Response to Lazarus' 3CX Supply Chain Compromise
Contents
In March 2023, multiple security vendors began reporting the detection of malicious activity coming from a legitimate and signed binary called “3CXDesktopApp”. The activity was detected on March 22, 2023, when users of 3CX began to notice potential false-positive detections of 3CXDesktopApp by their endpoint security agents.
The compromised binary in this case is a software-based Private Automatic Branch Exchange (PABX) Voice over Internet Protocol (VoIP) phone system developed by the company 3CX, and it was compromised through a supply chain attack suspected to have the involvement of the North Korean-based adversary known as Lazarus Group. Lazarus Group, also known as Hidden Cobra, is a state-sponsored adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK), whose activities were previously emulated by AttackIQ in early 2023.
According to the intelligence reported by CrowdStrike, the malicious activity detected includes beaconing information to adversary-controlled infrastructure, deploying second-stage payloads …
The compromised binary in this case is a software-based Private Automatic Branch Exchange (PABX) Voice over Internet Protocol (VoIP) phone system developed by the company 3CX, and it was compromised through a supply chain attack suspected to have the involvement of the North Korean-based adversary known as Lazarus Group. Lazarus Group, also known as Hidden Cobra, is a state-sponsored adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK), whose activities were previously emulated by AttackIQ in early 2023.
According to the intelligence reported by CrowdStrike, the malicious activity detected includes beaconing information to adversary-controlled infrastructure, deploying second-stage payloads …