Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Automated Rapid Response to 3CXDesktopApp Supply Chain Attack

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Community Team Member

Automated Rapid Response 3CXDesktopApp.jpg

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

This blog was written by Jane Goh

 

3CXDesktopApp Supply Chain Attack Rapid Response

 

A supply chain attack involving a software-based phone application called 3CXDesktopApp hit at the end of March.

The 3CXDesktopApp attack, first reported by CrowdStrike on March 29, 2023, was quickly investigated by Unit 42 the next day. Unit 42 discovered the 3CXDesktopApp installer hosted on the developer’s website installed the application with two malicious libraries. The malicious libraries ultimately run shellcode to load a backdoor on the system that allows actors to install additional malware on the victim machine. Please refer to this Unit 42 Threat Brief for more details on the threat and the latest Palo Alto Network protections summaries.

 

This Playbook of the Week blog will focus on automated response actions you can leverage using XSOAR. XSOAR can help you orchestrate response for incidents related to this attack across your EDR, XDR, SIEMs, and threat intelligence sources.  The 3CXDesktopApp Supply Chain Attack playbook can be triggered manually or as a scheduled job. 

 

What it Does

 

This playbook automates the process of data enrichment by collecting, extracting, tagging, and linking indicators from various sources such as Unit 42, Huntress and CrowdStrike, and linking them to incidents. It also downloads Sigma and Yara signature rules.

 

Playbook sample: extract, tag, and link indicatorsPlaybook sample: extract, tag, and link indicators

 

Next, the playbook performs automated threat hunting queries looking for detected execution of the 3CX applications, detected network connections to known C2 domains and/or compromised 3CX app activity, across multiple sources including:

  • Cortex XDR
  • Splunk
  • QRadar
  • Elasticsearch
  • PAN-OS
  • Cortex Data Lake
  • ElasticSearch
  • Azure Log Analytics

Playbook sample: Generic and XDR threat huntingPlaybook sample: Generic and XDR threat hunting

 

Playbook sample: SIEM Threat HuntingPlaybook sample: SIEM Threat Hunting

Lastly, you can set the playbook to perform remediation tasks such as blocking indicators automatically, or have the analyst continue to perform further analysis before closing the investigation.

 

Playbook sample: Remediation tasksPlaybook sample: Remediation tasks

 

Learn More

 

Note: We have provided some highlights of the tasks available via this playbook. It does call other sub-playbooks not mentioned in this blog so to get the full scope of the playbook automation workflow, please refer to our Cortex Marketplace content pack documentation. You might also be interested in our series of Rapid Breach response playbooks.

 

Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC.

 

  • 2919 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels