Jörg Abraham
April 25, 2023

3CX Incident Attributed to North Korea; New LockBit MacOS Sample

Blog

tap 7 - 2023

Mandiant Attributes 3CX Supply Chain Attack to North Korean Activity Cluster

On April 11, 2023, 3CX reported that Mandiant - who investigated the supply chain attack using a digitally signed 3CXDesktopApp installer - attributes the attack to an activity cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus. [1

Mandiant´s assessment corroborates findings from Crowdstrike [2] and Kaspersky [3] who analyzed the infected 3CXDesktopApp. Kaspersky discovered a backdoor - dubbed Gopuram - that the company links to North-Korean-backed Lazarus group, an umbrella organization containing multiple threat actor subgroups. Crowdstrike´s analysis of the payload concluded that the “HTTPS beacon structure and encryption key match those observed in a March 7, 2023, campaign”. Crowdstrike attributes the pattern with high confidence to a Democratic People’s Republic of Korea (DPRK) adversary tracked LABYRINTH CHOLLIMA. 

3CX did not disclose how the actor initially compromised its network. 

Mandiant analysis revealed the actor infected 3CX systems with a loader named TAXHAUL (aka “TxRLoader”). The loader decrypts and executes shellcode, eventually installing the final payload dubbed COLDCAT. Mandiant noted that COLDCAT differs from GOPURAM, a malware observed by Kaspersky. Mandiant also detected a MacOS variant named SIMPLESEA. 

Microsoft Patches Zero-Day Vulnerability Used in Ransomware Attacks  

Microsoft patched a zero-day vulnerability in the Windows Common Log File System (CLFS) that is actively exploited by cybercriminals to escalate privileges and deploy Nokoyawa ransomware. 

The vulnerability CVE-2023-28252 affects all currently supported Windows server and client versions. It can be exploited by local attackers in low-complexity attacks without user interaction. 

Kaspersky security researchers observed exploitation of CVE-2023-28252 in Nokoyawa ransomware attacks.[4] The company reported the Nokoyawa ransomware gang has leveraged at least five other exploits targeting the Common Log File System (CLFS) driver since June 2022. The group is financially motivated and has targeted multiple industries including but not limited to retail and wholesale, energy, manufacturing, healthcare, and software development. 

EclecticIQ analysts observed that more cybercriminal groups have the capabilities and resources to either develop or acquire zero-day exploits. Utilization of zero-days is no longer an exclusive tool of choice for Advanced Persistent Threat actors (APTs) but may also be used by more common cybercrime actors. 

EclecticIQ Analyzed LockBit MacOS Sample - Non-obfuscated & Likely Test Build   

MalwareHunterTeam reported a LockBit ransomware macOS arm64 variant. [5] MalwareHunterTeam believes this is the first public alert about LockBit samples targeting Apple devices.  

EclecticIQ analysts examined a sample and concluded that it is not evasive and likely a test build. The sample uses a simple XOR routine to decrypt all config data. The XOR key uses a static value of "57". It also utilizes the libsoduim encryption library that is commonly detected by security products. It is very likely that the sample is a proof-of-concept, or someone trying to compromise macOS targets quickly. 

Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default  

CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, the Netherlands, and New Zealand (CERT NZ, NCSC-NZ) jointly developed “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.”[6

The document urges software manufacturers to develop and build products that are Secure-by-Design and Secure-by-Default. Secure-by-Design refers to products where the security of the customers is a core business goal, not just a technical feature. Secure-by-Default means that products are resilient against prevalent exploitation techniques out of the box without additional charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. 

The paper includes core guiding principles and lists technical recommendations and tactics for software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products. EclecticIQ analysts assess that the document underpins the fact that further investments and cultural shifts are necessary to achieve a high standard of software security. The guide does not set any law-binding agreements, nor does it set measurable goals. Yet, it may stimulate legislative deliberation at the national and international level with regards to technology investments, customer protection, or liability law. 

 

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: TAXII v1 Discovery services.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

You might also be interested in:

Exposed Web Panel Reveals Gamaredon Group's Automated Spear Phishing Campaigns

Cybercriminals Exploit SVB’s Collapse; Emotet Returns & BatLoader Abuses Google Ads 

DeFi Hack Recovers Stolen Funds; Blacklotus Bypasses Windows Secure Boot


Appendix

[1] P. Jourdan, “Security Update Mandiant Initial Results,” 3CX, Apr. 11, 2023. https://www.3cx.com/blog/news/mandiant-initial-results/ (accessed Apr. 17, 2023). 

[2] CrowdStrike, “CrowdStrike Prevents 3CXDesktopApp Intrusion Campaign,” crowdstrike.com, Mar. 29, 2023. https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/ (accessed Apr. 17, 2023). 

[3] “Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack,” Apr. 03, 2023. https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/ (accessed Apr. 17, 2023). 

[4] “Nokoyawa ransomware attacks with Windows zero-day,” Apr. 11, 2023. https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/ (accessed Apr. 17, 2023). 

[5] “MalwareHunterTeam auf Twitter,” Twitter. https://twitter.com/malwrhunterteam/status/1647384505550876675 (accessed Apr. 17, 2023). 

[6] “Security-by-Design and -Default | CISA,” Apr. 13, 2023. https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default (accessed Apr. 17, 2023). 

 

Talk to one of our experts

Protect your organization with cutting-edge threat intelligence. Book your free demo today and explore how our products and services can help you meet your security needs.
Book a call
cta-footer
Book a demo