Lazarus and the 3CX Double Software Supply Chain Attack
May 2, 2023
EXECUTIVE SUMMARY
In March 2023, threat actors compromised the desktop application of 3CX, a popular Voice Over Internet Protocol (VoIP) phone system software provider, in a supply chain attack. The threat actors gained access to 3CX’s build server and injected a malicious backdoor into the application’s setup package. The threat actors were then able to steal data and execute commands on infected devices.
The chaos didn’t stop there. Mandiant investigated the 3CX supply chain attack after the initial compromise and found that the North Korean cluster UNC4736 was involved. Kaspersky also found that the North Korean APT Lazarus deployed a backdoor named Gopuram onto the devices of some 3CX customers as a second-stage payload during the same incident. Lazarus has been known to use Gopuram to target cryptocurrency companies since 2020. After much speculation, security …