North Korean Hackers Use Trojanized 3CX DesktopApp in Supply Chain Attacks

Written by

Threat actors suspected to be operating for the North Korean government have been observed trojanizing versions of the voice and video calling desktop client 3CX DesktopApp to launch attacks against several victims.

The Symantec threat intelligence team shared the findings in an advisory published earlier today, explaining the attackers’ tactics were similar to those used against SolarWinds in 2022.

Read more on SolarWinds here: SEC Announces ‘Enforcement Action’ For SolarWinds Over 2020 Hack

“In an attack reminiscent of SolarWinds, installers for several recent Windows and Mac versions of the software were compromised and modified by the attackers in order to deliver additional information stealing malware to the user’s computer,” reads the technical write-up. 

According to the security team, the information gathered by the malware possibly enabled attackers to gauge if the victim was a candidate for further compromise.

“This is a classic supply chain attack, designed to exploit trust relationships between an organization and external parties; this includes partnerships with vendors or the use of a third-party software which most businesses are reliant on in some way,” commented Lotem Finkelstein, director of threat intelligence & research at Check Point Software.

“This incident is a reminder of just how critical it is that we do our due diligence in terms of scrutinizing who we conduct business with.”

Symantec also confirmed it warned 3CX about the attacks, with the company advising users to immediately uninstall the app as it works on an update addressing the issue in the next few hours.

“This is, unfortunately, a recurrence of an issue we have seen many times before and most likely will see again in the future,” said Michael White, technical director and principal architect at Synopsys.

“The good news is that the wider industry as well as government initiatives driven by groups such as NIST and CISA have already proposed a suite of countermeasure techniques which can be adopted such as SLSA and the guidance found within the NIST SSDF.”

The Symantec advisory comes months after CISA, NSA and npm released their most recent software supply chain guidance.

What’s hot on Infosecurity Magazine?