There is a shred of growing evidence that North Korean actors were responsible for the 3CX software supply chain hack, as found by ESET researchers. The newly discovered piece of malware extends the evidence that a North Korean group hacked the supply chain.
In analyzing the backdoor, researchers from cybersecurity firm Eset found that it was tied to Pyongyang's latest fake job recruitment campaign, Operation Dream Job. This campaign recruits people for Pyongyang jobs. The Eset report indicates that North Korean hackers produce and use malware that works on all major desktop operating systems, including Windows, MacOS, and Linux.
There is no connection between Linux malware and the 3CX supply-chain attack disclosed in late March by Lazarus Group. However, ESET researchers said they were confident that the 3CX attack was conducted by this company. This is even though it does not seem related to the Linux malware. As the name suggests, this is less a distinct organization than it is an umbrella term for a variety of North Korean hacking groups, some state-sponsored, and some criminal, that work for the Hermit Kingdom, and that are based in the country.
A Trojan attack on 3CX's source code by North Korean hackers was publicly reported in late March, revealing their source code was stolen. A research team from Mandiant reported this week that they had traced the infection source to a previous attack on Trading Technologies' software supply chain.
Trading Technologies develops software used in financial trading. Researchers from Symantec said on Friday that they had identified two more victims of the Trading Technologies hack that occurred earlier this week.
There was no doubt throughout this whole investigation that the 3CX case had a North Korean connection from the very start. On March 29, a CrowdStrike engineer posted a message on a Reddit thread in which he reported that this had happened.
It has also been confirmed that a North Korean nexus was involved in the attack by a preliminary report to be presented to 3CX by Mandiant - hired to investigate the breach. As well as Syphos, Check Point, Broadcom, Trend Micro, and other security companies have also provided summaries of the events. Most of them attribute the compromise to a group aligned with North Korea, citing various reasons.
In addition to having more than 600,000 clients, 3CX according to their website, boasts several big names in the field. These include American Express, BMW, Air France, Toyota, IKEA, and many others. Shodan's search, conducted on March 30, found over 240,000 phone management systems exposed by 3CX. Huntress, a managed security service provider, reported on March 13, that it received 2,783 incident reports where the binary 3CXDesktopApp.exe matches known malicious hashes. In addition, it has a 3CX-certified certificate attached.
HSBC, a British multinational bank with a presence in more than 155 countries, offered software development services involving Linux backdoors revealed by ESET researchers.
It is believed that anyone who double-clicked on the PDF offer letter downloaded ESET's SimplexTea backdoor for Linux, an operating system known for its lack of security.
SimplexTea has similarities to Bluecall, a North Korean backdoor for Windows computers that had already been identified. This includes the use of domains to construct secure TLS connections similar to SimplexTea domains.
It is also worth noting that the SimplexTea backdoor used the same core implementation of the A5/1 cipher used by North Korean hackers to sabotage Sony Pictures' release of the comedy "The Interview", which depicts Kim Jong Un's death by fiery helicopter as a camera pans through the company's offices.
In addition to this direct connection, Eset also mentions that it shares the network infrastructure with the Trojanized VoIP software that serves as the backdoor for the 3CX hackers. As a command-and-control domain, each of these programs uses journalide.org as its point of control. There is also a similar method of loading the configuration files for SimplexTea malware and 3CX malware.
In a statement released by ESET, the North Korean actors have been identified as the Lazarus Group. Despite this, Mandiant has identified the documents as likely associated with UNC4736, also known as AppleJeus, a Pyongyang hacking activity motivated by profit.
According to Conversant Group's chief executive officer, John Anthony Smith, this Linux-based malware attack shows how threat actors are continuously expanding their arsenals, targets, tactics, and reach to circumvent security controls and practices in place. There is a growing trend among threat actors to expand the range of their malware variants to affect more systems, he added.