CrowdStrike’s Falcon to the Rescue – Safeguarding Systems from Active Intrusions 

Blog Reading Time 4 Min Read
/
May 19, 2023
/
By: Ravindu Lakmina

Introduction 

In today’s interconnected business environment, cyberattacks, and threats can pose a significant risk to organizational security. These attacks can target a company’s sensitive data, financial resources, and reputation, causing irreparable damage. 

The popular desktop software 3CX was compromised by threat actors in the supply chain of the software delivered to millions of customers through software updates that also led to large-scale cyber-attacks. 

Cyberattacks on organizations can come in many forms, such as ransomware attacks, where hackers lock down a company’s systems and demand payment for their release, or phishing attacks, where malicious actors send emails posing as legitimate sources to trick employees into disclosing sensitive information. Insider threats are also a concern, where employees or contractors with authorized access to the company’s systems intentionally or unintentionally cause harm to the organization. 

The consequences of a successful cyber-attack on an organization can be severe. They can result in the loss of critical data, disruption of operations, financial loss, and reputational damage. Such incidents can even lead to legal and regulatory consequences. 

To protect against these threats, organizations must take proactive steps to secure their systems and networks. This includes implementing robust cybersecurity measures, such as firewalls, intrusion detection and prevention systems, and regular security audits. It is also essential to establish policies and procedures to ensure that employees are trained to identify and report suspicious activity promptly. 

In addition, supply chain assaults pose significant challenges for cybersecurity experts, as they regularly include advanced strategies and exploit different attack vectors to evade detection. 

Within the case of the 3CX Desktop App interruption, the exploitation of zero-day vulnerability highlighted the requirement for proactive security measures, including vulnerability management, patch management, and threat intelligence, to recognize and mitigate developing dangers that can be discovered and abused by malicious actors before the vendor does. 

What are Supply Chain Attacks? 

Supply chain attacks in cybersecurity refer to a type of cyber-attack that targets the software or hardware supply chain with the goal of compromising a larger organization or system that relies on that supply chain. 

These attacks can occur at any point in the supply chain, from hardware components to software applications, and they can take various forms. For example, attackers may insert malicious code into legitimate software or firmware updates, compromise a vendor’s development environment to inject malware into the code or intercept and modify shipments of hardware or software. 

Supply chain attacks are particularly concerning because they can have far-reaching and long-lasting impacts, as they can compromise many organizations and individuals who use the affected products or services. They can also be difficult to detect and mitigate, as the attack may occur at a point in the supply chain that is outside the control of the targeted organization. 

Recent high-profile examples of supply chain attacks include the 3CX Desktop App attack in 2023, which impacted numerous companies and organizations, and the Kaseya ransomware attack in 2021, which affected hundreds of businesses worldwide. 

3CX Desktop App Intrusion 

The 3CX application is software for private automatic branch exchange (PABX) that offers various communication features to its users, such as call management, live chat, and video conferencing. It can be accessed on numerous operating systems, including macOS, Windows, and Linux. Moreover, it also has a mobile app version that is compatible with both iOS and Android devices. Users can also access the software through their browsers using a Chrome extension and the PWA version of the client. 

A hacked version of the 3CX desktop program is said to be the first step in a multi-stage assault chain. According to the initial investigation, the MSI package, which Trend Micro identified as Trojan.Win64. DEEFFACE.A and Trojan.Win64.DEEFFACE.SMA, is the one that might have included trojanized DLLs because the.exe file also goes by that name. 

The first step in the infection chain is the loading of ffmpeg.dll by 3CXDesktopApp.exe, which is flagged as Trojan.Win64. DEEFFACE.A and Trojan.Win64.DEEFFACE.SMA. The encrypted code from d3dcompiler_47.dll (identified as Trojan.Win64. DEEFACE.A and Trojan.Win64. DEEFACE.SMD3D) is then read and decrypted by ffmpeg.dll. 

CrowdStrike identified a malicious activity of the 3CX Desktop app with CrowdStrike Falcon Platform on 29th March 2023. With the help of behavioral based IOAs, CrowdStrike identified the malicious activity at the first attempt. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and in a small number of cases, hands-on-keyboard activity. CrowdStrike reported that a nation state threat actor named LABYRINTH CHOLLIMA is suspected of this supply chain attack.  

Customers are protected from this assault by the CrowdStrike Falcon platform, which includes behavior-based indicators of attack (IOAs) and indicators of compromise (IOCs) based detections that target 3CX-related harmful behaviors on both macOS and Windows. Customers should make sure that Suspicious Processes are enabled and that preventive policies are properly configured. 

Falcon Spotlight customers can search for CVE-2023-3CX to identify vulnerable versions of 3CX software. Spotlight will automatically highlight this vulnerability in your vulnerability feed. 

If possible, organizations that could be impacted should stop using the vulnerable version while applying any patches or mitigation workarounds that are available. Additionally, with a focus on C&C traffic, IT and security teams should scan for confirmed compromised binaries and builds and keep an eye out for odd behavior in 3CX processes. While this is happening, enabling behavioral monitoring in security products can aid in identifying the attack’s presence within the system. 

What is CrowdStrike and how can it help you protect from Cyber Attacks? 

CrowdStrike is a global cybersecurity leader with an advanced cloud-native platform for protecting endpoints, cloud workloads, identities, and data. They offer a wide range of cyber security solutions to protect endpoints worldwide. With its enhanced endpoint security solution portfolio, CrowdStrike offers best-in-class XDR, EDR, next-generation AV, device control, and firewall management by utilizing cloud-scale AI and deep link analytics. CrowdStrike’s services focus on proactive and incident response services. 

By providing valuable context on the who, what, and how of a security alert, CrowdStrike’s threat intel provides advanced protection and supports an adversary-focused approach to security. Threat intelligence from CrowdStrike Falcon® is included in all Falcon modules and made available as part of ongoing risk scoring, attack attribution, and tools to explore the threat more thoroughly through malware search and analysis. 

It is always important to monitor and detect real time security incidents in your organization to avoid critical cyber-attacks. Building a strong security posture helps to understand the current state of the security measures of the organization. 

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.