"3CX’s Software Supply Chain Compromise: Lessons Learned" published by ReversingLabs. #3CXDesktopApp, #Lazarus, #DPRK, #CTI https://www.reversinglabs.com/blog/lessons-learned-from-3cxs-software-supply-chain-compromise
3CX’s Software Supply Chain Compromise: Lessons Learned

3CX has transformed its software security in the two years since a damaging compromise — and RL was there to help. Here are key takeaways.

ReversingLabs
"That's a lot of Single Points of Failure" published by Tay. #3CXDesktopApp, #Hyperliquid, #Lazarus, #Radiant, #DPRK, #CTI https://archive.is/82lZ3
"ROK-UK Joint Cyber Security Advisory (DPRK S/W supply chain attacks)" published by KRNCSC. #3CXDesktopApp, #News, #MagicLine4NX, #CTI, #OSINT, #LAZARUS https://www.ncsc.go.kr:4018/main/cop/bbs/selectBoardArticle.do?bbsId=SecurityAdvice_main&nttId=93472
National Cyber Security Center (국가사이버안보센터)

Information on preventing and responding to cyber threats from international and state-backed hacking groups, and on the security conformance and cryptographic module validation programs.

State-Sponsored Financially Motivated Attacks

This is a presentation delivered at Melbourne AISA in October 2023 about an investigation into a nation-state campaign targeting the cryptocurrency industry.

Speaker Deck
macOS Threat Hunting: Unraveling RustBucket Malware Tactics

Master macOS threat hunting by delving into RustBucket malware analysis. Discover tactics of the notorious BlueNoroff APT and equip yourself with defense strategies.

IT threat evolution in Q2 2023

Q2 2023 overview: targeted attacks such as Operation Triangulation, CloudWizard and Lazarus activity, Nokoyawa ransomware, and others.

Kaspersky
"Mac-ing Sense of the 3CX Supply Chain Attack: Analysis of the macOS Payloads" published by Objective-See. #SmoothOperator, #3CXDesktopApp, #CTI, #OSINT, #LAZARUS https://speakerdeck.com/patrickwardle/mac-ing-sense-of-the-3cx-supply-chain-attack-analysis-of-the-macos-payloads
Mac-ing Sense of the 3CX Supply Chain Attack: Analysis of the macOS Payloads

Supply chain attacks are some of the most damaging cybersecurity incidents, capable of infecting a massive number of unsuspecting users and companies through widely used and trusted software. And although the majority of such attacks impact Windows-based computers, the recent nation-state attack against the popular PBX software provider 3CX was also capable of infecting macOS systems. It is believed to be the first "chained" supply chain attack (where initial access to 3CX was gained via a separate supply chain attack), and this talk focuses on its macOS payloads. To start, we analyze the implant installed by the attackers to maintain persistent access to 3CX's macOS build server. Then, we dive into the malicious library that was surreptitiously slipstreamed into a malicious update and installed globally by 3CX's unsuspecting macOS enterprise users. Lastly, we detail the core capabilities of the self-deleting 2nd-stage payload, as well as tackle several questions it raised. The talk concludes by highlighting heuristic methods of detection capable of thwarting various aspects of this specific attack, even without prior knowledge. Furthermore, we demonstrate how these approaches can be leveraged to detect and mitigate future supply chain attacks as well.

Speaker Deck
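The abstract above mentions a self-deleting 2nd-stage payload and heuristic detection that needs no prior knowledge of the sample. One such heuristic is to look for processes that are still running although the executable they were launched from is gone: a payload that unlinks its own binary keeps executing from the mapped image, but the kernel still records where it came from. The script below is an added example written for this page, not code from the talk, from Objective-See or from 3CX. It assumes a Linux-style /proc layout, where /proc/<pid>/exe is a symlink whose target gains the suffix " (deleted)" once the file is unlinked; macOS has no /proc, and there the same "executable path no longer exists" test would be fed from proc_pidpath() or `lsof -p <pid>` instead (an assumption, not something the talk prescribes). The process table it scans in demo() is a constructed fixture.

```python
"""Heuristic: flag running processes whose on-disk executable has been unlinked.

Added example, not from the talk or from Objective-See. Assumption: a Linux-style
/proc tree (readlink(/proc/<pid>/exe) ends in " (deleted)" after unlink). On macOS
the path would come from proc_pidpath() or lsof instead; the decision logic in
classify_exe_target() is the same either way.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

DELETED_SUFFIX = " (deleted)"  # what the Linux kernel appends to an unlinked exe target


@dataclass(frozen=True)
class Finding:
    pid: int
    exe_target: str   # raw target of the exe link
    reason: str


def classify_exe_target(target: str, exists: bool) -> Optional[str]:
    """Return a reason string if the executable path looks unlinked, else None.

    `target` is the link target as read; `exists` says whether a file is present
    at that path once any " (deleted)" suffix is stripped. Taking `exists` as a
    parameter keeps the decision free of filesystem access so it is unit-testable.
    """
    if target.endswith(DELETED_SUFFIX):
        return "kernel marks executable as deleted"
    if not exists:
        return "executable path no longer present on disk"
    return None


def find_deleted_executables(proc_root: str = "/proc") -> List[Finding]:
    """Walk every numeric <pid> directory under proc_root and flag processes
    whose exe link points at a file that is gone."""
    findings: List[Finding] = []
    for entry in sorted(os.listdir(proc_root), key=lambda e: (len(e), e)):
        if not entry.isdigit():
            continue
        link = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(link)
        except OSError:
            # kernel threads have no exe; other users' processes need root
            continue
        plain = target[:-len(DELETED_SUFFIX)] if target.endswith(DELETED_SUFFIX) else target
        reason = classify_exe_target(target, os.path.exists(plain))
        if reason:
            findings.append(Finding(int(entry), target, reason))
    return findings


def build_fixture(root: str) -> None:
    """Construct a fake /proc tree: one benign process and two suspicious ones.
    Constructed demonstration data, not a real process table."""
    good_bin = os.path.join(root, "usr", "bin", "sshd")
    os.makedirs(os.path.dirname(good_bin), exist_ok=True)
    with open(good_bin, "wb") as fh:
        fh.write(b"\x7fELF")
    for pid, target in (
        (101, good_bin),                                               # binary still on disk
        (202, os.path.join(root, "tmp", "stage2") + DELETED_SUFFIX),   # unlinked after exec
        (303, os.path.join(root, "tmp", "dropper")),                   # link intact, file gone
    ):
        os.makedirs(os.path.join(root, str(pid)))
        os.symlink(target, os.path.join(root, str(pid), "exe"))


def demo() -> List[Finding]:
    """Build the constructed fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return find_deleted_executables(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"pid {f.pid}: {f.reason} ({f.exe_target})")
```

Run against a live system with `find_deleted_executables()` (root is needed to read other users' exe links). Legitimate hits do occur, for example a daemon whose package was upgraded underneath it, so the heuristic is a triage signal to pair with the process's network activity and parent, not a verdict on its own.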
Tools, Code Used to Hack 3CX Desktop Confirm Lazarus Cyberespionage Group's Involvement https://www.bankinfosecurity.com/north-korean-lazarus-group-linked-to-3cx-supply-chain-hack-a-21597 The shellcode sequence appears to have been only used in the ICONIC loader and the APPLEJEUS malware, which is known to be linked to Lazarus. Prajeet Nair #lazarus #nkorea #3cxdesktopapp
North Korean Lazarus Group Linked to 3CX Supply Chain Hack

Security researchers have uncovered more evidence that the North Korean Lazarus group is responsible for the software supply chain attack on 3CX, a voice and video