3CXDesktopApp Supply Chain Attack

### 3CXDesktopApp Supply Chain Attack #### Executive Summary On March 29, 2023, CrowdStrike [released a blog](https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/) discussing a supply chain attack involving a software-based phone application called [3CXDesktopApp](https://www.3cx.com/). As of March 30, the 3CXDesktopApp installer hosted on the developer’s website will install the application with two malicious libraries included. The malicious libraries will ultimately run shellcode to load a backdoor on the system that allows actors to install additional malware on the victim machine. Between March 9-30, 2023, we observed activity at 127 Cortex XDR customers that involved the 3CXDesktopApp process attempting to run shellcode, which was blocked by the XDR Agent’s In-process Shellcode Protection Module. Due to blocking the shellcode, we were unable to obtain the secondary payload used in this attack, so we cannot determine its capabilities or any post-exploitation activities carried out by the threat actor. #### Affected Products According to 3CX’s announcement, the supply chain attack involved 3CX’s Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416. #### Playbook Flow **This playbook should be triggered manually or can be configured as a job.** Please create a new incident and choose the 3CXDesktopApp Supply Chain Attack playbook and Rapid Breach Response incident type. **The playbook includes the following tasks:** **Hunting:** - Cortex XDR - XQL hunting queries - Advanced SIEM queries - Splunk - QRadar - Elasticsearch - Azure Log Analytics - Indicators hunting **References:** [Threat Brief: 3CXDesktopApp Supply Chain Attack](https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/) [CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers](https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

3CXDesktopApp Supply Chain Attack · 55 tasks · 8 inputs · 0 outputs

Inputs

  • PlaybookDescription — The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook.
  • autoBlockIndicators — Whether to block the indicators automatically.
  • QRadarTimeRange — The time range to search for indicators in the Threat Hunting - Generic playbook.
  • SplunkEarliestTime — The earliest time to search for indicators in the Threat Hunting - Generic playbook.
  • SplunkLatestTime — The latest time to search for indicators in the Threat Hunting - Generic playbook.
  • XQLTimeRange — The time range for the Cortex XDR XQL query.
  • excludeIndicators — List of indicators to exclude.
  • elasticSearchIndex — The index to search over using elastic query.

Commands used

associateIndicatorsToIncident azure-log-analytics-execute-query closeInvestigation createNewIndicator es-search extractIndicators qradar-search-retrieve-events splunk-search xdr-xql-generic-query

Flowchart

Yes Yes Yes yes yes yes No Yes Start Start Collect Indicators Collect Indicators Collect IoCs from Huntress - ParseHTMLIndicators Collect IoCs from Huntress ParseHTMLIndicators Download Sigma Rules Download Sigma Rules Download Yara rules - HttpV2 Download Yara rules HttpV2 Collect IoCs from CrowdStrike - ParseHTMLIndicators Collect IoCs from CrowdSt... ParseHTMLIndicators Potential Compromised 3CXDesktopApp ICO C2 File Download - HttpV2 Potential Compromised 3CX... HttpV2 Extract Indicators Extract Indicators Extract indicators from collected data - extractIndicators Extract indicators from c... extractIndicators Tag and Link Indicators Tag and Link Indicators Link indicators to incident - associateIndicatorsToIncident Link indicators to incident associateIndicatorsToIncident Tag File indicators - createNewIndicator Tag File indicators createNewIndicator Tag Domain indicators - createNewIndicator Tag Domain indicators createNewIndicator Tag URL indicators - createNewIndicator Tag URL indicators createNewIndicator Set Rapid Breach Response Layout Set Rapid Breach Response... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Threat Hunting Threat Hunting SIEM Advanced Hunting SIEM Advanced Hunting Is Splunk Enabled? Is Splunk Enabled? Is QRadar Enabled? Is QRadar Enabled? Is Elasticsearch Enabled? Is Elasticsearch Enabled? Is Azure Log Analytics Enabled? Is Azure Log Analytics En... Potential Suspicious Child Process Of 3CXDesktopApp - azure-log-analytics-execute-query Potential Suspicious Chil... azure-log-analytics-execute-q... Potential 3CX 3CXDesktopApp Compromise Beaconing Activity - splunk-search Potential 3CX 3CXDesktopA... splunk-search Cortex XDR - XQL Hunting Cortex XDR - XQL Hunting Detect execution of 3cx application "3CXDesktopApp.exe" - xdr-xql-generic-query Detect execution of 3cx a... xdr-xql-generic-query Is Cortex XDR XQL Query Engine Enabled? Is Cortex XDR XQL Query E... Detect network connections to known c2 domains - xdr-xql-generic-query Detect network connection... xdr-xql-generic-query Potential 3CX 3CXDesktopApp Compromise Beaconing Activity - azure-log-analytics-execute-query Potential 3CX 3CXDesktopA... azure-log-analytics-execute-q... Potential Compromised 3CXDesktopApp Activity - azure-log-analytics-execute-query Potential Compromised 3CX... azure-log-analytics-execute-q... Potential Compromised 3CXDesktopApp Activity - splunk-search Potential Compromised 3CX... splunk-search Potential Suspicious Child Process Of 3CXDesktopApp - splunk-search Potential Suspicious Chil... splunk-search Potential Suspicious Child Process Of 3CXDesktopApp - es-search Potential Suspicious Chil... es-search Potential Compromised 3CXDesktopApp Activity - es-search Potential Compromised 3CX... es-search Potential 3CX 3CXDesktopApp Compromise Beaconing Activity - es-search Potential 3CX 3CXDesktopA... es-search Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Should block indicators automatically? Should block indicators a... Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3 Handle indicators manually Handle indicators manually Remediation Remediation Indicators Hunting Indicators Hunting Investigate further Investigate further Done Done Should continue with the investigation? Should continue with the ... Resolution Resolution Close investigation - closeInvestigation Close investigation closeInvestigation Mitigation Mitigation Deploy Yara rules Deploy Yara rules Deploy Sigma rules Deploy Sigma rules Collect IoCs from Unit42 - ParseHTMLIndicators Collect IoCs from Unit42 ParseHTMLIndicators Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy - HttpV2 Potential Compromised 3CX... HttpV2 Download Yara Rules Download Yara Rules qradar-search-retrieve-events - qradar-search-retrieve-events qradar-search-retrieve-ev... qradar-search-retrieve-events qradar-search-retrieve-events - qradar-search-retrieve-events qradar-search-retrieve-ev... qradar-search-retrieve-events qradar-search-retrieve-events - qradar-search-retrieve-events qradar-search-retrieve-ev... qradar-search-retrieve-events