Shielding a regional bank from a cyber attack

Home
Solutions

Technology
Powering the future of wealth with enterprise platform solutions that address complex business challenges

Operations
Achieving operational excellence with business process outsourcing and data management that help clients improve efficiency and performance

Asset management
Connecting investors to what matters most, so they can achieve their goals and make confident decisions

Featured
Insights

Corporate insights
Perspectives and happenings from our leaders and experts

Newsroom
The latest news and announcements

Featured
Investor relations

Overview
The latest financial information for shareholders

Events and webcasts
Timely shareholder announcements and event information

Governance

Reports and filings

Stock information

Board diversity matrix

Featured
Discover SEI ^®

Our story
Who we are, what we do, and how we do it.

Our commitment
Building brave futures through the power of connection.

Our leadership team

Newsroom

Careers

Featured

November 8, 2023

3 MIN READ

Client profile

Award-winning, locally owned bank with six locations
Over $800 million in assets
More than 130 employees; a small IT staff
Partners with SEI Sphere for cybersecurity and cloud services

Initial inquiry

On March 29, 2023, the client submitted a ticket inquiring about a potential supply chain compromise via a routine update in 3CX, a softphone application utilized by their bank.

Good to know: A supply chain attack leverages a trusted outside business, such as a vendor or partner, to infiltrate a company’s network.

A thorough approach

On March 30, 2023, SEI Sphere’s security team investigated the incident using shared intelligence from our endpoint security tool and other open-source intelligence.¹ The investigation confirmed malicious activity from the 3CXDesktopApp, including beaconing to actor-controlled infrastructure, deployment of payloads, and, in some cases, hands-on-keyboard activity.

We immediately ran command and control (C2) indicators and hash values (numerical values that uniquely identify data) through our custom-built security information and event management (SIEM) tool to determine if any were observed in our clients’ environments, and one hash indicator matched. SEI Sphere security staff working earlier that morning in India had already added C2 domains. We also added the values to our firewall block list to prevent outbound communication for all clients.
We ran recommended threat-hunting queries in event search to validate the full extent of this application in client environments.
We discovered additional C2 indicators not originally reported by our endpoint security tool from our community of open-source intelligence channels and added these to our SIEM and proxy blocks.
To further investigate the attack, we downloaded malicious executables and ran them in a lab environment in an attempt to follow the attack from execution to compromise. This was not successful, as the attack appeared to be targeted toward specific entities.

A strong position

By adding these indicators to our SIEM, we can see and block any future hits to the associated C2 domains via endpoint detection and observation of all proxy logs. Additionally, we added malicious hash values to our endpoint security tool to assist in preventing execution and further compromise from the known executables associated with this attack. Finally, we added a block in our endpoint security tool for the base 3CX executable to help prevent any file with this name from executing, regardless of hash value or folder location.

Common attack, targeted plan

As businesses grow, so does reliance on outside providers, and so too does vulnerability to third-party attacks like this one. In a time when crafted attacks toward handpicked organizations are becoming the norm, it's important to have a cybersecurity provider who performs comprehensive, timely work with every inquiry. SEI Sphere defends our clients from targeted supply chain attacks, and we can do the same for you.

¹SEI Sphere uses CrowdStrike's endpoint protection solution for its cybersecurity program

CrowdStrike is not affiliated with SEI or its subsidiaries.

Explore our solutions

See what SEI Sphere has to offer.

Take a look

Let's connect

Learn more about how we can help enhance your cybersecurity posture.