CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers News
02.11.2023
Cisco acquires Splunk, but how do you convince Splunk customers that Cisco has advantages
01.11.2023
CrowdStrike provides 100% coverage according to the MITRE Engenuity ATT&CK® Evaluations: round 5
31.10.2023
Top 20 Shocking Data Breach Statistics for 2023
06.09.2023
Adversaries Can “Log In with Microsoft” through the nOAuth Azure Active Directory Vulnerability
06.09.2023
iIT Distribution is the official distributor of LogRhythm!
31.08.2023
Instant replication with NAKIVO Backup & Replication v10.10 Beta
03.08.2023
Effective communication: Email vs. Instant Messaging?
25.07.2023
Infinidat Expands Support for Hybrid Cloud Storage Deployments with InfuzeOS Cloud Edition
14.07.2023
Falcon Insight for ChromeOS: The Industry’s First Native XDR Offering for ChromeOS
03.06.2023
Opening new horizons: iIT Distribution is the official distributor of Gatewatcher
13.05.2023
Another revolution in cybersecurity from CrowdStrike: top 5 important things to know about Managed XDR (MXDR)
09.05.2023
GTB Technologies is the best solution in the DLP industry
04.04.2023
CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
24.03.2023
Labyrinth Deception Platform v2.0.51: Release notes
23.03.2023
SIEM vs Log Management Systems: What you need to know before choosing
15.03.2023
CrowdStrike Falcon Named the Winner of the 2022 AV-TEST Award for Best MacOS Security Product
10.03.2023
CrowdStrike 2023 Global Threat Report: Resilient Businesses Fight Relentless Adversaries
10.03.2023
Threema Work App Update: Encrypted Group Calls Are Now Available on Android Devices
28.02.2023
CrowdStrike Ranked #1 in the IDC Worldwide Endpoint Security Market Shares Report for Third Time in a Row
21.02.2023
Picus Red Report 2023: The Top 10 Most Prevalent MITRE ATT&CK Techniques Used by Attackers
14.02.2023
On leadership in the sphere of high-end unified storage: An exclusive interview with Phil Bullinger, CEO of Infinidat
11.02.2023
Securing PostgreSQL from Cryptojacking Campaigns in Kubernetes
30.01.2023
What's New in NAKIVO Backup & Replication v10.8: Release Overview
16.01.2023
Success Story: Georgian Bank Achieves 100% Backup Success Rate with NAKIVO
12.01.2023
CrowdStrike Named a Leader in Frost & Sullivan’s 2022 Frost Radar for Cyber Threat Intelligence
12.12.2022
DDoS Attack Prevention and DDoS Protection Best Practices
21.11.2022
How Hackers Can Bypass Multi-Factor Authentication
08.11.2022
CrowdStrike Achieves Red Hat OpenShift Certification: Streamlining Visibility and Automating Protection for OpenShift
03.11.2022
Infinidat Recognized as a Leader in Gartner Magic Quadrant for Primary Storage – 5th Year in a Row
19.10.2022
New version of NetBrain Release 11: the key to reducing the cost of NetOps
13.10.2022
With security revenue surging, CrowdStrike wants to be a broader enterprise IT player
05.10.2022
CrowdStrike Announced the Acquisition of Reposify to Bolster Visibility and Reduce Risk Exposure of External Assets
22.09.2022
Kubernetes против Docker: в чем между ними разница?
16.09.2022
Infinidat расширяет функции NVMe/TCP для сред VMware
15.09.2022
Новые возможности InfiniBox от Infinidat: vVols репликация для VMware сред
02.09.2022
Индикаторы атак на основе искусственного интеллекта позволяют максимально быстро прогнозировать и останавливать угрозы
03.08.2022
Истории с Dark Web: Отслеживание подпольной экономики eCrime улучшает эффективность киберзащиты
22.07.2022
Развитие ботнетов и DDoS-атак
15.07.2022
Lookout обнаружила шпионское ПО для Android, развернутое в Казахстане
11.07.2022
Выявление и смягчение атак NTLM-ретрансляции, нацеленных на контроллеры домена Microsoft
20.06.2022
Что такое демократизация данных?
