AppSec & Supply Chain Security | April 13, 2023

The Week in Security: 3CX attackers identified as North Korean, CISA pushes Secure by Design

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond.

Carolynn van Arsdale, Writer, ReversingLabs

This week: New assessments show that the attackers behind the 3CX software supply chain attack are North Korean. Also: CISA has released a new policy initiative that puts the responsibility of cybersecurity on big tech.

This Week’s Top Story

New evidence finds that actors behind the recent 3CX software supply chain attack are North Korean

In late March, it was discovered that 3CX, a voice over IP (VoIP) solution, had become the target of a software supply chain attack similar in execution to "SolarStorm," the 2020 attack on SolarWinds Orion software. In the 3CX attack, previously unknown malicious actors tampered with the company's software update for its 3CXDesktopApp, which resulted in malware being served to the company's customer base. Now, 3CX has confirmed that the actors behind this targeted attack are based in North Korea.

This was confirmed by an interim assessment performed by security firm Mandiant, which 3CX enlisted to aid it in the aftermath of the attack. CrowdStrike, another security firm, has also assessed the attack and has attributed it to a subgroup of Lazarus (Labyrinth Chollima), a North Korea-based cybercriminal group.

According to Mandiant's research, these North Korean attackers managed to infect 3CX systems with malware codenamed TAXHAUL, designed to decrypt and load shellcode containing a "complex downloader" known as COLDCAT. 3CX said last week that it is aware of only a handful of cases in which the malware was actually activated on customers' systems.

Unlike most other software supply chain attacks, which take place on public platforms and aim to impact as many users as possible, this attack on 3CX was clearly planned and targeted to take advantage of the company's customer base. To learn more about how this software supply chain attack on 3CX occurred, check out ReversingLabs reverse engineer Karlo Zanki's analysis of the incident.

News Roundup

Here are the stories we’re paying attention to this week…

Secure by Design, Secure by Default (CISA)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new resource that details the agency's newest goal for the tech industry: any and all products set to be released should be secure both by design and by default. The hope is that this thinking will shift the burden of cyber threats away from consumers and small businesses.

U.S. cyber chiefs warn AI will help crooks, China develop nastier cyberattacks faster (The Register)

Bots like ChatGPT may not be able to pull off the next big Microsoft server worm or Colonial Pipeline ransomware super-infection, but they may help criminal gangs and nation-state hackers develop some attacks against IT, according to Rob Joyce, director of the NSA's Cybersecurity Directorate.

Hacked sites caught spreading malware via fake Chrome updates (BleepingComputer)

Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors, which distribute malware to unsuspecting visitors. The campaign has been underway since November 2022, and it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish.

Israel-based spyware firm QuaDream targets high-risk iPhones with zero-click exploit (The Hacker News)

Threat actors using hacking tools from an Israeli surveillance-ware vendor named QuaDream targeted at least five members of civil society in several continents in 2021. According to findings from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker.

Microsoft patches zero-day bug exploited by ransomware group (Bank Info Security)

Microsoft released updates for all versions of Windows to fix 114 vulnerabilities, including a zero-day flaw being exploited by crypto-locking extortionists. Microsoft said that "an attacker who successfully exploited this vulnerability could gain system privileges," giving them full access to the system.

Following the Lazarus group by tracking the DeathNote campaign (SecureList)

“The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns (..) In this blog, we’ll focus on an active cluster that we dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll.”


Tags: AppSec & Supply Chain Security
