Detection: 3CX Supply Chain Attack Network Indicators

EXPERIMENTAL DETECTION

This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Updated Date: 2024-10-17 ID: 791b727c-deec-4fbe-a732-756131b3c5a1 Author: Michael Haag, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.

1
2| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query 
3| `drop_dm_object_name(DNS)` 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC 
7| search isIOC=true 
8| `3cx_supply_chain_attack_network_indicators_filter`

Data Source

Name Platform Sourcetype Source
Sysmon EventID 22 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
3cx_supply_chain_attack_network_indicators_filter search *
3cx_supply_chain_attack_network_indicators_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1195.002 Compromise Software Supply Chain Initial Access
KillChainPhase.DELIVERY
NistCategory.DE_CM
Cis18Value.CIS_13
APT41
Cobalt Group
Daggerfly
Dragonfly
FIN7
GOLD SOUTHFIELD
Moonstone Sleet
Sandworm Team
Threat Group-3390

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To successfully implement this search you need to be ingesting information into the Network Resolution datamodel in the DNS node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed.

Known False Positives

False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
Indicators related to 3CX supply chain attack have been identified on $src$. 100 100 100
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Not Applicable N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 3