A few weeks ago, I witnessed a significant cybersecurity incident: the 3CX Supply Chain attack. 3CX is a global communications software provider that offers voice and video calling solutions for businesses and has a substantial customer base, with more than 600,000 customers and 12 million users in 190 countries. While I won't divulge specific details about my company or job title, I was responsible for monitoring the infection across multiple organizations and delving into the issue when SentinelOne EDR alerts first emerged. This experience taught me valuable lessons about the importance of behavioral-based detection versus signature-based detection, and how to critically evaluate alerts when trying to determine if they are false or true positives.
The first SentinelOne alert I observed was at 11:30 PM ET on March 23, 2023. It not only detected the issue but also took decisive action, killing and quarantining all instances of the 3CXDesktopApp.exe process. Almost a week later, CrowdStrike made their initial attribution in a Reddit post on /r/crowdstrike at 11:13 AM ET on March 29, 2023. In contrast, Microsoft Defender, which relies on virus definitions, only began taking action against the malicious version of the 3CX Desktop App around 7 PM ET on March 29, 2023.
The 3CX Supply Chain attack affected both Windows and macOS systems, underscoring the growing sophistication of cyber threats and the vital need for strong security measures. As an IT professional, I became more vigilant after this incident in differentiating between false positives and true positives when examining alerts. Supply chain attacks such as this one can infiltrate trusted update procedures and exploit the established trust in the original, approved applications, as demonstrated by the infected builds of the 3CX Desktop App.
In this case, the compromised 3CX Desktop App was even signed by 3CX, which is usually an indication that an alert might be a false positive, especially if you're familiar with the process and trust the publisher. This experience further emphasized the value of behavioral-based detection solutions like SentinelOne, which can identify and respond to previously unknown threats by examining process behavior, system activities, and other patterns that might indicate a cyberattack. Recognizing the exact nature of supply chain attacks and how they can exploit the trust in established applications has reinforced my resolve to ensure robust security measures are in place and to be more discerning when evaluating alerts for potential threats.
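To make that triage point concrete, here is an added Python example (my own illustration, not code from the author, SentinelOne, or 3CX). It contrasts a signature-first triage rule, which closes any alert on a binary signed by a trusted publisher, with a rule that refuses to let a valid signature explain away behavioural indicators. The alert schema, the publisher allowlist, and the behaviour tags are all constructed for this example and do not describe the actual 3CX malware.

```python
from dataclasses import dataclass, field

# Constructed alert shape for this example; the field names are assumptions,
# not any EDR vendor's real schema.
@dataclass(frozen=True)
class Alert:
    process: str
    signed: bool                 # signature present and chain validated
    publisher: str               # subject of the signing certificate
    behaviors: frozenset = field(default_factory=frozenset)

# Hypothetical allowlist of publishers an analyst would normally trust.
TRUSTED_PUBLISHERS = {"3CX Ltd", "Example Corp"}

# Constructed behaviour tags that a signature should never be allowed to
# override. These are generic examples, not the behaviours of the 3CX payload.
HIGH_RISK_BEHAVIORS = {
    "unexpected_outbound_beacon",
    "loads_unsigned_module",
    "spawns_script_interpreter",
    "writes_to_startup_location",
}


def naive_triage(alert: Alert) -> str:
    """Signature-first rule: a trusted, signed process is treated as benign.

    This is the reasoning that makes a signed supply-chain implant look like
    a false positive.
    """
    if alert.signed and alert.publisher in TRUSTED_PUBLISHERS:
        return "closed_false_positive"
    return "investigate"


def behavior_aware_triage(alert: Alert) -> str:
    """Behaviour-first rule: risky behaviour always wins over a signature.

    A valid signature from a trusted publisher only lowers priority when the
    EDR attached no high-risk behaviour to the alert.
    """
    if alert.behaviors & HIGH_RISK_BEHAVIORS:
        return "investigate"
    if alert.signed and alert.publisher in TRUSTED_PUBLISHERS:
        return "likely_false_positive"
    return "investigate"


# Constructed sample alerts: one routine signed process, one signed process
# whose behaviour does not match what a softphone should be doing.
SAMPLE_ALERTS = {
    "signed_quiet": Alert(
        process="3CXDesktopApp.exe",
        signed=True,
        publisher="3CX Ltd",
        behaviors=frozenset({"opens_audio_device"}),
    ),
    "signed_risky": Alert(
        process="3CXDesktopApp.exe",
        signed=True,
        publisher="3CX Ltd",
        behaviors=frozenset({"loads_unsigned_module", "unexpected_outbound_beacon"}),
    ),
    "unsigned_quiet": Alert(
        process="updater.exe",
        signed=False,
        publisher="",
        behaviors=frozenset(),
    ),
}


def compare_rules() -> dict:
    """Run both rules over the samples and return their dispositions side by side."""
    return {
        name: (naive_triage(a), behavior_aware_triage(a))
        for name, a in SAMPLE_ALERTS.items()
    }


if __name__ == "__main__":
    for name, (naive, aware) in compare_rules().items():
        print(f"{name:15} naive={naive:22} behaviour-aware={aware}")
```

The only difference between the two rules is the order of the checks: the behaviour-aware rule evaluates what the process did before it asks who signed it. That ordering is what a signature-based control cannot provide, because a signature answers a question about provenance, not about what the code is doing on the host.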
The attack was initially linked to North Korean state-sponsored threat actors, specifically Lazarus or one of its subgroups, by Kaspersky and CrowdStrike. It appeared that the primary targets were cryptocurrency companies, which is not surprising given North Korea's history of stealing large amounts of cryptocurrency to fund its objectives. The attackers compromised 3CX systems to push malware to its 600,000 customers. While the initial malware may have reached many of these customers, the more sophisticated secondary payload was delivered only to a select few victims of interest.
The events that unfolded during this incident emphasized the increasing prevalence of supply chain attacks in today's cybersecurity landscape. By exploiting trusted supply chains to distribute malicious payloads, attackers are underscoring the necessity for organizations to be consistently vigilant and frequently assess the security postures of their partners.
This entire ordeal served as a valuable learning experience, highlighting the advantages of behavioral-based detection, the ongoing need for vigilance in IT security, and the importance of a meticulous evaluation process when responding to alerts for potential threats. As cybersecurity threats continue to evolve and supply chain attacks gain prominence, it becomes increasingly crucial for IT professionals to stay informed, adapt to emerging challenges, and implement state-of-the-art security solutions to protect their clients' systems and data. For additional information, I have included a video and a link to an article below.