Supply Chain Attack Blamed for Triggering 3CX Breach, Thousands of User Accounts Compromised
- Written by Ari Denial, Cybersecurity & Tech Writer
According to cybersecurity company Mandiant, the recent 3CX supply chain attack, which involved the abuse of popular voice-over-internet-protocol (VoIP) software, was itself triggered by an earlier supply chain attack against Trading Technologies’ futures trading software.
The researchers suspect that the attackers distributed malware through Trading Technologies’ software to pave the way for the 3CX attack. The initial attack allowed the perpetrators to spread a malicious payload through 3CX and compromise thousands of user accounts.
Mandiant, which assisted 3CX in its investigation of the recent supply chain attack, has revealed that the malicious installer for Trading Technologies’ X_TRADER software was responsible for deploying a multi-stage modular backdoor named VEILEDSIGNAL.
The backdoor was designed to execute shellcode, inject a communication module into web browsers like Chrome, Firefox, or Edge, and terminate itself. Mandiant discovered that the attackers, tracked as UNC4736, stole corporate credentials from an employee’s personal computer and used them to move laterally through 3CX’s network, eventually breaching both the Windows and macOS build environments.
The attackers then deployed the TAXHAUL launcher and COLDCAT downloader on the Windows build environment, which persisted through DLL hijacking for the IKEEXT service and ran with LocalSystem privileges.
The cybersecurity firm has also revealed that the macOS build server was compromised with the POOLRAT backdoor, which used LaunchDaemons as a persistence mechanism; persistence was also achieved through DLL side-loading. The malware granted the attackers remote access to all compromised devices over the internet. Mandiant has additionally associated UNC4736 with two clusters of suspected APT43 malicious activity, UNC3782 and UNC4469.
3CX Phone System, which has over 12 million daily users and is used by more than 600,000 businesses globally, including high-profile organizations such as McDonald’s, Coca-Cola, and American Express, was compromised in a supply chain attack, according to Mandiant.
The cybersecurity firm said this was the first software supply chain compromise to have led to another software supply chain compromise, which shows the potential reach of this type of attack when a threat actor is able to chain intrusions in the way seen in this investigation.
Ex-Conti and FIN7 Cybercrime Gangs Unite to Launch Domino Malware
- Written by Ari Denial, Cybersecurity & Tech Writer
In what appears to be a coordinated effort between the FIN7 and ex-Conti cybercrime gangs, a newly developed malware strain called “Domino” has emerged.
This collaboration suggests that the two groups have joined forces, with former members of the now-defunct Conti ransomware gang using the malware. Domino’s primary purpose is to aid in the subsequent exploitation of compromised systems, and it includes an information stealer that has been sold on the dark web since December 2021 but is not widely known.
According to a recently released IBM report, the FIN7 hacking group, which has connections to numerous types of malware as well as the BlackBasta and DarkSide ransomware operations, was responsible for developing the Domino malware.
IBM researchers have found that the ‘Dave Loader’ malware loader, which has been linked to former members of the Conti ransomware and TrickBot groups, has previously been used to deploy Cobalt Strike beacons and Emotet.
However, recently it has been observed installing the new ‘Domino’ malware family, which includes a backdoor and an embedded .NET info-stealer called ‘Nemesis Project.’ The researchers speculate that the backdoor may download more sophisticated malware like Cobalt Strike for high-value targets.
Threat actors often collaborate with other groups to distribute malware and gain initial access to corporate networks; ransomware gangs such as REvil, Maze, and Conti have relied on the likes of TrickBot and Emotet for this purpose. Since the disbanding of Conti, smaller cells have emerged, including BlackBasta, LockBit, and Quantum. IBM has linked the Domino malware family to FIN7 because it shares code overlap with Lizar, and because a loader named ‘NewWorldOrder’, also associated with FIN7, was used to distribute the malware.
The Dave Loader malware, associated with TrickBot/Conti, has been observed pushing the Domino malware, linked to FIN7, which then deploys Project Nemesis or Cobalt Strike beacons associated with ex-Conti ransomware activity. This complicated partnership among threat actors creates challenges for defenders who need to address multiple malware strains that enable remote access to networks.