
3CX Supply Chain Attack Networ


THIS IS AN EXPERIMENTAL DETECT:

This detection has been marked experimental by the Splunk Threat Research team. This means we have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.

Description:

The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.
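The matching logic the description outlines, written here as an added Python example rather than the Splunk analytic itself (the page gives no search query). The watchlist domains are constructed placeholders, since the page names no indicators, and the event fields (src, query, _time) are assumed to mirror the Network_Resolution datamodel; the normalization and subdomain handling are the parts a practitioner most often gets wrong.

```python
"""Match DNS resolution events against a supply-chain-campaign domain watchlist."""
from collections import defaultdict

# Constructed placeholder watchlist: the page lists no domains, so these are
# obviously fake values standing in for the campaign indicators.
WATCHLIST = {
    "placeholder-3cx-c2-a.invalid",
    "placeholder-3cx-c2-b.invalid",
}

# Constructed sample events shaped like Network_Resolution fields
# (DNS.src, DNS.query, _time). Not real telemetry.
EVENTS = [
    {"_time": 1680134400, "src": "10.1.2.3", "query": "Placeholder-3CX-C2-A.invalid."},
    {"_time": 1680134460, "src": "10.1.2.3", "query": "cdn.placeholder-3cx-c2-a.invalid"},
    {"_time": 1680134520, "src": "10.1.2.9", "query": "www.example.com"},
    {"_time": 1680134580, "src": "10.1.2.7", "query": "placeholder-3cx-c2-b.invalid"},
]

def normalize(name):
    """Lowercase and strip the trailing root dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")

def matches_watchlist(query, watchlist=WATCHLIST):
    """Return the matched indicator if the query is the domain or a subdomain of it.
    The leading dot in the suffix test prevents 'evil-<ioc>' from matching."""
    q = normalize(query)
    for ioc in watchlist:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None

def detect(events, watchlist=WATCHLIST):
    """Group hits by source host: count, first/last seen, distinct queries,
    the same shape as a stats count min(_time) max(_time) values(query) by src."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "queries": set()})
    for ev in events:
        if matches_watchlist(ev["query"], watchlist) is None:
            continue
        h = hits[ev["src"]]
        t = ev["_time"]
        h["count"] += 1
        h["first"] = t if h["first"] is None else min(h["first"], t)
        h["last"] = t if h["last"] is None else max(h["last"], t)
        h["queries"].add(normalize(ev["query"]))
    return dict(hits)

if __name__ == "__main__":
    for src, h in sorted(detect(EVENTS).items()):
        print(src, h["count"], h["first"], h["last"], sorted(h["queries"]))
```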

Type: TTP

Product: Splunk Enterprise, Splunk

Datamodel: Network_Resolution

Lastupdated: 2024-05-21

Author: Michael Haag, Splunk

ID: 791b727c-deec-4fbe-a732-756131

Annotations

==> ATT&CK: T1195.002, Compromise Software

==> KILL CHAIN PHASE: Delivery

==> NIST: DE.CM

==> CIS20: CIS 13

==> CVE: None

SEARCH QUERY: None

REFERENCE:

https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp

https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/

TAGS: Compromise Software Supply

CATEGORIES: Endpoint

Updated: 2024-05-21
