
Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise

2023-03-31, Splunk
#SupplyChain #3CXDesktopApp #SmoothOperator


CrowdStrike announced on 3/29/2023 that an active intrusion campaign was targeting 3CX customers using a legitimate, signed binary, 3CXDesktopApp (CISA link). As investigations and public information came out from vendors across the spectrum, 3CX customers of all sizes began investigating their fleets for signs of compromise. These campaigns are often referred to as supply chain compromises, or MITRE ATT&CK T1195. The most notable of these attacks, and the one that brought supply chain security to the forefront of most organizations’ security posture, was SolarWinds. A key lesson from the SolarWinds incident was the difficulty of identifying supply chain compromises at the source. For the 3CXDesktopApp, it was only after a 7-day sleep that the compromised software version began to trigger different anti-virus products and show suspicious behaviors in EDR products.
Organization defenders must consider an attack surface comprising both endpoint and network. Utilizing our defense-in-depth approach, …