3CX Supply Chain Attack Network Indicators

Name:3CX Supply Chain Attack Network Indicators
id:791b727c-deec-4fbe-a732-756131b3c5a1
version:3
date:2024-10-17
author:Michael Haag, Splunk
status:experimental
type:TTP
Description:The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.
Data_source:

• -Sysmon EventID 22

search:| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query
| `drop_dm_object_name(DNS)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC
| search isIOC=true
| `3cx_supply_chain_attack_network_indicators_filter`

how_to_implement:To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed.
known_false_positives:False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed.
References:
  -https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
  -https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp
  -https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
  -https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898
  -https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/
drilldown_searches:
  :
tags:
  analytic_story:
    - '3CX Supply Chain Attack'
  asset_type:Network
  confidence:100
  cve:
    - 'CVE-2023-29059'
  impact:100
  message:Indicators related to 3CX supply chain attack have been identified on $src$.
  mitre_attack_id:
    - 'T1195.002'
  observable:
    name:'src'
    type:'Hostname'
    - role:
      - 'Victim'
    name:'query'
    type:'URL String'
    - role:
      - 'Attacker'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - 'DNS.src'
    - 'DNS.query'
    - '_time'
  risk_score:100
  security_domain:network

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log
  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  sourcetype: XmlWinEventLog
manual_test:None