Playbook of the Week: Automated Rapid Response to 3CXDesktopApp Supply Chain Attack

Apr 06, 2023

3CXDesktopApp Supply Chain Attack Rapid Response

A supply chain attack involving 3CXDesktopApp, a software-based phone application, hit at the end of March 2023.

The 3CXDesktopApp attack was first reported by CrowdStrike on March 29, 2023, and Unit 42 investigated it the next day. Unit 42 found that the 3CXDesktopApp installer hosted on the developer’s own website installed the application together with two malicious libraries. Those libraries ultimately run shellcode that loads a backdoor onto the system, which lets the actors install additional malware on the victim machine. Please refer to the Unit 42 Threat Brief for more details on the threat and for the latest summary of Palo Alto Networks protections.

This Playbook of the Week blog focuses on the automated response actions you can take with Cortex XSOAR. XSOAR can orchestrate the response to incidents related to this attack across your EDR, XDR, SIEM, and threat intelligence sources. The 3CXDesktopApp Supply Chain Attack playbook can be triggered manually or run as a scheduled job.

What it Does

This playbook automates data enrichment: it collects, extracts, and tags indicators from sources such as Unit 42, Huntress, and CrowdStrike, and links them to incidents. It also downloads Sigma and YARA signature rules.

Playbook sample: extract, tag, and link indicators

Next, the playbook runs automated threat hunting queries that look for execution of the 3CX application, network connections to known C2 domains, and other activity from the compromised 3CX app, across multiple data sources including:

  • Cortex XDR
  • Splunk
  • QRadar
  • Elasticsearch
  • PAN-OS
  • Cortex Data Lake
  • Azure Log Analytics

Playbook sample: Generic and XDR threat hunting

Playbook sample: SIEM Threat Hunting
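
The enrichment step described above (extract, tag, and link indicators) and the hunting queries just listed both come down to the same two operations: pull indicators out of report text, then match them against endpoint and network events. The Python block below is an added example of that logic, not code from the 3CX playbook, XSOAR, or Palo Alto Networks. Every hash, domain, address, hostname, and log line in it is a constructed placeholder (RFC 5737 address space, the reserved .test TLD), and the "timestamp key=value" log format is an assumption made for illustration; none of the values are real 3CX indicators.

```python
"""Added example, not code from the 3CX playbook or from Palo Alto Networks:
a small indicator-extraction and hunting pipeline of the kind the playbook
automates. Every hash, domain, address, hostname and log line below is a
constructed placeholder (RFC 5737 address space, reserved .test TLD); none
of them is a real 3CX indicator."""
import re
import shlex
from dataclasses import dataclass

# Indicator types extracted during enrichment. Threat reports usually defang
# indicators ("hxxp", "[.]"), so the text is refanged before matching.
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
FILE_EXTS = {"exe", "dll", "msi"}   # file names look like domains; skip them

@dataclass(frozen=True)
class Indicator:
    type: str          # "sha256" | "ipv4" | "domain"
    value: str
    tags: frozenset

def refang(text: str) -> str:
    return text.replace("[.]", ".").replace("hxxp", "http")

def extract_indicators(report: str, tags=("3CXDesktopApp",)) -> set:
    """Extract, normalise and tag indicators from a (constructed) report."""
    text = refang(report)
    out = set()
    for h in SHA256_RE.findall(text):
        out.add(Indicator("sha256", h.lower(), frozenset(tags)))
    for ip in IPV4_RE.findall(text):
        out.add(Indicator("ipv4", ip, frozenset(tags)))
    for dom in DOMAIN_RE.findall(text):
        if dom.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
            out.add(Indicator("domain", dom.lower(), frozenset(tags)))
    return out

def parse_event(line: str) -> dict:
    """Parse a constructed 'ts key=value ...' log line (values may be quoted)."""
    ts, *pairs = shlex.split(line)
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event

def hunt(lines, indicators):
    """Answer the playbook's hunting questions over the events: was the 3CX
    app executed, does its hash match a known-bad one, and did any host
    contact a C2 domain or address? Returns (host, ts, reasons) per hit."""
    by_type = {}
    for ind in indicators:
        by_type.setdefault(ind.type, set()).add(ind.value)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = []
        if ev.get("event") == "process":
            image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1]
            if image.lower() == "3cxdesktopapp.exe":
                reasons.append("3CX app execution")
            if ev.get("sha256", "").lower() in by_type.get("sha256", ()):
                reasons.append("known malicious hash")
        elif ev.get("event") == "dns":
            if ev.get("query", "").lower() in by_type.get("domain", ()):
                reasons.append("DNS query for C2 domain")
        elif ev.get("event") == "net":
            if ev.get("dst") in by_type.get("ipv4", ()):
                reasons.append("connection to C2 address")
        if reasons:
            hits.append((ev["host"], ev["ts"], reasons))
    return hits

# Constructed placeholders: a fake threat report and fake endpoint/network logs.
HASH_A = "0123456789abcdef" * 4   # placeholder "malicious" hash
HASH_B = "fedcba9876543210" * 4   # placeholder benign hash
REPORT = f"""
Trojanized 3CXDesktopApp.exe installer drops a loader with SHA256
{HASH_A}. The loader beacons to hxxps://beacon[.]c2-placeholder[.]test
and to 198[.]51[.]100[.]7 over TCP/443.
"""
EVENTS = rf"""
2023-03-30T10:01:02Z host=WS01 event=process image="C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe" sha256={HASH_A}
2023-03-30T10:01:05Z host=WS01 event=dns query=beacon.c2-placeholder.test
2023-03-30T10:02:00Z host=WS02 event=process image="C:\Windows\notepad.exe" sha256={HASH_B}
2023-03-30T10:03:10Z host=WS03 event=net dst=198.51.100.7 dport=443
2023-03-30T10:04:00Z host=WS04 event=process image="C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe" sha256={HASH_B}
""".splitlines()

if __name__ == "__main__":
    iocs = extract_indicators(REPORT)
    for host, ts, why in hunt(EVENTS, iocs):
        print(f"{ts} {host}: {', '.join(why)}")
```

In the real playbook the matching happens inside the XDR and SIEM integrations (the hunting queries are pushed to those products), so only the matching logic is shown here. Note the distinction the output preserves: WS04 ran the 3CX app with a hash that is not on the indicator list, so it is flagged for analyst review rather than as confirmed compromise, which is exactly the case where you would want the playbook to stop short of automatic blocking.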

Lastly, you can configure the playbook to perform remediation tasks such as blocking indicators automatically, or leave the analyst to carry out further analysis before closing the investigation.

Playbook sample: Remediation tasks

Learn More

Note: We have highlighted only some of the tasks available in this playbook. It calls other sub-playbooks not covered in this blog, so for the full scope of the automation workflow, please refer to our Cortex Marketplace content pack documentation. You might also be interested in our series of Rapid Breach Response playbooks.

To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided XSOAR Product Tour.

We also host virtual and in-person events, so check here for upcoming ones.
