SEI Sphere® dives deep to investigate and defend against the 3CX supply chain compromise.
Shielding a regional bank from a cyber attack
On March 29, 2023, the client submitted a ticket asking about a potential supply chain compromise delivered through a routine update to 3CX, a softphone application used by the bank.
Good to know: A supply chain attack leverages a trusted outside business, such as a vendor or partner, to infiltrate a company’s network.
On March 30, 2023, SEI Sphere’s security team investigated the incident using shared intelligence from our endpoint security tool and other open-source intelligence.[1] The investigation confirmed malicious activity from the 3CXDesktopApp, including beaconing to actor-controlled infrastructure, deployment of payloads, and, in some cases, hands-on-keyboard activity.
By adding these indicators to our SIEM, we can detect any future connection attempts to the associated C2 domains across all of the proxy logs we collect, and block them through endpoint detection. Additionally, we added the malicious hash values to our endpoint security tool to prevent execution of the known executables associated with this attack and limit further compromise. Finally, we added a block in our endpoint security tool for the base 3CX executable, so that any file with this name is prevented from executing regardless of its hash value or folder location.
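The three controls described above (C2 domain watch over proxy logs, a hash block, and a file-name block) are easy to state and easy to get subtly wrong, for example by matching only the exact C2 hostname and missing beacons to a subdomain. The following is an added example, not SEI Sphere's or CrowdStrike's code, that applies the three checks to constructed sample data. The domains, hashes, log format and the file name `3cxdesktopapp.exe` are all assumptions; the real 3CX indicators are deliberately not reproduced here.

```python
"""Added example: apply C2-domain, hash and file-name indicators to
constructed proxy logs and process events. Not vendor code; all IOC
values below are made up stand-ins, not real 3CX indicators."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed indicators (placeholders, not real IOCs).
C2_DOMAINS = {"update-cdn.example.invalid", "telemetry.example.invalid"}
MALICIOUS_SHA256 = {
    "aa" * 32,  # placeholder hash, not a real sample
    "bb" * 32,
}
# Name-based block: fires regardless of hash or directory. The file name
# is an assumption for "the base 3CX executable".
BLOCKED_FILENAMES = {"3cxdesktopapp.exe"}


def domain_matches(host: str, iocs: set[str]) -> bool:
    """True if host is an IOC domain or a subdomain of one.
    Case-insensitive; a trailing dot (FQDN form) is ignored.
    'notexample.invalid' does NOT match 'example.invalid'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


@dataclass
class ProxyHit:
    timestamp: str
    src: str
    dest: str


def scan_proxy_logs(lines: list[str]) -> list[ProxyHit]:
    """Scan constructed proxy log lines of the form
    '<timestamp> <src_ip> <url> <status>' and return one hit per line
    whose destination host matches a C2 domain or subdomain."""
    hits: list[ProxyHit] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than crash the scan
        ts, src, url = parts[0], parts[1], parts[2]
        # urlsplit gives hostname for full URLs; fall back to the raw
        # field when the log carries a bare host name.
        host = urlsplit(url).hostname or url
        if domain_matches(host, C2_DOMAINS):
            hits.append(ProxyHit(ts, src, host))
    return hits


def evaluate_process(path: str, sha256: str) -> str:
    """Verdict an endpoint control would give an execution attempt:
    'block_hash', 'block_name' or 'allow'. The hash check runs first so
    a renamed copy of a known-bad binary is still caught by hash."""
    if sha256.lower() in MALICIOUS_SHA256:
        return "block_hash"
    # Accept both Windows and POSIX separators before taking the basename.
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in BLOCKED_FILENAMES:
        return "block_name"
    return "allow"


# Constructed sample data (not real traffic).
SAMPLE_PROXY_LOG = [
    "2023-03-30T09:12:01Z 10.1.4.22 https://update-cdn.example.invalid/update.xml 200",
    "2023-03-30T09:12:05Z 10.1.4.22 https://www.microsoft.com/ 200",
    "2023-03-30T09:13:40Z 10.1.4.37 https://cdn.telemetry.example.invalid:443/beacon 404",
    "bad line",
]

if __name__ == "__main__":
    for hit in scan_proxy_logs(SAMPLE_PROXY_LOG):
        print(f"C2 hit: {hit.timestamp} {hit.src} -> {hit.dest}")
    print(evaluate_process(r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe", "cc" * 32))
    print(evaluate_process(r"C:\Users\alice\Downloads\renamed.exe", "AA" * 32))
```

Two points the example makes explicit: the domain check must cover subdomains, because a beacon to a host under the C2 domain is still a hit, and the name-based block is deliberately blunt. It stops clean builds of the application as well as trojanized ones and is bypassed by a simple rename, which is why it is only useful alongside the hash and domain indicators rather than on its own.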
As businesses grow, so does reliance on outside providers, and so too does vulnerability to third-party attacks like this one. In a time when crafted attacks toward handpicked organizations are becoming the norm, it's important to have a cybersecurity provider who performs comprehensive, timely work with every inquiry. SEI Sphere defends our clients from targeted supply chain attacks, and we can do the same for you.
[1] SEI Sphere uses CrowdStrike's endpoint protection solution for its cybersecurity program. CrowdStrike is not affiliated with SEI or its subsidiaries.