North Korean Cyber Criminals Used a Cascading Supply Chain Attack in the Style of a Matryoshka Doll on 3CX

By Harper Stewart

May 12, 2023

The supply chain attack on 3CX was itself the product of an earlier supply chain compromise at another company, Trading Technologies, a chain of events that points to a higher degree of sophistication among North Korean threat actors.

Mandiant (owned by Google), which investigated the intrusion and tracks the actor as UNC4736, says this is the first known case in which one software supply chain attack led directly to another.

The Matryoshka doll-style cascading attack on 3CX came to light on March 29, 2023. Trojanized Windows and macOS builds of the company's desktop communication software delivered a C/C++ information stealer, ICONIC Stealer, via a downloader tracked as SUDDENICON.

According to the analysis published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the stealer targeted data held by web browsers such as Chrome, Edge, Brave, and Firefox. In a small number of intrusions, apparently selected for their cryptocurrency connections, a next-stage backdoor called Gopuram was deployed, giving the operators access to the victim's file system and the ability to run further commands.

Malicious Software Supply Breach

Mandiant reported that the 3CX intrusion began when a 3CX employee downloaded a tainted installer for X_TRADER, a discontinued trading platform from Trading Technologies, onto their personal computer. The compromised installer dropped two trojanized DLLs and a benign executable; the executable side-loads one of the DLLs, which impersonates a legitimate dependency so that the malicious code runs under the cover of a legitimate-looking process.
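The side-loading described above works because the benign executable trusts whatever DLL carries the expected name in its own directory. One check a packaging pipeline or an endpoint can run before an installer is trusted is to compare every file in the unpacked package against a manifest of pinned SHA-256 hashes from a known-good build, flagging files whose hash differs and any DLL that is not in the manifest at all. The script below is an added illustration of that check, not code from Mandiant, 3CX or Trading Technologies; the file names, file contents and manifest are constructed for the demonstration.

```python
"""Pinned-manifest integrity check for an unpacked installer directory (added example)."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_package(root: Path, manifest: dict[str, str]) -> list[tuple[str, str]]:
    """Compare every file under `root` with the pinned manifest.

    `manifest` maps a POSIX-style relative path to the expected SHA-256 hex digest.
    Returns (relative_path, finding) pairs; an empty list means the package matches.
    """
    root = Path(root)
    findings: list[tuple[str, str]] = []
    seen: set[str] = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            # A DLL the known-good build never shipped is the classic side-load drop.
            if p.suffix.lower() == ".dll":
                findings.append((rel, "unexpected DLL not in manifest: side-load candidate"))
            else:
                findings.append((rel, "file not in manifest"))
        elif sha256_file(p) != expected:
            # Same name as a legitimate dependency, different bytes: trojanized file.
            findings.append((rel, "hash mismatch: file differs from the pinned build"))
    for rel in sorted(set(manifest) - seen):
        findings.append((rel, "file listed in manifest is missing"))
    return findings


def build_demo() -> tuple[Path, dict[str, str]]:
    """Construct a sample package: a pinned manifest from a clean build, then a tampered copy on disk.

    All names and byte strings here are made up for the example (hypothetical).
    """
    root = Path(tempfile.mkdtemp(prefix="installer_demo_"))
    genuine = {
        "Setup.exe": b"MZ benign launcher (constructed)",
        "libdep.dll": b"MZ genuine dependency (constructed)",
        "readme.txt": b"constructed readme",
    }
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in genuine.items()}
    tampered = dict(genuine)
    tampered["libdep.dll"] = b"MZ trojanized dependency (constructed)"   # same name, new bytes
    tampered["helper.dll"] = b"MZ extra side-loaded DLL (constructed)"    # not in the clean build
    for name, data in tampered.items():
        (root / name).write_bytes(data)
    return root, manifest


def run_demo() -> list[tuple[str, str]]:
    """Run the check over the constructed tampered package."""
    root, manifest = build_demo()
    return check_package(root, manifest)


if __name__ == "__main__":
    for rel, why in run_demo():
        print(f"{rel}: {why}")
```

Hash pinning is deliberately independent of code signing: both the X_TRADER and the 3CX installers carried valid vendor signatures, so a signature check alone passes them, whereas a manifest produced from an independently built or previously verified release flags the swapped dependency and the extra DLL.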

The attackers used the open source tools SIGFLIP and DAVESHELL to deploy VEILEDSIGNAL, a modular, multi-stage backdoor written in C that can exfiltrate data, execute shellcode, and terminate itself. From the employee's compromised personal computer the backdoor was used to harvest corporate credentials, which were then used to reach 3CX's network through its VPN.

The intruders then compromised 3CX's Windows and macOS build environments with tools such as TAXHAUL, COLDCAT, and POOLRAT, which gave them persistence and privileged access to the systems that produced the shipped builds.

UNC4736 overlaps with the Lazarus Group: both have used a common command-and-control domain tied to Operation Dream Job. Mandiant also linked the Trading Technologies compromise to AppleJeus, a financially motivated North Korean campaign; Google's Threat Analysis Group had earlier observed AppleJeus operators abusing a Chrome zero-day against visitors to the Trading Technologies website, and the same actors trojanizing the X_TRADER package. POOLRAT, one of the backdoors used against 3CX, had previously appeared in AppleJeus operations that distributed malicious trading apps. The full scope of the intrusion is still unknown, and 3CX has since put additional security measures in place. The episode shows that North Korean operators are willing and able to repurpose one supply chain foothold to seed another.

Harper Stewart

With a deep understanding of the complexities of the Dark Web, Harper curates informative and thought-provoking content for our readers. Her knowledge of the hidden corners of the internet and cybersecurity helps shed light on the often mysterious and illicit activities that take place in this realm.