Recommendations and Lessons Learned from the 3CX Attack (2023)
TL;DR
Following the supply chain attack on 3CX detected in late March 2023, use the links below to determine the appropriate response actions, to tell whether your environment was affected, and to find mitigation and prevention advice.
========================
Getting Started
If you use 3CX software within your organisation and have not already done so, follow the advice in the 3CX advisories listed below. Depending upon the size of your environment, you may have a small group of systems to remediate or many systems across your organisation:
In summary, you will be removing the 3CX Electron Desktop Application (if in use), switching to the 3CX progressive web app, checking your environment with your anti-malware and EDR solutions for signs of compromise, and remediating any compromised systems:
========================
Checking for signs of compromise
Use your EDR solutions and a SIEM (if available) to search for the IOCs listed in the following links, isolating and cleaning any systems found to be compromised.
Monitor your systems using your EDR, SIEM and IPS to look for, and act upon, suspicious events such as data exfiltration attempts or attempts to connect to known unsafe sites or IP addresses:
Indicators of Compromise (IOCs)
IOCs specific to the Gopuram malware
YARA rules (for malware detection)
Threat hunting information specific to Sophos XDR
========================
Further recommendations
1. Consider deploying the opt-in Microsoft fix for the vulnerability leveraged in the 3CX attack, CVE-2013-3900. Recently upgraded systems should also be checked to verify this fix is in place. Symantec and other sources note that the fix is not suitable for all systems and environments, but it should still be employed where possible. Although it would not have prevented the 3CX compromise, it would have made detection simpler; the fix is not perfect, but it is a step in the right direction.
2. Once you are certain your environment is free of malware from this attack, and if your organisation develops software, consider checking your software supply chain to verify that every part of it is secure.
3. If you use open source components in your software, consider creating a software bill of materials. Should any component be affected by a vulnerability in the future, it will show which of your software is built from that component and help you respond faster to any potential compromise.
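As an added example that is not part of the original article: a PowerShell script that audits whether the opt-in CVE-2013-3900 fix from item 1 is in place on a Windows host and, with -Apply, sets it. The registry paths and the REG_SZ value of "1" are those published in Microsoft's MS13-098 advisory; the -Apply switch and the output labels are this script's own.

```powershell
# Added example (not from the original article): audit, and optionally apply,
# the opt-in CVE-2013-3900 Authenticode padding check from Microsoft advisory
# MS13-098. Run in an elevated PowerShell session on the host being checked.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

# Both paths are documented by Microsoft; the Wow6432Node path exists only on 64-bit Windows
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)
$valueName = 'EnableCertPaddingCheck'

foreach ($path in $paths) {
    # Skip the Wow6432Node path on 32-bit Windows, where it does not exist
    if ($path -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }

    $current = $null
    if (Test-Path $path) {
        $current = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }

    if ($current -eq '1') {
        Write-Output "[OK]      $path : $valueName = 1 (padding check enforced)"
        continue
    }

    Write-Output "[MISSING] $path : $valueName is '$current' (padding check not enforced)"

    if ($Apply) {
        # Microsoft specifies a REG_SZ (string) value of "1", not a DWORD
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $valueName -Value '1' -PropertyType String -Force | Out-Null
        Write-Output "[SET]     $path : $valueName = 1"
    }
}
```

Because the check rejects binaries whose Authenticode signature carries non-standard padding, run the audit-only mode first and test your vendors' signed installers on a pilot group before applying the change fleet-wide.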
Thank you.
========================
References
Very detailed and instructive post. Didn't see yet articles providing a list of software impacted by the registry key to add to remediate CVE-2013-3900. Seems also Microsoft is not yet providing detection for this CVE through MDE. I guess they're worried about having to explain that this 10-year-old CVE impacts all Windows systems - so it becomes the top 1 vulnerability - and the registry key suggested will block some popular software.
Fantastic write-up James Collins - always enjoyed your first-hand threat intel updates and, as is echoed by so many, well done