Supply chain attacks are some of the most damaging cybersecurity incidents, capable of infecting a massive number of unsuspecting users and companies through widely used and trusted software. And although the majority of such attacks impact Windows-based computers, the recent nation-state attack against the popular PBX software provider 3CX, was also capable of infecting macOS systems.
Believed to be the first "chained" supply chain attack (where initial access to 3CX was gained via a separate supply chain attack), this talk will focus on its macOS payloads. To start, we will analyze the implant installed by the attackers to maintain persistent access to 3CX's macOS build server. Then, we will dive into the malicious library that was surreptitiously slipstreamed into a malicious update and installed globally by 3CX's unsuspecting macOS enterprise users. Lastly, we'll detail the core capabilities of the self-deleting 2nd-stage payload, as well as tackle several questions it raised.
The talk will conclude by highlighting heuristic methods of detection capable of thwarting various aspects of this specific attack, even without prior knowledge. Furthermore, we will demonstrate how these approaches can be leveraged to detect and mitigate future supply chain attacks as well.