A recent supply chain attack on 3CX revealed a new level of sophistication among North Korean threat actors. The actor behind the incident, tracked as UNC4736 by Google-owned Mandiant, is responsible for what Mandiant describes as the first known instance of a software supply chain attack leading to another software supply chain attack, nested like a Matryoshka doll.
Unraveling the layers of the 3CX attack
The cascading attack against 3CX first came to light on March 29, 2023, when both the Windows and macOS versions of the company's desktop communication software were found to be trojanized. The tampered installers carried a downloader that Mandiant calls SUDDENICON, which in turn fetched a C/C++-based data miner named ICONIC Stealer onto victims' machines. Because the installers were built and signed inside 3CX's own pipeline, they bore 3CX's legitimate code signature, so signature checks on the customer side did not flag them.
Mandiant's investigation traced the origin of the attack to a trojanized installer for X_TRADER, a discontinued product of the fintech company Trading Technologies. A 3CX employee downloaded the installer to their personal computer; the attackers then harvested the employee's corporate credentials from that unmanaged device and used them to gain unauthorized access to 3CX's network.
Once inside the 3CX environment, the attackers moved laterally into both the Windows and macOS build environments, deploying tools and backdoors there to maintain persistence and control. Alongside VEILEDSIGNAL, the multi-stage modular backdoor that the trojanized X_TRADER installer had dropped on the employee's machine, they relied on open-source tooling such as Fast Reverse Proxy to move within the network and carry out their objectives.
North Korean nexus and Lazarus Group connection
UNC4736 is suspected to be a North Korean threat group with links to the notorious Lazarus Group and its Operation Dream Job campaign. Similarities in how the trading application was trojanized and a history of financially motivated attacks against the same sector point to a connection between the two groups.
Mandiant's report also points to an earlier breach of Trading Technologies' website in early February 2022, which Google's Threat Analysis Group had documented at the time. The site was compromised using a then zero-day flaw in Google Chrome (CVE-2022-0609) to trigger a multi-stage infection chain that served still-unidentified payloads to site visitors.
Protecting against future cascading attacks
In response to the Matryoshka-style cascading attack, 3CX has announced measures to harden its systems and reduce the risk of another nested software-in-software supply chain compromise. These steps include enhancing product security, deploying tools to verify software integrity, and establishing a new Network Operations and Security department. The broader lesson for defenders is that when a build system is compromised, the resulting artifacts are signed with the vendor's own keys and pass every downstream integrity check, so integrity controls have to cover the build environment itself, not just the released binaries.
This cascading supply chain attack is a reminder of the evolving threat posed by North Korean hackers, and of the need for organizations to treat developer workstations, personal devices that hold corporate credentials, and build pipelines as part of the attack surface they must secure.