"3CX’s Software Supply Chain Compromise: Lessons Learned" published by ReversingLabs. #3CXDesktopApp, #Lazarus, #DPRK, #CTI https://www.reversinglabs.com/blog/lessons-learned-from-3cxs-software-supply-chain-compromise
"3CX’s Software Supply Chain Compromise: Lessons Learned" published by ReversingLabs. #3CXDesktopApp, #Lazarus, #DPRK, #CTI https://www.reversinglabs.com/blog/lessons-learned-from-3cxs-software-supply-chain-compromise
"That's a lot of Single Points of Failure" published by Tay. #3CXDesktopApp, #Hyperliquid, #Lazarus, #Radiant, #DPRK, #CTI https://archive.is/82lZ3
"ROK-UK Joint Cyber Security Advisory(DPRK S/W supply chain attacks)" published by KRNCSC. #3CXDesktopApp, #News, #MagicLine4NX, #CTI, #OSINT, #LAZARUS https://www.ncsc.go.kr:4018/main/cop/bbs/selectBoardArticle.do?bbsId=SecurityAdvice_main&nttId=93472
"State-Sponsored Financially Motivated Attacks" published by Microsoft. #CitrineSleet, #Cryptocurrency, #Slides, #3CXDesktopApp, #CTI, #OSINT, #LAZARUS https://speakerdeck.com/fr0gger/state-sponsored-financially-motivated-attacks
"Analyzing state-sponsored malware on macOS" published by Jamf. #macOS, #JokerSpy, #3CXDesktopApp, #JumpCloud, #RustBucket, #CTI, #OSINT, #LAZARUS https://www.jamf.com/blog/threat-hunting-unraveling-malware-tactics/
"IT threat evolution Q2 2023" published by Kaspersky. #Trend, #3CXDesktopApp, #Trend, #Andariel, #DeathNote, #CTI, #OSINT, #LAZARUS https://securelist.com/it-threat-evolution-q2-2023/110355/
"Mac-ing Sense of the 3CX Supply Chain Attack: Analysis of the macOS Payloads" published by Objecive-see. #SmoothOperator, #3CXDesktopApp, #CTI, #OSINT, #LAZARUS https://speakerdeck.com/patrickwardle/mac-ing-sense-of-the-3cx-supply-chain-attack-analysis-of-the-macos-payloads
"Smooth Operator" published by UKNCSC. #SmoothOperator, #3CXDesktopApp, #CTI, #OSINT, #LAZARUS https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/smooth-operator/NCSC_MAR-Smooth-Operator.pdf
"Security Update Mandiant Initial Results" published by 3CX. #SupplyChain, #UNC4736, #SmoothOperator, #TAXHAUL, #3CXDesktopApp, #CTI, #OSINT, #LAZARUS https://www.3cx.com/blog/news/mandiant-initial-results/
Tools, Code Used to Hack 3CX Desktop Confirm Lazarus Cyberespionage Group's Involvement https://www.bankinfosecurity.com/north-korean-lazarus-group-linked-to-3cx-supply-chain-hack-a-21597 The shellcode sequence appears to have been only used in the ICONIC loader and the APPLEJEUS malware, which is known to be linked to Lazarus. Prajeet Nair #lazarus #nkorea #3cxdesktopapp
@sebsauvage
Supply chain compromise at softphone vendor #3cx
Several users report that passwords stored in their browser were stolen and used
CIOs of large companies such as Pepsi and Mercedes are very upset
By the time we had validated the alert on our side: emergency uninstall of #3cxdesktopapp across the entire fleet while waiting for Monday
#3cxapocalypse
https://www.huntress.com/blog/contextualizing-events-enabling-defense-what-3cx-means
For any #3CX #3CXDesktopApp users - a reminder to MOVE AWAY FROM the Electron-based desktop app, and migrate to the browser variant (PWA) ASAP for continuity of operations while satisfying security concerns!
https://www.3cx.com/blog/news/pwa-vs-windows-legacy-app/
Originally posted by The Hacker News / @TheHackersNews: http://nitter.platypush.tech/TheHackersNews/status/1641737567715438592#m
R to @TheHackersNews: The attack appears to have compromised 3CX's software build pipeline to distribute Windows and #macOS versions of the app package or poisoned an upstream dependency. The scale of the attack is currently unknown. 🔎
So it looks like macOS versions of #3CXDesktopApp were dorked potentially as early as January - but reporting from CyberScoop (https://cyberscoop.com/3cx-supply-chain-attack/) indicates there were only a few thousand macOS installs. When the Windows version debuted in March, the dorked update would've gone out to tens if not hundreds of thousands of endpoints quickly. Unlike incidents such as Kaseya where automated actions led to scripted ransomware deployment, the #3CX compromise appears to prep for interactive post-access ops.
WTF would you do if suddenly you had 10-100k compromised endpoints and no easy way to quickly triage them?
If this was #DPRK or #Lazarus affiliated, this is the second time they shot themselves in the dick after Wannacry.
The first reflective loader used in the 3CX supply chain attack is based on sRDI (DAVESHELL). Here is an Intezer gene analysis of the shellcode: https://analyze.intezer.com/analyses/7153edf9-7d0f-4892-a1b0-342baf7c14ee
Here is the DLL it loads: https://analyze.intezer.com/analyses/e48d000e-9a87-4cd6-b587-4fad1654e75e
Some of the "additional code" that was added to ffmpeg was extracted and analyzed here: https://analyze.intezer.com/analyses/198ca441-017a-4657-ad87-43956a174b50. Under the code tab, you generate a yara rule that can be used to hunt for similar compromised files.
📢 SentinelOne has dubbed the attack "Smooth Operator," while CrowdStrike suspects the involvement of a North Korean government-state actor known as LABYRINTH CHOLLIMA.
Read more: https://www.hackread.com/3cx-desktop-app-supply-chain-attack/
Referenced link: https://thehackernews.com/2023/03/3cx-desktop-app-targeted-in-supply.html
Originally posted by The Hacker News / @TheHackersNews: http://nitter.platypush.tech/TheHackersNews/status/1641423529274134529#m
⚠️ 🚨 Active supply chain attack targets popular voice and video conferencing software #3CXDesktopApp, affecting hundreds of well-known brands and millions of users.
Learn more: https://thehackernews.com/2023/03/3cx-desktop-app-targeted-in-supply.html