Business communication company 3CX recently reported that it was the victim of a supply chain attack. On Tuesday, 3CX confirmed that the attack was likely conducted by North Korean hackers. Google-owned Mandiant is currently investigating the breach and has released some information from their initial analysis.
Mandiant found that the hackers targeted 3CX Windows systems with a piece of malware named Taxhaul. The malware is designed to deploy a downloader tracked by Mandiant as Coldcat. In addition to Taxhaul, the hackers also deployed a macOS backdoor called Simplesea, which allows attackers to execute shell commands and to transfer and execute files.
Kaspersky and CrowdStrike previously reported finding links to North Korean state-sponsored threat actors, specifically to Lazarus or one of its subgroups. Kaspersky’s own data suggested that the attack was aimed at cryptocurrency companies, as North Korean hackers have been known to steal large amounts of cryptocurrency.
3CX has shared YARA rules and indicators of compromise (IoCs) that can be used to detect the malware and connections to the attacker’s infrastructure. The company has also described some of the steps it is taking to improve the security of its applications.
The initial investigations conducted by several cybersecurity firms indicated that 3CX was likely breached sometime in the fall of 2022, but it’s believed that the operation was still in its initial stages when the intrusion was detected.
In summary, 3CX recently reported a supply chain attack that was likely conducted by North Korean hackers. Mandiant has found evidence of two pieces of malware, Taxhaul and Simplesea, used in the attack. Kaspersky and CrowdStrike have found links to North Korean state-sponsored threat actors. 3CX has shared YARA rules and IoCs to help detect the malware and connections to the attacker’s infrastructure, and has taken steps to improve the security of its applications.
• 3CX recently reported a supply chain attack likely conducted by North Korean hackers.
• Mandiant found evidence of Taxhaul and Simplesea malware used in the attack.
• Links to North Korean state-sponsored threat actors were found by Kaspersky and CrowdStrike.
• 3CX has shared YARA rules and IoCs, and has taken steps to improve its security.