07.06.2022
Неизменные резервные копии: что вам нужно знать, чтобы защитить свои данные
22.05.2022
Украинские Киберактивисты Использовали Скомпрометированные Docker Honeypots Для Антироссийских Dos-Атак
06.05.2022
ЧТО НОВОГО В LABYRINTH DECEPTION PLATFORM: РЕЛИЗ 2.0.32
22.04.2022
PALO ALTO NETWORKS проинформировала об уязвимостях, которые могут разрешить злоумышленникам отключить платформу CORTEX XDR
15.04.2022
INSPUR ВТОРОЙ ГОД ПОДРЯД СТАНОВИТСЯ ОБРАЗЦОВЫМ ПОСТАВЩИКОМ CLOUD-OPTIMIZED ОБОРУДОВАНИЯ ПО ВЕРСИИ GARTNER HYPE CYCLE
08.10.2020
Intelligent IT Distribution взяла участь у Третьому щорічному Міжнародному Форумі «Кібербезпека - Захистимо Бізнес, Захистимо Держава»
29.09.2020
iITD - партнер форуму “Кібербезпека - захистимо бізнес, захистимо державу” 2020
24.09.2020
Компанія IIT Distribution отримала статус дистриб’ютора рішень NetBrain Technologies на території України
28.08.2020
Fal.Con 2020 від CrowdStrike
25.08.2020
Дотримання норм страхування кіберризиків
25.08.2020
Автоматично блокуйте скомпрометовані облікові записи з Lepide Active Directory Self Service 20.1
25.08.2020
Компанія Cossack Labs запрошує відвідати NoNameCon
22.07.2020
Підписання дистриб’юторської угоди з компанією Safe-T
21.07.2020
Міжнародна конференція: "Online Banking - Час інновацій!"
18.06.2020
Глобальний звіт про кіберзагрози 2020
11.06.2020
Четвер, 25 червня 2020 року. Не пропустіть!
05.05.2020
Анонс: нова версія Acra Enterprise забезпечує підвищену гнучкість для високонавантажених систем
13.04.2020
Lepide Remote Worker Monitoring Pack - легка платформа безпеки, яка гарантує негайний захист даних бізнесу протягом непередбаченого періоду віддаленої роботи.
12.04.2020
Забезпечення кібербезпеки для віддалених користувачів
08.04.2020
Labyrinth Technologies пропонує скористатися спеціальною пропозицією - ліцензія на 12 місяців за ціною 6 місяців.
07.04.2020
«CrowdStrike: дистанційна робота та ІТ-безпеку за часів кризи - скорочена ліцензійна програма на 3-6 місяців».
23.03.2020
Компанія iIT Distribution отримала статус дистриб’ютора рішень RedSeal Networks на території України.
23.03.2020
Компанія iIT Distribution отримала статус дистриб’ютора рішень Lepide на території України.
16.03.2020
Компанія iIT Distribution починає дистрибуцію рішень CrowdStrike на території України.
19.02.2020
20 лютого у Києві відбудеться щорічна конференція CISO DX DAY 2020
18.02.2020
Компанія iIT Distribution отримала статус дистриб’ютора рішень Instana на території України.
17.02.2020
Exabeam Security Intelligence Platform допомагає
On March 29, 2023, CrowdStrike observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp — a softphone application from 3CX. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.
The CrowdStrike Falcon® platform has behavioral preventions and atomic indicator detections targeting the abuse of 3CXDesktopApp. In addition, CrowdStrike® Falcon OverWatch™ helps customers stay vigilant against hands-on-keyboard activity.
The 3CXDesktopApp is available for Windows, macOS, Linux and mobile. At this time, activity has been observed on both Windows and macOS.
CrowdStrike Intelligence has assessed there is suspected nation-state involvement by the threat actor LABYRINTH CHOLLIMA. CrowdStrike Intelligence customers received an alert this morning on this active intrusion.
CrowdStrike Falcon Detection and Protection
The CrowdStrike Falcon platform protects customers from this attack and has coverage utilizing behavior-based indicators of attack (IOAs) and indicators of compromise (IOCs) based detections targeting malicious behaviors associated with 3CX on both macOS and Windows.
Customers should ensure that prevention policies are properly configured with Suspicious Processes enabled.
Figure 1. CrowdStrike’s indicator of attack (IOA) identifies and blocks the malicious behavior in macOS
Figure 2. CrowdStrike’s indicator of attack (IOA) identifies and blocks the malicious behavior in Windows
Hunting in the CrowdStrike Falcon Platform
Falcon Discover
CrowdStrike Falcon® Discover customers can use the following link: US-1 | US-2 | EU-1 | US-GOV-1 to look for the presence of 3CXDesktopApp in their environment.
Falcon Insight customers can assess if the 3CXDesktopApp is running in their environment with the following query:
Event Search — Application Search
event_simpleName IN (PeVersionInfo, ProcessRollup2) FileName IN ("3CXDesktopApp.exe", "3CX Desktop App")
| stats dc(aid) as endpointCount by event_platform, FileName, SHA256HashData
Falcon Long Term Repository — Application Search
#event_simpleName=/^(PeVersionInfo|ProcessRollup2)$/ AND (event_platform=Win ImageFileName=/\\3CXDesktopApp\.exe$/i) OR (event_platform=Mac ImageFileName=/\/3CX\sDesktop\sApp/i)| ImageFileName = /.+(\\|\/)(?.+)$/i| groupBy([event_platform, FileName, SHA256HashData], function=count(aid, distinct=true, as=endpointCount))
Atomic Indicators
The following domains have been observed beaconing, which should be considered an indication of malicious intent.
akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
dunamistrd[.]com
glcloudservice[.]com
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
visualstudiofactory[.]com
zacharryblogs[.]com
CrowdStrike Falcon® Insight customers, regardless of retention period, can search for the presence of these domains in their environment spanning back one year using Indicator Graph: US-1 | US-2 | EU-1 | US-GOV-1.
