Tom here from Lawrence Systems, and we now know how 3CX got hacked. It was a supply chain attack. You're probably thinking, wasn't 3CX a supply chain attack? Yes. There was another supply chain attack that led to the 3CX supply chain attack: software called Trading Technologies X_Trader. We're gonna be citing from Kim Zetter's Zero Day, Google's Threat Analysis Group (the TAG group, as they call it) and a 3CX blog where Mandiant has posted updates, to dive into these details so we can understand what happened. I think some of the details are kind of interesting. I will have links right down below to those blog posts and a couple of others. Brian Krebs also did a write-up on some of the broader, expanded things that are learned from all this, because this attack was really targeted in a very narrow scope, and it's showing just how difficult these attacks are to pull off. But they're still really interesting, because they didn't turn into quite the big security incident that it could have been. I think it's still a really interesting topic that we were able to stop it, but understanding and unraveling this is, well, that's what we're gonna dive through today, and we're gonna end it with some lessons learned.

Now, we don't have any details on how exactly this X_Trader software was compromised, just that we know it was compromised and Mandiant cited it as the source for the 3CX compromise. So we'll start here. Now, we know about the compromise from the Google Threat Analysis Group, or TAG, countering threats from North Korea; that's linked right down below. The Google TAG report essentially says there was a campaign targeting news media and IT companies, and they were offering them jobs, and that interaction and engagement would sometimes lead to phishing. I imagine that would be, say, "hey, download this software." They also targeted cryptocurrency and fintech organizations, and that's more specifically related to the Trading Technologies software, which was listed among others on this report from Google as a compromised piece of software used by the North Koreans, in a very targeted campaign.

Now, this is from Kim Zetter's Zero Day report: the tainted software installed a backdoor on the employee's computer, giving the attackers full administrator and system-level rights over the system. The hackers then stole the employee's work credentials, which gave them administrator-level access to 3CX's system as well. Trading Technologies was not a supplier to 3CX; the two software companies have no relationship to one another, the spokesperson said, and the X_Trader software had been decommissioned in April 2020, a year before the hackers allegedly embedded malware in it and two years before the 3CX employee downloaded the tainted software. When asked if they had determined how many people downloaded the tainted software, a company spokesperson for Trading Technologies confirmed the number of individuals who downloaded the tainted software was 97.

It doesn't take many people when you think about the scale and scope of 3CX. It's an extremely popular voice-over-IP program amongst enterprise users, with a desktop agent. They compromised both the Windows and Mac versions of this desktop agent. It was distributed to an amazing number of companies. It doesn't take more people; it takes 97 or less. It really only took one employee at 3CX to send some ripples through an entire supply chain, when you talk about targeting, really focused targeting, at high-level companies like that and the people who work there. So it seems like a low number, but when you think about the ripple effect a supply chain attack will have, it's actually a pretty big number, because they're still identifying who else may have been targeted or who else may have been compromised. Because if this had been quieter and hadn't been acted on, there could be these lurking in other systems.

Now, this is from the 3CX blog, and this is Mandiant's report, and I found this particular part interesting. Mandiant identified the use of the Fast Reverse Proxy tool, which the threat actor used to move laterally within the 3CX environment. The tool was named msmp-eng.exe and located in the C:\Windows\System32 directory. Now, why this is fascinating to me is because I did a report, a video that is linked down below, on SentinelOne versus Huntress regarding a security incident with one of my clients. This was the tool identified by Huntress but not by SentinelOne, and SentinelOne has later changed its mind and started identifying this as a bad tool. But this tool has been known to be used by several threat actors, and I noted that in my video; I dive deeper into how it's used. It's not really used, that I could find at least, by any legitimate companies, and it is really being used for illegitimate use across a lot of these threat actor incidents, numerous ones, now including 3CX. So this is definitely something bad, and you flag it based on its behavior. It's not that it itself is a bad program; it's just a reverse proxy. But when they take the time to hide it, this is where you get behavioral analysis that should look at the behaviors of software and what they're doing, such as creating hidden folders, which was my case, or in this case installing under Windows System32 something called "msmpeng." You find a common signature, you find it named something else, and you reverse engineer it and go, that's actually this tool being hidden this way. Those are behavioral flags.

It really should be noted: VirusTotal on February 12th of 2023, when that incident happened and I did that video, was only flagging 15 out of 70, and now it's being flagged by 17 out of 69, and on February 28th, that's actually when I published the video, and then on April 23rd of 2023, 22 out of 70. So slowly more and more vendors are going, yeah, that tool should just be flagged; there's not a reason to find it on a corporate network. But nonetheless, I find that part pretty interesting.

Now, the reason this compromise didn't turn into a total, complete meltdown of the internet and all these companies being compromised in a horrible way was a couple of things. One, it was extremely targeted; the payload was only delivered to an extremely narrow scope. So it's not like anyone who got the download would also get the payload. So basically they were prepping for the attack, but the attack didn't occur. The bigger thing that happened to stop all of this is the cyber security community collaborated and coordinated quickly. The information was free-flowing between all the different major players in the cyber security community; lots of threat hunters were out there looking at this, understanding it, sharing the intel, putting blog posts together across just a wide array of companies. This was awesome, because this makes it that much harder to do. The bar has clearly been raised for what it takes to get past modern security systems here in 2023. I'm not saying everybody has fully modern security systems; clearly 3CX had some problems we'll talk about here in a second. But if you are running modern EDR software and you are following good modern policy, it's really hard, and that's why this double supply chain attack was what it took to be able to get distributed into all these systems. But the bar's really been raised. It was just great to see the communities come together and do a lot of info sharing to quickly inform everyone what's going on, what the targets were, and how to defuse this before it became a bigger incident.

Now let's talk about how 3CX failed. Not in software; this is really a policy failure, in my opinion. It should be absolutely and implicitly clear that employees should not use work computers for personal use. This is a talking point that I hope you bring up if you're in charge of IT or IT policy for your organization or external organizations. This just needs to be a clear separation because of the dangers involved, as pointed out here. Employees should not have administrative privileges to install software. This is where the dev teams and security teams may have some differences of opinion, but the reality is, if you care about security, you just can't let the devs install whatever they want. Limiting their privileges makes a lot of sense, especially if they're part of any targeted campaign where someone suggested some software that would make their life easier developing, and that software happens to be some shady software. So even if it's work-related or seemingly work-related, you have to be very careful, and security teams should be auditing and really locking down what gets installed on these computers and have a vetting process for it. Third, audits should be performed to make sure one and two are being followed. And not just audits; perhaps maybe even signs, posters and suggestions. If you've worked in industrial manufacturing, there's all kinds of notices: put your safety glasses on, don't put your finger in the machine, and quit using your work computer for personal use. Maybe we need similar signs, but anything that helps encourage and reinforce this, and then audit to make sure it's not occurring. This would have saved them a lot of trouble.

It seems pretty wild to me that in the last year we've had two major companies, that we know of, where personal use of corporate assets is what led to compromise: the LastPass incident, loading a Plex server and getting Plex compromised, which led to developer credentials being compromised, and of course 3CX with the trading software. I know many companies have policies, but that whole audit process to make sure that these policies are being followed, that is extremely clear. And if it's not clear at these smaller organizations that maybe you work at, hopefully you have ways to influence and make it clear to people, or if you're a policymaker, whether you're IT internal or IT external, you have some influence over this. These are things you can just point to and say, hey, this is a real problem. This is why we don't allow anyone to have full admin privileges, and this is why we have an approval list of software, and please quit using your work computer for personal use. Nonetheless, I'd love to hear from you. Leave your thoughts and comments down below, let me know what you liked, what you didn't like, or if I'm wrong about something. Nonetheless, I love engaging with all of you, or head on over to my forums for a more in-depth discussion on this topic or any others I cover on my channel. Thanks.
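As an added example, not from the video or from Mandiant's report: a small Python check for the kind of behavioral flag described above, an executable whose name mimics a legitimate Windows binary (msmp-eng.exe dropped in System32) but differs from the real one in name, location or signer. The file inventory records, the allow-list and the signer string are constructed for the example; the real Defender service binary is MsMpEng.exe and ships under Program Files\Windows Defender, not System32.

```python
import re
from dataclasses import dataclass

# Constructed allow-list for the example: legitimate binary name -> directories it ships in.
# A real deployment would build this from a known-good image, not hand-type it.
KNOWN_BINARIES = {
    "msmpeng.exe": {r"c:\program files\windows defender"},  # Defender's service, not a System32 file
    "svchost.exe": {r"c:\windows\system32"},
}
EXPECTED_SIGNER = "Microsoft Windows"  # assumed Authenticode publisher string reported by the agent


@dataclass
class FileRecord:
    path: str    # full path as reported by the inventory/EDR agent
    signer: str  # Authenticode publisher, "" when unsigned


def normalize_name(filename: str) -> str:
    """Drop separators inserted to dodge exact matching: 'msmp-eng.exe' -> 'msmpeng.exe'."""
    stem, dot, ext = filename.lower().rpartition(".")
    return re.sub(r"[-_ ]", "", stem) + dot + ext


def flag_lookalikes(records):
    """Return (path, reasons) for files that resemble a known binary but differ in name, location or signer."""
    findings = []
    for rec in records:
        directory, _, name = rec.path.lower().rpartition("\\")
        canon = normalize_name(name)
        if canon not in KNOWN_BINARIES:
            continue  # not a lookalike of anything on the allow-list; other checks cover it
        reasons = []
        if name != canon:
            reasons.append(f"name mimics {canon}")
        if directory not in KNOWN_BINARIES[canon]:
            reasons.append("unexpected directory")
        if rec.signer != EXPECTED_SIGNER:
            reasons.append("not Microsoft-signed")
        if reasons:
            findings.append((rec.path, reasons))
    return findings


# Constructed inventory: the path named in the 3CX report plus two legitimate entries.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\msmp-eng.exe", ""),
    FileRecord(r"C:\Program Files\Windows Defender\MsMpEng.exe", "Microsoft Windows"),
    FileRecord(r"C:\Windows\System32\svchost.exe", "Microsoft Windows"),
]
```

Only the renamed System32 copy is reported, with all three reasons; the two genuine files pass.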