Source: https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
CROWDSTRIKE FALCON PLATFORM DETECTS AND PREVENTS ACTIVE INTRUSION CAMPAIGN TARGETING 3CXDESKTOPAPP CUSTOMERS

March 29, 2023 | CrowdStrike | Research & Threat Intel

Note: Content from this post first appeared in r/CrowdStrike. We will continue to update on this dynamic situation as more details become available. CrowdStrike's Intelligence team is in contact with 3CX.

On March 29, 2023, CrowdStrike observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp — a softphone application from 3CX. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads and, in a small number of cases, hands-on-keyboard activity.
The CrowdStrike Falcon® platform has behavioral preventions and atomic indicator detections targeting the abuse of 3CXDesktopApp. In addition, CrowdStrike® Falcon OverWatch™ helps customers stay vigilant against hands-on-keyboard activity. CrowdStrike customers can log into the customer support portal and follow the latest updates in Trending Threats & Vulnerabilities: Intrusion Campaign Targeting 3CX Customers.

The 3CXDesktopApp is available for Windows, macOS, Linux and mobile. At this time, activity has been observed on both Windows and macOS.

CrowdStrike Intelligence has assessed there is suspected nation-state involvement by the threat actor LABYRINTH CHOLLIMA. CrowdStrike Intelligence customers received an alert this morning on this active intrusion.

CROWDSTRIKE FALCON DETECTION AND PROTECTION

The CrowdStrike Falcon platform protects customers from this attack. Coverage uses behavior-based indicators of attack (IOAs) and indicator-of-compromise (IOC) based detections targeting the malicious behaviors associated with 3CXDesktopApp on both macOS and Windows. Customers should ensure that prevention policies are properly configured with Suspicious Processes enabled.

Figure 1. CrowdStrike's indicator of attack (IOA) identifies and blocks the malicious behavior in macOS.
Figure 2. CrowdStrike's indicator of attack (IOA) identifies and blocks the malicious behavior in Windows.

HUNTING IN THE CROWDSTRIKE FALCON PLATFORM

Falcon Discover

CrowdStrike Falcon® Discover customers can use the following link (US-1 | US-2 | EU | Gov) to look for the presence of 3CXDesktopApp in their environment.
Falcon Insight

Falcon Insight customers can assess whether 3CXDesktopApp is running in their environment with the following queries.

Event Search — Application Search

event_simpleName IN (PeVersionInfo, ProcessRollup2) FileName IN ("3CXDesktopApp.exe", "3CX Desktop App")
| stats dc(aid) as endpointCount by event_platform, FileName, SHA256HashData

Falcon Long Term Repository (LTR) powered by Falcon LogScale — Application Search

#event_simpleName=/^(PeVersionInfo|ProcessRollup2)$/ AND ((event_platform=Win ImageFileName=/\\3CXDesktopApp\.exe$/i) OR (event_platform=Mac ImageFileName=/\/3CX\sDesktop\sApp/i))
| ImageFileName = /.+(\\|\/)(?<FileName>.+)$/i
| groupBy([event_platform, FileName, SHA256HashData], function=count(aid, distinct=true, as=endpointCount))

The platform-specific clauses are grouped in parentheses so that the event_simpleName filter applies to both the Windows and the macOS branch, and the second line extracts the trailing path component of ImageFileName into a FileName field (named capture group) for the groupBy.

Atomic Indicators

The following domains have been observed beaconing and should be considered an indication of malicious intent:

akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
dunamistrd[.]com
glcloudservice[.]com
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
visualstudiofactory[.]com
zacharryblogs[.]com

CrowdStrike Falcon® Insight customers, regardless of retention period, can search for the presence of these domains in their environment spanning back one year using Indicator Graph: US-1 | US-2 | EU | Gov.
Event Search — Domain Search

event_simpleName=DnsRequest DomainName IN (akamaicontainer.com, akamaitechcloudservices.com, azuredeploystore.com, azureonlinecloud.com, azureonlinestorage.com, dunamistrd.com, glcloudservice.com, journalide.org, msedgepackageinfo.com, msstorageazure.com, msstorageboxes.com, officeaddons.com, officestoragebox.com, pbxcloudeservices.com, pbxphonenetwork.com, pbxsources.com, qwepoi123098.com, sbmsa.wiki, sourceslabs.com, visualstudiofactory.com, zacharryblogs.com)
| stats dc(aid) as endpointCount, earliest(ContextTimeStamp_decimal) as firstSeen, latest(ContextTimeStamp_decimal) as lastSeen by DomainName
| convert ctime(firstSeen) ctime(lastSeen)

Falcon LTR — Domain Search

#event_simpleName=DnsRequest
| in(DomainName, values=[akamaicontainer.com, akamaitechcloudservices.com, azuredeploystore.com, azureonlinecloud.com, azureonlinestorage.com, dunamistrd.com, glcloudservice.com, journalide.org, msedgepackageinfo.com, msstorageazure.com, msstorageboxes.com, officeaddons.com, officestoragebox.com, pbxcloudeservices.com, pbxphonenetwork.com, pbxsources.com, qwepoi123098.com, sbmsa.wiki, sourceslabs.com, visualstudiofactory.com, zacharryblogs.com])
| groupBy([DomainName], function=([count(aid, distinct=true, as=endpointCount), min(ContextTimeStamp, as=firstSeen), max(ContextTimeStamp, as=lastSeen)]))
| firstSeen := firstSeen * 1000 | formatTime(format="%F %T.%L", field=firstSeen, as="firstSeen")
| lastSeen := lastSeen * 1000 | formatTime(format="%F %T.%L", field=lastSeen, as="lastSeen")
| sort(endpointCount, order=desc)

Both queries match the exact DomainName value. A lookup for a subdomain of one of these domains would not be returned by them as written; widen the match if your data needs that.

File Details

SHA256                                                           | Operating System | Installer SHA256                                                 | FileName
dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc | Windows          | aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 | 3cxdesktopapp-18.12.407.msi
fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 | Windows          | 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 | 3cxdesktopapp-18.12.416.msi
92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 | macOS            | 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 | 3CXDesktopApp-18.11.1213.dmg
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb | macOS            | e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec | 3cxdesktopapp-latest.dmg

RECOMMENDATIONS

The current recommendation for all CrowdStrike customers is:

1. Locate the presence of 3CXDesktopApp software in your environment by using the queries outlined above.
2. Ensure Falcon is deployed to applicable systems.
3. Ensure "Suspicious Processes" is enabled in applicable Prevention Policies.
4. Hunt for historical presence of atomic indicators in third-party tooling (if available).

ADDITIONAL RESOURCES

* Request a free CrowdStrike Intelligence threat briefing and learn how to stop adversaries targeting your organization.
* The industry-leading CrowdStrike Falcon platform sets the new standard in cybersecurity. Watch this demo to see the Falcon platform in action.
* Experience how the industry-leading CrowdStrike Falcon platform protects against modern threats. Start your 15-day free trial today.
* Find more information on this situation on our Trending Threats & Vulnerabilities: Intrusion Campaign Targeting 3CX Customers tracking page.
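Recommendation 4 asks for a hunt over third-party tooling, where the Event Search and LogScale Domain Search queries above are not available. The following is an added example, not CrowdStrike's or 3CX's code: a small Python hunt that computes the same result as those queries (distinct endpoints, first seen, last seen, sorted by endpoint count) over a DNS log exported from any resolver or proxy. The log line format ("timestamp hostname queried-name") and the sample log are constructed assumptions for the example; the domain list is the one published in the post, defanged as published and refanged at load time. It also matches subdomains of the listed domains, which the exact-match queries above do not.

```python
"""Offline hunt for the 3CX beaconing domains listed in this post.

Added example, not CrowdStrike's or 3CX's code. It mirrors what the post's
Domain Search queries compute (distinct endpoints, first/last seen, sorted by
endpoint count) but over a DNS log exported from third-party tooling, which is
what recommendation 4 asks for. The log line format and the sample log are
constructed assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Beaconing domains from the post, defanged exactly as published.
IOC_DOMAINS_DEFANGED = [
    "akamaicontainer[.]com", "akamaitechcloudservices[.]com",
    "azuredeploystore[.]com", "azureonlinecloud[.]com",
    "azureonlinestorage[.]com", "dunamistrd[.]com", "glcloudservice[.]com",
    "journalide[.]org", "msedgepackageinfo[.]com", "msstorageazure[.]com",
    "msstorageboxes[.]com", "officeaddons[.]com", "officestoragebox[.]com",
    "pbxcloudeservices[.]com", "pbxphonenetwork[.]com", "pbxsources[.]com",
    "qwepoi123098[.]com", "sbmsa[.]wiki", "sourceslabs[.]com",
    "visualstudiofactory[.]com", "zacharryblogs[.]com",
]


def refang(domain: str) -> str:
    """'example[.]com' -> 'example.com', lower-cased, trailing dot removed."""
    return domain.replace("[.]", ".").strip().rstrip(".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def matched_ioc_domain(queried: str):
    """Return the IOC domain that `queried` equals or is a subdomain of.

    The suffix test is anchored on a label boundary: 'cdn.pbxsources.com'
    matches 'pbxsources.com', while 'notpbxsources.com' and
    'pbxsources.com.example' do not. The post's IN()/in() queries match the
    exact value only, so this is deliberately a little wider.
    """
    q = refang(queried)
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Assumed export format: "<ISO-8601 timestamp> <hostname> <queried name>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qname>\S+)$")


def hunt_dns_log(lines):
    """Aggregate IOC hits per domain: endpointCount, firstSeen, lastSeen."""
    hits = defaultdict(lambda: {"hosts": set(), "first": None, "last": None})
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip it, do not abort the hunt
        ioc = matched_ioc_domain(m["qname"])
        if ioc is None:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        h = hits[ioc]
        h["hosts"].add(m["host"])
        h["first"] = ts if h["first"] is None or ts < h["first"] else h["first"]
        h["last"] = ts if h["last"] is None or ts > h["last"] else h["last"]
    rows = [
        {"domain": d, "endpointCount": len(v["hosts"]),
         "firstSeen": v["first"].isoformat(), "lastSeen": v["last"].isoformat()}
        for d, v in hits.items()
    ]
    # Same ordering as sort(endpointCount, order=desc); domain breaks ties.
    return sorted(rows, key=lambda r: (-r["endpointCount"], r["domain"]))


# Constructed sample log, not real telemetry. It includes a subdomain hit, an
# upper-cased name with a trailing dot, and a lookalike that must not match.
SAMPLE_DNS_LOG = """\
2023-03-28T09:12:01Z WS-0142 www.3cx.com
2023-03-28T09:12:07Z WS-0142 msstorageazure.com
2023-03-28T09:13:40Z WS-0142 cdn.msstorageazure.com
2023-03-28T11:02:55Z WS-0377 pbxsources.com
2023-03-29T02:45:10Z LT-0091 MSSTORAGEAZURE.COM.
2023-03-29T08:00:00Z WS-0142 msstorageazure.com.example
""".splitlines()

if __name__ == "__main__":
    for row in hunt_dns_log(SAMPLE_DNS_LOG):
        print(row)
```

On the sample log this reports msstorageazure.com on two endpoints (WS-0142 and LT-0091, the latter via the upper-cased, trailing-dot form) and pbxsources.com on one, and ignores msstorageazure.com.example because the suffix check is anchored on a label boundary. To run it against a real export, replace SAMPLE_DNS_LOG with the lines of your file and adjust LOG_LINE to your tool's column order; any hit is worth the same follow-up as a hit from the Indicator Graph search above.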