
N. Korea uses upgraded backdoor scheme to attack US video-conferencing firm 3CX

April 20, 2023 - 21:49 By Yonhap
South Korean army soldiers stand guard at a military post at the Imjingak Pavilion in Paju, South Korea, near the border with North Korea, Thursday, April 13, 2023. (AP)

North Korea has used its upgraded skills to stage a backdoor attack against the network of US virtual phone service company 3CX last month, Mandiant, Google's cybersecurity unit, said Thursday.

3CX, which provides online voice, video conferencing and messaging services for businesses, found that its software supply chain had been compromised with information-stealing malware planted by a hacker cluster named UNC4736. The cluster is known to be a Lazarus sub-group dubbed Labyrinth Chollima; Lazarus is one of the North Korean government-led secret operations organizations.

"We believe a North Korean nexus threat actor, who we are calling UNC4736, was behind this attack," Charles Carmakal, consulting chief technology officer at Mandiant, said at an online media briefing.

He said Mandiant, which has worked with 3CX to look into the massive breach, discovered that the hackers had not directly attacked the company's network. Instead, they had planted the malware into a separate software package, X Trader, a US financial trading application, which led to the malicious code being transferred to the 3CX network through a 3CX employee's personal computer.

"What happened was an employee of 3CX installed the X Trader software on his personal computer, and it ended up deploying a backdoor on his personal computer, because the X Trader software was laced with malware that we call a veiled signal."

The Mandiant official said the method employed in the attack was more advanced and more sophisticated than the previous schemes that North Korea had used in committing cybercrimes.

"This is very notable to Mandiant because this is the first time that we've ever observed a software supply chain attack lead to another software supply chain attack," he said. "A North Korean threat actor really stepped up their skill and their sophistication, such that they're able to conduct a cascading software supply chain attack."

The company also said North Korea's latest attack against 3CX is targeting cryptocurrency, widely believed to be a source of funding for the reclusive country's nuclear program.

"I think this is likely financially motivated as sort of an end goal, but this targeting also appears to be somewhat opportunistic in terms of the software supply chain," said Ben Read, head of cyber espionage analysis at Mandiant. "This backdoor would allow the North Korean actors in this case to gather some rudimentary information about the server and, sort of more importantly, pull down additional malware to enable more functionality and spread throughout the network." (Yonhap)