Cryptocurrency Firms Targeted in Advanced 3CX Supply Chain Attack

April 4, 2023
Cryptocurrency / Cyber Attack

A sophisticated supply chain attack on 3CX has led to a second-stage implant specifically targeting a select number of cryptocurrency firms. Kaspersky, a Russian cybersecurity company, has been monitoring this adaptable backdoor, known as Gopuram, since 2020. They noted a surge in infections coinciding with the March 2023 3CX breach. Gopuram’s main purpose is to connect to a command-and-control (C2) server, enabling attackers to interact with the victim’s file system, initiate processes, and execute up to eight in-memory modules. The malware has ties to North Korea, as it has been found on victim machines alongside AppleJeus, another backdoor linked to the Korean-speaking Lazarus group, which previously targeted a cryptocurrency company in Southeast Asia in 2020. This recent focus on cryptocurrency firms underscores a troubling trend.

On April 4, 2023, cybersecurity reports emerged detailing a sophisticated supply chain attack targeting the 3CX communication software, with a specific focus on a select group of cryptocurrency companies. The cyber threat actors employed a second-stage implant, which has been internally tracked by Russian cybersecurity firm Kaspersky under the designation Gopuram since its discovery in 2020. Kaspersky noted a significant uptick in infections reported in March 2023, coinciding closely with the 3CX breach.

Gopuram functions primarily as a backdoor that connects to a command-and-control (C2) server, awaiting directives that enable the attackers to manipulate the victim’s file system, initiate processes, and execute up to eight in-memory modules. The attack reflects a concerning trend in which cryptocurrency firms become prime targets for cybercriminals. Notably, the Gopuram implant has shown links to the well-known North Korean cyber threat actor Lazarus, particularly through its co-occurrence with the AppleJeus backdoor. This connection suggests a history of coordinated attacks against the cryptocurrency sector, including an incident in 2020 involving a Southeast Asian crypto firm.

The primary targets of this attack are cryptocurrency companies, indicating that cyber adversaries continue to exploit this burgeoning market. Given the lucrative nature of cryptocurrencies and their ever-increasing adoption, it is clear that they attract the attention of sophisticated threat actors.

This supply chain compromise raises significant questions about the security practices of organizations that rely on third-party software. The tactics the attackers likely employed map to the MITRE ATT&CK framework, particularly the initial access, persistence, and privilege escalation tactics. Initial access may have been achieved through compromised software updates, while persistence could be maintained through the Gopuram implant, giving the attackers continued access to the network.

Furthermore, privilege escalation is a critical aspect of this attack, enabling the adversaries to maneuver within the compromised systems and access sensitive data. This incident serves as a stark reminder of the threats posed by supply chain vulnerabilities and the need for robust security measures, particularly for companies operating in high-stakes sectors like cryptocurrency.

As the landscape of cyber threats continues to evolve, business owners must remain vigilant. Understanding the tactics employed by adversaries and preparing defenses against such attacks is paramount. Investing in strong cybersecurity measures and staying informed about potential vulnerabilities can help mitigate risks and protect sensitive assets in this increasingly perilous digital environment.