CyberDefenders Write-up: 3CX Supply Chain

Amid reports of issues with the 3CX Desktop App, a multinational corporation suspects a supply chain attack that compromised the software. Unusual network traffic and performance degradation led to the discovery of malware associated with recent updates. Investigation points towards North Korea's Lazarus group as the potential threat actor.

Affected: 3CX software, multinational corporations

Key points:

  • A multinational corporation relies heavily on the 3CX software for phone communication.
  • Antivirus alerts flagged instances of the 3CX desktop application being wiped.
  • The IT team initially dismissed the alerts as false positives, which led to degraded performance.
  • Strange network traffic directed towards unknown servers was detected.
  • Investigations linked issues to recent software updates, indicating a supply chain attack.
  • Suspected threat actor involved is the Lazarus group, associated with North Korea.
  • Malicious files identified include ffmpeg.dll and d3dcompiler_47.dll.
  • Techniques used include DLL side-loading and evasion of virtual environments.
  • Compromised software version and timestamps were identified during the investigation.

MITRE Techniques:

  • T1574.002 – DLL Side-Loading: the technique employed by the malicious .msi files.
  • T1497 – Virtualization/Sandbox Evasion: the technique used by the DLLs.

Indicator of Compromise:

  • [SHA-256] 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983

Full Story: https://systemweakness.com/cyberdefenders-write-up-3cx-supply-chain-a4fb85c69275?source=rss——cybersecurity-5