Event Search — Domain Search
event_simpleName=DnsRequest DomainName IN (akamaicontainer.com, akamaitechcloudservices.com, azuredeploystore.com, azureonlinecloud.com, azureonlinestorage.com, dunamistrd.com, glcloudservice.com, journalide.org, msedgepackageinfo.com, msstorageazure.com, msstorageboxes.com, officeaddons.com, officestoragebox.com, pbxcloudeservices.com, pbxphonenetwork.com, pbxsources.com, qwepoi123098.com, sbmsa.wiki, sourceslabs.com, visualstudiofactory.com, zacharryblogs.com)| stats dc(aid) as endpointCount, earliest(ContextTimeStamp_decimal) as firstSeen, latest(ContextTimeStamp_decimal) as lastSeen by DomainName| convert ctime(firstSeen) ctime(lastSeen)
Falcon LTR — Domain Search
#event_simpleName=DnsRequest| in(DomainName, values=[akamaicontainer.com, akamaitechcloudservices.com, azuredeploystore.com, azureonlinecloud.com, azureonlinestorage.com, dunamistrd.com, glcloudservice.com, journalide.org, msedgepackageinfo.com, msstorageazure.com, msstorageboxes.com, officeaddons.com, officestoragebox.com, pbxcloudeservices.com, pbxphonenetwork.com, pbxsources.com, qwepoi123098.com, sbmsa.wiki, sourceslabs.com, visualstudiofactory.com, zacharryblogs.com])| groupBy([DomainName], function=([count(aid, distinct=true, as=endpointCount), min(ContextTimeStamp, as=firstSeen), max(ContextTimeStamp, as=lastSeen)]))| firstSeen := firstSeen * 1000 | formatTime(format="%F %T.%L", field=firstSeen, as="firstSeen")| lastSeen := lastSeen * 1000 | formatTime(format="%F %T.%L", field=lastSeen, as="lastSeen")| sort(endpointCount, order=desc)
File Details
| SHA256 | Operating System | Installer SHA256 | Filename |
|---|---|---|---|
| dde03348075512796241389dfea5560c20 a3d2a2eac95c894e7bbed5e85a0acc | Windows | aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a 8edcf9be345823b4fdcf5d868 | 3cxdesktopapp-18.12.407.msi |
| fad482ded2e25ce9e1dd3d3ecc3227af714b dfbbde04347dbc1b21d6a3670405 | Windows | 59e1edf4d82fae4978e97512b0331b7eb21dd4 b838b850ba46794d9c7a2c0983 | 3cxdesktopapp-18.12.416.msi |
| 92005051ae314d61074ed94a52e76b1c3e21 e7f0e8c1d1fdd497a006ce45fa61 | macOS | 5407cda7d3a75e7b1e030b1f33337a56f29357 8ffa8b3ae19c671051ed314290 | 3CXDesktopApp-18.11.1213.dmg |
| b86c695822013483fa4e2dfdf712c5ee777d7 b99cbad8c2fa2274b133481eadb | macOS | e6bbc33815b9f20b0cf832d7401dd893fbc467 c800728b5891336706da0dbcec | 3cxdesktopapp-latest.dmg |
Recommendations
The current recommendation for all CrowdStrike customers is:
- Locate the presence of 3CXDesktopApp software in your environment by using the queries outlined above.
- Ensure Falcon is deployed to applicable systems.
- Ensure “Suspicious Processes” is enabled in applicable Prevention Policies.
- Hunt for historical presence of atomic indicators in third-party tooling (if available).
UPDATE
After review and reverse engineering by the CrowdStrike Intelligence team, the signed MSI (aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868) is malicious.
The MSI will drop three files, with the primary fulcrum being the compromised binary ffmpeg.dll (7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896).
Once active, the HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023 campaign attributed with high confidence to DPRK-nexus threat actor LABYRINTH CHOLLIMA.
All Falcon customers can view our actor profile on LABYRINTH CHOLLIMA (US-1 | US-2 | EU-1 | US-GOV-1)
CrowdStrike recommends removing the 3CX software from endpoints until advised by the vendor that future installers and builds are safe.
Falcon Spotlight customers can search for CVE-2023-3CX to identify vulnerable versions of 3CX software. Spotlight will automatically highlight this vulnerability in your vulnerability feed.
iIT Distribution is the official distributor of CrowdStrike solutions. Our partners, clients, and organizations of all sizes can get access to highly effective CrowdStrike products by requesting a trial version on our website. Stay safe and secure!
Back
Russian 
English