Supply chain
Primary Source: Mandiant / Google Cloud Blog / Krebs on Security
Incident Details
Lazarus Group (North Korea; the subunit tracked as Labyrinth Chollima) trojanized 3CX DesktopApp versions 18.12.407 and 18.12.416 for Windows and Mac. The trojanized app delivered the SUDDENICON downloader, which retrieved encrypted C2 information from icon files hosted on GitHub and then dropped ICONICSTEALER, a browser information stealer. 3CX serves 600,000+ companies with up to 12M daily users (customers include Toyota, Mercedes, Coca-Cola and the NHS). This was a double supply chain compromise: the initial infection at 3CX was traced back to a compromised Trading Technologies X_TRADER software installer. The campaign targeted cryptocurrency firms.
Technical Details
- Initial Attack Vector
  - CWE-506: Embedded Malicious Code (malicious DLL sideloaded into the 3CX DesktopApp installer; 3CX itself was seeded via a poisoned Trading Technologies X_TRADER installer)
- Vendor / Product
  - 3CX DesktopApp
- Software Package
  - 3CX DesktopApp
- Malware Family
  - SUDDENICON downloader / ICONICSTEALER infostealer
- CVE / GHSA References
  - CVE-2023-29059
- Supply Chain Attack
  - Confirmed third-party / vendor compromise
Timeline
- 2023-03-16 Breach occurred
- 2023-03-29 Publicly disclosed
- 2023-03-30 Customers notified