Analytics Story: 3CX Supply Chain Attack
Description
On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)
Why it matters
On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
| Sysmon EventID 1 |  Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
References
- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
- https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
- https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898
- https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/
- https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack
- https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/
Source: GitHub | Version: 1