A report prepared by Google’s Mandiant security business identifies a North Korean hacking team as the most likely source of a supply chain attack against a softphone made by 3CX.

The attack came to light in late March, when endpoint security products from SentinelOne and CrowdStrike began flagging and blocking the 3CX desktop app.
At the time, SentinelOne said that “the trojanised 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to a third stage infostealer DLL still being analysed as of the time of writing”.
3CX advised users to uninstall the desktop app and switch to the web version, and engaged Mandiant to find out what had happened.
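The ICO-with-appended-base64 stage SentinelOne describes is something a responder can check for directly, because a well-formed ICO file says exactly where its image data ends. The following Python is an added example, not code from SentinelOne, 3CX or Mandiant: it parses the ICONDIR and ICONDIRENTRY table, computes the offset past the last embedded image, and treats any base64 text after that point as a hidden payload. The sample file, the placeholder image bytes and the helper names are constructed for this example.

```python
import base64
import re
import struct
from typing import List, Optional

# A run of base64 alphabet characters with optional '=' padding (example heuristic).
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def ico_image_end(data: bytes) -> int:
    """Parse the ICO directory and return the offset just past the last image.

    ICONDIR is 6 bytes: reserved (0), type (1 = icon), image count.
    Each ICONDIRENTRY is 16 bytes and ends with dwBytesInRes and dwImageOffset.
    Raises ValueError if the header is malformed or an entry points past EOF.
    """
    if len(data) < 6:
        raise ValueError("too short for an ICONDIR header")
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count
    if len(data) < end:
        raise ValueError("truncated ICONDIRENTRY table")
    for i in range(count):
        # bWidth, bHeight, bColorCount, bReserved, wPlanes, wBitCount, dwBytesInRes, dwImageOffset
        _, _, _, _, _, _, size, offset = struct.unpack_from("<BBBBHHII", data, 6 + 16 * i)
        if offset + size > len(data):
            raise ValueError("image entry points past end of file")
        end = max(end, offset + size)
    return end


def extract_appended_base64(data: bytes) -> Optional[bytes]:
    """Return the decoded payload if base64 text trails the last image, else None."""
    trailer = data[ico_image_end(data):].strip()
    if not trailer or not _B64_RE.match(trailer):
        return None
    try:
        # validate=True rejects anything outside the base64 alphabet; bad padding also raises.
        return base64.b64decode(trailer, validate=True)
    except ValueError:
        return None


def build_sample_ico(payload: bytes) -> bytes:
    """Construct a minimal one-entry ICO with `payload` appended as base64 (test fixture)."""
    image = b"\x00" * 40  # placeholder image bytes; a real file holds a BMP or PNG here
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image + base64.b64encode(payload)


def scan_files(files: List[bytes]) -> List[int]:
    """Return the indices of files that carry an appended base64 payload."""
    flagged = []
    for idx, blob in enumerate(files):
        try:
            if extract_appended_base64(blob) is not None:
                flagged.append(idx)
        except ValueError:
            continue  # not a parseable ICO; out of scope for this check
    return flagged


if __name__ == "__main__":
    sample = build_sample_ico(b"constructed second-stage payload")
    print(extract_appended_base64(sample))
```

The check is deliberately structural: it trusts the directory offsets rather than searching the whole file for base64-looking runs, so image data that happens to contain alphabet characters does not trigger it. A real triage script would also want to flag files whose directory entries overlap or point outside the file, which this parser reports as a ValueError.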
CEO Nick Galea has now detailed the initial results of Mandiant’s work.
According to Galea, Mandiant attributed the attack to “a cluster named UNC4736.”
“Mandiant assesses with high confidence that UNC4736 has a North Korean nexus.”
Windows systems, Galea said, were attacked with a loader called TAXHAUL, while macOS attacks used a backdoor called SIMPLESEA, which Mandiant is still analysing.
The Windows attacks achieved persistence via DLL side-loading, and the command and control domains the malware used included azureonlinecloud[.]com, akamaicontainer[.]com, journalide[.]org and msboxonline[.]com (written defanged with “[.]” so they cannot be followed accidentally).
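The four domains above are the kind of indicator a SOC would sweep DNS logs for. The following Python is an added example, not code from 3CX or Mandiant: it refangs the indicators as printed, then matches query names against them with subdomain awareness, so `cdn.akamaicontainer.com` hits while `msboxonline.com.example.org` does not (a plain substring search would wrongly flag the latter). The log layout and the log lines are constructed for this example.

```python
import re
from typing import FrozenSet, List, Tuple

# C2 domains reported for the 3CX attack, defanged exactly as printed above.
DEFANGED_C2 = [
    "azureonlinecloud[.]com",
    "akamaicontainer[.]com",
    "journalide[.]org",
    "msboxonline[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator (or a logged qname) into a canonical hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


C2_DOMAINS: FrozenSet[str] = frozenset(refang(d) for d in DEFANGED_C2)


def is_c2_lookup(qname: str, iocs: FrozenSet[str] = C2_DOMAINS) -> bool:
    """True if qname equals an indicator or is a subdomain of one (label-boundary match)."""
    q = refang(qname)
    return any(q == d or q.endswith("." + d) for d in iocs)


# Constructed sample log in a simple "<timestamp> <client> <qname> <qtype>" layout.
SAMPLE_DNS_LOG = """\
2023-03-30T09:12:01Z 10.1.4.22 www.3cx.com A
2023-03-30T09:12:05Z 10.1.4.22 akamaicontainer.com A
2023-03-30T09:12:09Z 10.1.4.31 cdn.akamaicontainer.com AAAA
2023-03-30T09:13:44Z 10.1.4.22 raw.githubusercontent.com A
2023-03-30T09:15:02Z 10.1.4.57 msboxonline.com.example.org A
2023-03-30T09:16:10Z 10.1.4.57 MSBOXONLINE.COM. A
"""

_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def find_c2_lookups(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every line whose query hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the sweep
        ts, client, qname, _qtype = m.groups()
        if is_c2_lookup(qname):
            hits.append((ts, client, qname))
    return hits


if __name__ == "__main__":
    for ts, client, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname}")
```

The match runs on label boundaries (`endswith("." + ioc)`) rather than substrings, and normalises case and the trailing dot that some resolvers log, which is what keeps the false positive on line five out while still catching the upper-cased query on line six.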
In a separate post, Galea also promised a security-only update of the 3CX software.
A QA release of the update is expected this week, he said, with alpha and beta releases next week ahead of general availability.
Security features of the update will include hashing all web login passwords so that administrators can no longer see them; removing security information, including passwords, from the welcome email; and restricting web admin access by IP address.
While there will be an update to the desktop client, 3CX still recommends users favour the web application.