CTI Flash Briefing: CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers

James Beal
Published in Hunter Strategy
Mar 29, 2023

Breakdown

Anyone using 3CXDesktopApp, the softphone application from 3CX, should monitor their systems for anomalous activity. We also recommend following the threat hunting process from CrowdStrike’s Reddit post on this event. If you are not a CrowdStrike customer and do not have their toolset, you can still use your own security tools to search for the listed Indicators of Compromise.

Overview

CrowdStrike posted on Reddit earlier this morning that they are tracking malicious activity from the 3CXDesktopApp in their threat monitoring systems. This is still a developing event, but they wanted to warn the community as soon as possible in case anyone is seeing malicious activity on their organization’s IT systems.

CrowdStrike’s blog details:

On March 29, 2023, Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp — a softphone application from 3CX. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.

The 3CXDesktopApp is available for Windows, macOS, Linux, and mobile. At time of writing, activity has been observed on both Windows and macOS.

This is a dynamic situation and updates will be provided here as they become available. CrowdStrike’s Intelligence Team is in contact with 3CX. There is suspected nation-state involvement by the threat actor LABYRINTH CHOLLIMA.

The article covers all the detection and prevention details needed to threat hunt for this in your own environment. It also links to their support portal if you are a customer in need of assistance.

At the bottom, it also links to further details on the APT group potentially behind this attack, which CrowdStrike refers to as LABYRINTH CHOLLIMA. Those links require customer portal access; please refer to this blog if you are not a current customer.

CrowdStrike Recommendations

Current recommendations from CrowdStrike’s team:

1. Locate the presence of 3CXDesktopApp software in your environment by using the queries outlined above.

2. Ensure Falcon is deployed to applicable systems.

3. Ensure “Suspicious Processes” is enabled in applicable Prevention Policies.

4. Hunt for historical presence of atomic indicators in third-party tooling (if available).

Conclusion

If you are a SOC customer, our SOC Analysts will be happy to assist in determining the best steps for researching this threat. If you have any questions about this ongoing event or need any level of security assistance, please reach out to Hunter Strategy and we will be happy to discuss next steps and securing your IT systems!

Contact Us

contact@hunterstrategy.net


Written by James Beal

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.