backdoor POOLRAT rather than a new malware family.

According to ESET researchers, Lazarus had been preparing the attack as early as December 2022, well before its execution, which suggests the threat actors had already established a foothold in the company's network by then. A few days before the attack became public, a suspicious Linux downloader was submitted to VirusTotal; it fetched a new Linux backdoor known as SimplexTea, which communicates with the same command and control (C2) server used by the payloads linked to the 3CX compromise.

OPERATION DREAMJOB

Operation DreamJob is the name of the campaign series that Lazarus has been running since 2020. The campaign was named by researchers at ClearSky and relies on social engineering, using fake job offers as bait, to compromise targets. It is a cyberespionage campaign primarily aimed at defense and aerospace companies. According to ESET, it overlaps with what is known as "Operation In(ter)ception", a series of cyberespionage attacks ongoing since September 2019 against aerospace, military, and defense companies, which relied on malicious tools initially built for Windows only.

In July and August 2022, ESET identified two instances of Operation In(ter)ception targeting macOS: one sample was submitted to VirusTotal from Brazil, and another attack targeted an ESET user in Argentina. More recently, a native Linux payload with an HSBC-themed PDF lure was found on VirusTotal, completing Lazarus's coverage of all major desktop operating systems.

On March 20, 2023, a user in Georgia uploaded a ZIP archive titled "HSBC job offer.pdf.zip" to VirusTotal. Based on previous Operation DreamJob campaigns, the payload was likely delivered through spearphishing or direct messages on LinkedIn. The archive contains a single file: a native 64-bit Intel Linux binary written in Go and named "HSBC job offer.pdf", so that a victim expecting a document launches an executable instead. That binary is a downloader whose job is to fetch the second stage, the SimplexTea backdoor. SimplexTea is written in C++ and shares similarities with BADCALL, a Windows trojan previously linked to Lazarus.
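The lure above works because an archive entry named like a document is actually an executable. As an added example (not ESET's code and not part of the original report), the following Python inspects a ZIP archive and flags three things a mail gateway or triage script can check without executing anything: entries whose content magic is an executable format although the name carries a document extension, names containing non-ASCII characters (look-alike dots and homoglyphs, a general hardening check rather than something this page reports), and entries stored with Unix execute bits. The sample archive, its "ELF" header stub, and the entry names are constructed for the example.

```python
import io
import unicodedata
import zipfile
from typing import List

# First bytes of common executable and document formats.
MAGICS = {
    b"\x7fELF": "ELF executable",
    b"MZ": "Windows PE executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"%PDF": "PDF document",
}
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt")


def sniff(head: bytes) -> str:
    """Identify a file type from its leading bytes, ignoring whatever the name claims."""
    for magic, label in MAGICS.items():
        if head.startswith(magic):
            return label
    return "unknown"


def inspect_archive(zip_bytes: bytes) -> List[str]:
    """Return human-readable findings for entries that look like masqueraded executables."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            # 1. Content does not match the document extension in the name.
            if name.lower().endswith(DOCUMENT_EXTENSIONS) and kind.endswith("executable"):
                findings.append(f"{name!r}: document extension but content is {kind}")
            # 2. Non-ASCII characters in the name (look-alike dots, homoglyphs, RTL overrides).
            odd = sorted({c for c in name if ord(c) > 0x7F})
            if odd:
                desc = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}" for c in odd)
                findings.append(f"{name!r}: non-ASCII character(s) in file name: {desc}")
            # 3. Unix mode bits stored by the archiver grant execute permission.
            mode = info.external_attr >> 16
            if mode & 0o111:
                findings.append(f"{name!r}: execute bit set in archive metadata (mode {mode & 0o777:o})")
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the lure's layout; the 'ELF' is a header stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lure = zipfile.ZipInfo("HSBC job offer.pdf")
        lure.external_attr = 0o100755 << 16  # -rwxr-xr-x, as a Unix zip tool would store it
        zf.writestr(lure, b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 56)
        zf.writestr("offer\u2024pdf", b"%PDF-1.4\n%placeholder\n")  # U+2024 ONE DOT LEADER, not '.'
        zf.writestr("README.txt", b"plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_archive(build_sample_archive()):
        print(line)
```

Reading only the first eight bytes of each entry keeps the check cheap on large archives, and because the checks operate on the central directory and the entry header they do not need the file to be written to disk or opened by any document viewer.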

Image 1: Timeline of Events (Source: ESET)

ESET reported similarities between artifacts from the Operation DreamJob campaign and those found during the 3CX supply chain attack, including the C2 domain journalide[.]org, one of the four C2 servers used by the malware families identified in the 3CX environment. ESET's research also indicates that SimplexTea is likely the Linux counterpart of the SIMPLESEA macOS malware seen in the 3CX breach. SimplexTea is part of Operation DreamJob, Lazarus's flagship campaign, which uses fake job offers to lure victims.

As for the double supply chain attack, 3CX asked Mandiant to provide incident response, and Mandiant stated that this was the first time it had seen a software supply chain attack lead to a second, sequential software supply chain attack. It shows how far the impact of such a breach can reach when an attacker is able to chain intrusions. The motive has not been disclosed; Lazarus is a state-sponsored actor with a record of both espionage and financially motivated operations, and the second-stage Gopuram deployments at cryptocurrency companies suggest that data theft from selected victims was at least part of the goal.

THE ISSUES WITH PROFESSIONAL SOCIAL NETWORKS

Using professional social media networks calls for a certain level of awareness. Although these networks exist for connection and communication, malicious actors harvest information from them and use it for their own ends. Every detail you post is a possible data point a threat actor can use to build a comprehensive profile of you.

If you are the target of an attack, a threat actor can turn the publicly available information across your social accounts to their advantage. Even small pieces of data can be dangerous: your job history, career path, industry, education, and connections to other people. In Lazarus's case, that information was all they needed to craft job offers convincing enough to lure their targets on LinkedIn.

Once an attacker has collected the data they need, it is only a matter of time before they impersonate a brand, build a lure and payload around it, and target a specific business or its employees' account credentials. Social media is now a vital business tool, but it is also a security risk. Attackers keep finding more creative ways to use it to reach employees and gain access to sensitive information. Organizations need a clear policy on professional social media use and must be vigilant in monitoring and enforcing it.

MITRE MAP

Image 2: Lazarus MITRE ATT&CK Map

AVERTIUM'S RECOMMENDATIONS

When a threat actor compromises a software supply chain, network defenders cannot fix the problem quickly on their own. Organizations rarely control the entire supply chain, so they cannot force every upstream supplier to remediate at once.

It is better to follow software supply chain best practices before an attack than to scramble afterwards. Doing so makes it harder for threat actors to infiltrate the network and leaves the organization better prepared to respond when they do. CISA recommends the following:

  • [1] "Organizations acquiring software should consider its use, as with other ICT products and services, in the context of a risk management program. Such a program should use an operationalized systems security engineering framework and a formal C-SCRM Risk Management Program approach across organization, mission/business, and system tiers. A mature risk management program enables an organization to understand risks presented by ICT products and services, including software, in the context of the mission or business processes they support. Organizations can manage such risks through a variety of technical and non-technical activities, including those focused on C-SCRM for software and the associated full software lifecycle."

  • "NIST suggests eight key practices for establishing a C-SCRM approach that can be applied to software:
    • Integrate C-SCRM across the organization.
    • Establish a formal C-SCRM program.
    • Know and manage critical components and suppliers.
    • Understand the organization's supply chain.
    • Closely collaborate with key suppliers.
    • Include key suppliers in resilience and improvement activities.
    • Assess and monitor throughout the supplier relationship.
    • Plan for the full lifecycle."

  • The same CISA guidance also advises: "Document how you would plan to address software for which a vulnerability is disclosed."

[1] Defending Against Software Supply Chain Attacks (cisa.gov)

HOW AVERTIUM IS PROTECTING OUR CUSTOMERS

It’s important to get ahead of the curve by being proactive with protecting yourself and your organization, instead of waiting to put out a massive fire. Avertium offers the following services to keep you and your organization safe:

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have dissolved the perimeter into an ever-expanding attack surface. Avertium offers Attack Surface Management, so you'll have no more blind spots, weak links, or fire drills.

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts.

  • Avertium offers Vulnerability Management to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.

  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.

  • Avertium offers user awareness training through KnowBe4. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.

INDICATORS OF COMPROMISE (IoCs)

The file hashes below were published under mixed headings. They are grouped here by algorithm (identified by digest length), lower-cased, and de-duplicated; the four SHA-1 values originally listed on their own are included in the SHA-1 group.

MD5

  • 3cf7232e5185109321921046d039cf10
  • 451c23709ecd5a8461ad060f6346930c
  • 6426fe4dc604c7f1784ed1d48ab4ffc8
  • 760c35a80d758f032d02cf4db12d3e55
  • 76111d9780b2d0b5adee61cf752d937e
  • 9e4d9edb07c348b10863d89b6bb08141
  • aac5a52b939f3fe792726a13ff7a1747
  • af2bc70f1c97a2f583f7b87aea3c8a6c
  • c01dc42f65acaf1c917c0cc29ba63adc
  • cedb9cdbad254f60cfb215b9bff84fb9
  • fc41cb8425b6432af8403959bb59430d

SHA-1

  • 0ca1723afe261cd85b05c9ef424fc50290dce7df
  • 1c66e67a8531e3ff1c64ae57e6edfde7bef2352d
  • 2acc6f1d4656978f4d503929b8c804530d7e7cf6
  • 3a63477a078ce10e53dfb5639e35d74f93cefa81
  • 3b88cda62cdd918b62ef5aa8c5a73a46f176d18b
  • 58b0516d28bd7218b1908fb266b8fe7582e22a5f
  • 5b03294b72c0caa5fb20e7817002c600645eb475
  • 65122e5129fc74d6b5ebafcc3376abae0145bc14
  • 7491bd61ed15298ce5ee5ffd01c8c82a2cdb40ec
  • 9d8bade2030c93d0a010aa57b90915eb7d99ec82
  • cad1120d91b812acafef7175f949dd1b09c6c21a
  • d288766fa268bc2534f85fd06a5d52264e646c47
  • dcef83d8ee080b54dc54759c59f955e73d67aa65
  • f6760fb1f8b019af2304ea6410001b63a1809f1d

SHA-256

  • 4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc
  • 492a643bd1efdaca4ca125ade1b606e7bbf00e995ac9115ac84d1c4c59cb66dd
  • 5a07b09eea34d7faa9c37e2806a556cd95f97699597bd1123339849b6e942d95
  • 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8
  • 9352625b3e6a3c998e328e11ad43efb5602fe669aed9c9388af5f55fadfedc78
  • aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973
  • cc307cfb401d1ae616445e78b610ab72e1c7fb49b298ea003dd26ea80372089a
  • e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a
  • ea31e626368b923419e8966747ca33473e583376095c48e815916ff90382dda5
  • eebb01932de0b5605dd460cc82844d8693c00ea8ab5ffdf8dbede6528c1c18fd
  • f638e5a20114019ad066dd0e856f97fd865798d8fbed1766662d970beff65 (61 hex characters as published; appears truncated and will not match a full SHA-256 digest)

IP Address

  • 23.254.211[.]230
  • 38.108.185[.]79
  • 38.108.185[.]115
  • 172.93.201[.]88
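Published indicator lists often arrive in exactly this shape: mixed algorithms under one heading, mixed case, duplicates, and the occasional truncated value. As an added example (not Avertium's tooling and not part of the original report), the following Python normalizes such a list, buckets each value by algorithm, quarantines anything of the wrong length, and then hashes a directory tree once per file and checks all three digests against the buckets. The sample lines are copied from the list above; the scanned files are constructed so the run is self-contained.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Optional, Set, Tuple

HEX = re.compile(r"^[0-9a-f]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value: str) -> Optional[str]:
    """Map a hex digest to its algorithm by length; None for anything that is not a full digest."""
    v = value.strip().lower()
    return HASH_LENGTHS.get(len(v)) if HEX.match(v) else None


def load_iocs(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Lower-case, de-duplicate and bucket indicators; wrong-length values land in 'malformed'."""
    buckets: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set(), "malformed": set()}
    for raw in lines:
        v = raw.strip().lstrip("•").strip().lower()  # tolerate the bullet characters of a pasted list
        if not v:
            continue
        buckets[classify_hash(v) or "malformed"].add(v)
    return buckets


def file_digests(path: str) -> Dict[str, str]:
    """Compute all three digests in one pass so a match against any bucket is possible."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Walk a directory and return (path, algorithm, digest) for every file matching an IoC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for algo, digest in file_digests(path).items():
                if digest in iocs.get(algo, set()):
                    hits.append((path, algo, digest))
    return hits


# Indicators copied from the list above, in the mixed case and mixed algorithms
# they were published with, plus the 61-character last entry.
SAMPLE_IOC_LINES = [
    "0CA1723AFE261CD85B05C9EF424FC50290DCE7DF",
    "0ca1723afe261cd85b05c9ef424fc50290dce7df",
    "3A63477A078CE10E53DFB5639E35D74F93CEFA81",
    "3cf7232e5185109321921046d039cf10",
    "4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc",
    "f638e5a20114019ad066dd0e856f97fd865798d8fbed1766662d970beff65",
]


def demo_match() -> Tuple[Dict[str, Set[str]], List[Tuple[str, str, str]]]:
    """Constructed end-to-end run: a harmless file is hashed, its SHA-256 is added to the
    IoC set as if it had been published, and the scan must report exactly that one file."""
    iocs = load_iocs(SAMPLE_IOC_LINES)
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "suspect.bin")
        with open(target, "wb") as fh:
            fh.write(b"constructed test content, not a real sample\n")
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        iocs["sha256"].add(file_digests(target)["sha256"])
        hits = scan_tree(root, iocs)
    return iocs, hits


if __name__ == "__main__":
    buckets, hits = demo_match()
    for algo, values in buckets.items():
        print(f"{algo}: {len(values)} indicator(s)")
    for path, algo, digest in hits:
        print(f"HIT {algo} {digest} {path}")
```

Keeping the malformed bucket visible matters: a truncated digest silently dropped from a blocklist is a false negative nobody will notice, whereas a reported malformed entry can be chased back to the original publication.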

SUPPORTING DOCUMENTATION

Mandiant Security Update – Initial Intrusion Vector | 3CX

What is a Social Media Threat? Attacks & Security | Proofpoint US

X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe | Symantec Enterprise Blogs (security.com)

Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach (thehackernews.com)

Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack | WeLiveSecurity

3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible | Mandiant

3CX Security Update 11 April 2023 | Mandiant Initial Results

3CX confirms North Korean hackers behind supply chain attack (bleepingcomputer.com)

3CX Supply Chain Attack: Big Questions Remain | CRN

3CX Supply Chain Compromise Leads to ICONIC Incident | Volexity

5 Ways Social Media Impacts Cybersecurity | eWEEK

Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job (thehackernews.com)

ESET Research discovers new Lazarus DreamJob campaign and links it to phone provider 3CX supply-chain attack | ESET

Operation ‘Dream Job’ Widespread North Korean Espionage Campaign – ClearSky Cyber Security (clearskysec.com)

Hackers compromise 3CX desktop app in a supply chain attack (bleepingcomputer.com)

3CX hack caused by trading software supply chain attack (bleepingcomputer.com)

Defending Against Software Supply Chain Attacks (cisa.gov)

Dream-Job-Campaign.pdf (clearskysec.com)

Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack - AlienVault - Open Threat Exchange

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.