Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise
CrowdStrike announced on 3/29/2023 that an active intrusion campaign was targeting 3CX customers utilizing a legitimate, signed binary, 3CXDesktopApp (CISA link). As investigations and public information came out from vendors all across the spectrum, 3CX customers of all sizes began investigating their fleets for signs of compromise. These campaigns are often referred to as supply chain compromises, or MITRE ATT&CK T1195. The most notable of these attacks, which brought supply chain security to the forefront of most organizations’ security posture, was SolarWinds. A notable lesson from dealing with the SolarWinds vulnerability was the difficulty of identifying supply chain compromises at the source. For the 3CXDesktopApp, it was only after a 7-day sleep that the compromised software version began to trigger different anti-virus products and show suspicious behaviors in EDR products.
Organization defenders must consider an attack surface comprising both endpoint and network. Utilizing our defense in depth approach, …
IoC
11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
5c54932fdbb077d73c58ac41a1ad3f6ea5576b3e1f719c8b714b637c9ceb361b
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02
https://akamaitechcloudservices.com/v2/storage
https://azuredeploystore.com/cloud/services
https://azureonlinestorage.com/azure/storage
https://glcloudservice.com/v1/console
https://msedgepackageinfo.com/microsoft-edge
https://msstorageazure.com/window
https://msstorageboxes.com/office
https://officeaddons.com/technologies
https://officestoragebox.com/api/session
https://pbxsources.com/exchange
https://raw.githubusercontent.com/IconStorages/images/main/icon%d.ico
https://sourceslabs.com/downloads
https://visualstudiofactory.com/workload
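The IoC list above covers both sides of the attack surface the post names: file hashes for the endpoint and C2 URLs for the network. As an added example (not Splunk's code and not SPL), the Python below matches key=value event lines against exactly those published indicators. It makes two choices a practitioner needs to get right: the GitHub URL carries a `%d` placeholder, so it is compiled into a pattern (`icon\d+.ico`) rather than compared literally, and `raw.githubusercontent.com` is a shared host used by plenty of legitimate traffic, so it is matched only on its full path, never on the host alone, while the attacker-registered domains are matched at host level. The event lines, the `sha256`/`url` field names and the file path are constructed for the example.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Indicators copied from the IoC list above: SHA-256 hashes and C2 URLs.
IOC_SHA256 = frozenset({
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03",
    "5c54932fdbb077d73c58ac41a1ad3f6ea5576b3e1f719c8b714b637c9ceb361b",
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896",
    "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02",
})
IOC_URLS = (
    "https://akamaitechcloudservices.com/v2/storage",
    "https://azuredeploystore.com/cloud/services",
    "https://azureonlinestorage.com/azure/storage",
    "https://glcloudservice.com/v1/console",
    "https://msedgepackageinfo.com/microsoft-edge",
    "https://msstorageazure.com/window",
    "https://msstorageboxes.com/office",
    "https://officeaddons.com/technologies",
    "https://officestoragebox.com/api/session",
    "https://pbxsources.com/exchange",
    "https://raw.githubusercontent.com/IconStorages/images/main/icon%d.ico",
    "https://sourceslabs.com/downloads",
    "https://visualstudiofactory.com/workload",
)

# Hosts shared with legitimate traffic: alert only on the full path, never on the host alone.
SHARED_HOSTS = frozenset({"raw.githubusercontent.com"})


def url_to_regex(url: str) -> re.Pattern:
    """Compile an IoC URL into a regex; the published '%d' stands for a decimal number."""
    parts = [re.escape(p) for p in url.split("%d")]
    return re.compile("^" + r"\d+".join(parts) + r"(?:[/?#].*)?$", re.IGNORECASE)


IOC_URL_PATTERNS = [url_to_regex(u) for u in IOC_URLS]
# Attacker-controlled hosts only (shared hosts are excluded from host-level matching).
IOC_HOSTS = frozenset(
    urlparse(u).hostname for u in IOC_URLS if urlparse(u).hostname not in SHARED_HOSTS
)


def parse_kv(line: str) -> dict:
    """Parse a key=value event line; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def match_event(line: str) -> list[str]:
    """Return the reasons an event matches an IoC (empty list when it is clean)."""
    ev = parse_kv(line)
    hits = []
    sha = ev.get("sha256", "").lower()
    if sha in IOC_SHA256:
        hits.append(f"sha256 {sha[:12]}... matches a published 3CX IoC hash")
    url = ev.get("url", "")
    if url:
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_HOSTS:
            hits.append(f"host {host} is a known C2 domain")
        elif any(p.match(url) for p in IOC_URL_PATTERNS):
            hits.append(f"url {url} matches a known C2 path pattern")
    return hits


def scan(lines) -> list[tuple[str, list[str]]]:
    """Scan event lines and return (line, reasons) for every match."""
    return [(line, match_event(line)) for line in lines if match_event(line)]


# Constructed sample events (not real telemetry): one EDR file event, three proxy events.
# The last one is benign GitHub traffic and must not be flagged.
SAMPLE_EVENTS = [
    'ts=2023-03-30T08:01:02Z src=edr host=WS-042 action=file_write path="C:\\Temp\\sample.bin" sha256=7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896',
    'ts=2023-03-30T08:01:10Z src=proxy host=WS-042 url=https://raw.githubusercontent.com/IconStorages/images/main/icon7.ico status=200',
    'ts=2023-03-30T08:02:33Z src=proxy host=WS-042 url=https://msstorageazure.com/window status=200',
    'ts=2023-03-30T08:03:00Z src=proxy host=WS-017 url=https://raw.githubusercontent.com/someorg/repo/main/README.md status=200',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_EVENTS):
        print(parse_kv(line)["host"], "->", "; ".join(reasons))
```

Run as-is it reports the three matching events and stays silent on the benign GitHub fetch; the same split (host-level for registered C2 domains, path-pattern for shared hosts) carries over directly to a lookup-based search in the SIEM.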