North Korea Hacking Cryptocurrency Sites with 3CX Exploit

News:

Researchers at Russian cybersecurity firm Kaspersky today revealed that they identified a small number of cryptocurrency-focused firms as at least some of the victims of the 3CX software supply-chain attack that’s unfolded over the past week. Kaspersky declined to name any of those victim companies, but it notes that they’re based in “western Asia.”

Security firms CrowdStrike and SentinelOne last week pinned the operation on North Korean hackers, who compromised 3CX installer software that’s used by 600,000 organizations worldwide, according to the vendor. Despite the potentially massive breadth of that attack, which SentinelOne dubbed “Smooth Operator,” Kaspersky has now found that the hackers combed through the victims infected with its corrupted software to ultimately target fewer than 10 machines—at least as far as Kaspersky could observe so far—and that they seemed to be focusing on cryptocurrency firms with “surgical precision.”

Posted on April 4, 2023 at 10:10 AM • 8 Comments

Comments

Les Ebner April 4, 2023 11:19 AM

The headline screams “MASSIVE” but the article says “breaking into a handful of cryptocurrency companies.”

Another Andy Greenberg classic: attract readers to relatively mundane events with hyperbole. I wonder if he is mildly embarrassed by such ploys.

Doesn’t matter, Schneier consistently gives him coverage.

Winter April 4, 2023 11:52 AM

@Les Ebner

The headline screams “MASSIVE” but the article says “breaking into a handful of cryptocurrency companies.”

That is because the author never writes the headline. A perennial complaint of journalists towards the publishers.

But you might not care. Your wording makes it seem you are just looking for an excuse to discredit the author and our host.

iAPX April 4, 2023 12:35 PM

If the author doesn’t write the headline, it’s not the author, and if this person has any ethics, it should have asked for its name to be removed, if not refused to work in these conditions.

The headline is part of the article and should be vetted by the author.

Winter April 4, 2023 1:24 PM

@iAPX

If the author doesn’t write the headline, it’s not the author, and if this person has any ethics, it should have asked for its name to be removed, if not refused to work in these conditions.

I think your suggestion is silly. At least, that is what the publishing world thinks.

Maybe it is time to inform ourselves about this aspect of the publishing world.

‘https://www.washingtonexaminer.com/lets-stop-arguing-with-headlines-that-the-writer-didnt-write

‘https://archive.thinkprogress.org/why-writers-dont-write-headlines-558decd956d4/

‘https://en.wikipedia.org/wiki/Headline

Robin April 5, 2023 3:11 AM

Complaining about headlines while ignoring the content of an article reminds me of squirrels.

ResearcherZero April 6, 2023 12:41 AM

“Users are reporting a popup that offers a file “update.exe.” This in itself is, of course, highly suspicious. But I was not able to reproduce the issue.”

…The use of obfuscated code is indeed very odd…

Both files are only marked as malicious by two scanners right now: Crowdstrike Falcon and Cynet.

‘https://isc.sans.edu/diary/Supply+Chain+Compromise+or+False+Positive+The+Intriguing+Case+of+efilecom+updated+confirmed+malicious+code/29708

ResearcherZero April 6, 2023 1:42 AM

Uninstall the 3CX Electron Desktop Application from all Windows or Mac OS computers.

Switch to using the PWA Web Client App rather than Desktop App. Read more about this here and how to switch to PWA.
‘https://www.3cx.com/blog/news/security-incident-updates/

“The component loaded by the library is Gopuram’s main module. As mentioned above, its name in the export directory is guard64.dll. The job of the main module is to connect to a C2 server and request commands. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine. Gopuram was additionally observed to launch in-memory modules. Just like the implants used in the 3CX campaign.”
‘https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
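The Kaspersky excerpt quoted above identifies the Gopuram main module by the name recorded in its PE export directory (guard64.dll), which is a field analysts routinely pull when triaging a DLL because it survives renaming on disk. The following is an added example, not code from the blog post, from Kaspersky or from 3CX: a standard-library-only reader for the export-directory name of a PE32 or PE32+ file, plus a comparison against the on-disk filename. The sample DLL image it parses is constructed inline for the demonstration (a minimal PE with one section); nothing in it is taken from the real malware, and the helper and function names are this example's own.

```python
import struct
from typing import Optional


def _build_sample_dll(export_name: bytes, magic: int = 0x20B) -> bytes:
    """Construct a minimal PE image (test fixture only, not a real binary) with a
    single section that holds an export directory whose Name points at export_name.
    magic 0x20B builds PE32+, 0x10B builds PE32."""
    sect_rva, sect_raw = 0x1000, 0x200
    opt_size = 240 if magic == 0x20B else 224
    name_rva = sect_rva + 40                      # string follows the 40-byte export directory
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rva, 1, 0, 0, 0, 0, 0)
    section_data = export_dir + export_name + b"\0"
    section_data += b"\0" * (-len(section_data) % 0x200)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if magic == 0x20B else 0x14C, 1, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    dd_off = 112 if magic == 0x20B else 96                      # start of the data directories
    struct.pack_into("<I", opt, dd_off - 4, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off, sect_rva, len(export_dir) + len(export_name) + 1)
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section_data), sect_rva,
                           len(section_data), sect_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect_hdr
    headers += b"\0" * (sect_raw - len(headers))
    return headers + section_data


def export_directory_name(data: bytes) -> Optional[str]:
    """Return the DLL name stored in the PE export directory, or None if the
    file exports nothing. Raises ValueError on malformed headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 vs PE32+ optional-header layouts
    if dd_off is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    if n_dirs < 1:
        return None
    export_rva, _export_size = struct.unpack_from("<II", data, opt + dd_off)
    if export_rva == 0:
        return None

    # Section table: needed to translate RVAs into file offsets.
    sections = []
    for i in range(n_sections):
        h = opt + opt_size + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, h + 8)
        sections.append((vaddr, vsize, rawptr, rawsize))

    def rva_to_off(rva: int) -> int:
        for vaddr, vsize, rawptr, rawsize in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    exp_off = rva_to_off(export_rva)
    name_rva = struct.unpack_from("<I", data, exp_off + 12)[0]   # IMAGE_EXPORT_DIRECTORY.Name
    name_off = rva_to_off(name_rva)
    end = data.index(b"\0", name_off)
    return data[name_off:end].decode("ascii", errors="replace")


def export_name_mismatch(on_disk_name: str, data: bytes) -> bool:
    """True when the file carries an export-directory name that differs from the
    filename it is stored under (a triage signal, not proof of malice)."""
    exported = export_directory_name(data)
    return exported is not None and exported.lower() != on_disk_name.lower()


if __name__ == "__main__":
    sample = _build_sample_dll(b"guard64.dll")
    print("export directory name:", export_directory_name(sample))
    print("mismatch vs guard64.dll:", export_name_mismatch("guard64.dll", sample))
    print("mismatch vs other.dll:", export_name_mismatch("other.dll", sample))
```

Run against a real file with `export_directory_name(open(path, "rb").read())`; a DLL whose export name does not match its filename is worth a closer look, but legitimate software renames modules too, so treat the result as one triage attribute alongside signature and hash checks.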

be water my friend April 6, 2023 10:22 PM

FWIW there are several ads for 3CX on the Distrowatch.com website. Nothing about the exploit, however.
