Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for March 2023:
| Last month's rank | Threat name | Threat description |
|---|---|---|
| Last month's rank: ⬆ 1 | Threat name: Labyrinth Chollima | Threat description: Suspected North Korean threat group named by CrowdStrike that conducts espionage and financial operations |
| Last month's rank: ➡ 2 | Threat name: | Threat description: Open source tool that dumps credentials using various techniques |
| Last month's rank: ⬆ 3 | Threat name: | Threat description: Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| Last month's rank: ➡ 4 | Threat name: Dock2Master | Threat description: macOS ad fraud activity that has led to downloads of other macOS malware such as Shlayer |
| Last month's rank: ⬇ 5* | Threat name: | Threat description: Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages |
| Last month's rank: ⬆ 5* | Threat name: | Threat description: Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| Last month's rank: ⬇ 7 | Threat name: | Threat description: Collection of Python classes to construct/manipulate network protocols |
| Last month's rank: ⬇ 8* | Threat name: TA577 | Threat description: Malware delivery affiliate named by Proofpoint that commonly conducts Qbot and IcedID campaigns, using letter pairs like "TR" and "BB" in its malware configuration campaign identifiers |
| Last month's rank: ⬆ 8* | Threat name: | Threat description: Open source tool used to identify intrusion paths and relationships in Active Directory |
| Last month's rank: ⬇ 10* | Threat name: | Threat description: Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL |
| Last month's rank: ⬆ 10* | Threat name: | Threat description: Information stealer sold on underground forums and used by a variety of adversaries |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
The number 1 threat in our top 10 for March 2023 is Labyrinth Chollima, due to the activity we saw during the 3CX compromise disclosed at the very end of the month. We chose to use CrowdStrike’s name for this threat since the behavior they reported closely matched our own observations. You can read more about the 3CX compromise below.
Dock2Master stayed at number 4 after making its first appearance in the top 10 last month. Recent regulars to our top 10 threat list over the past few months maintained their presence, with many of them swapping spots. BloodHound landed at 8, tied with TA577. RedLine joined the list and tied with Raspberry Robin in the 10th spot. TA570 was just outside the running at number 12, along with Cobalt Strike. Danabot, last month’s number 6 threat, saw a huge drop in activity down to number 23.
More about 3CX and supply chain compromises
On March 29, CrowdStrike reported an active intrusion campaign targeting 3CX customers. CrowdStrike, Red Canary, and other organizations observed malicious activity from 3CXDesktopApp, a softphone application from 3CX. On March 30, 3CX shared that several versions of the Electron-based app had shipped with malicious code as part of the updates, confirming that the campaign was a supply chain compromise.
A supply chain compromise happens when adversaries infiltrate and manipulate products or product delivery mechanisms, potentially giving adversaries access to the users of that product. The technique can happen at many different points in the supply chain. Using 3CX as an example, the adversary initially manipulated an installer for X_Trader financial trading software from Trading Technologies. A user with access to the 3CX environment downloaded X_Trader, giving the adversary access to the 3CX environment. They were able to move laterally, steal credentials, infiltrate Windows and macOS installers for the legitimate 3CXDesktopApp, and add their malicious DLL to the installation package. Once installed, the malware could potentially give the adversaries access to all the systems that had installed 3CX software.
While the response to the 3CX compromise has trailed off, this is a good time to think about how to prepare for the next one that will inevitably occur. Successful supply chain compromises can be challenging to detect and can give adversaries access to a variety of environments and enterprises, as seen in the SolarWinds supply chain compromise in 2020 and the Kaseya compromise of 2022.
How to prepare for a supply chain compromise
Fortunately for defenders, supply chain compromises are uncommon compared to other types of initial access techniques. From our experience supporting customers through these events, we’ve learned rapid response is key to reducing the risk of supply chain compromises. The best practices to help defend against them are useful in other response situations as well.
Here are some ways to prepare for a supply chain compromise:
- Having an up-to-date asset inventory lets you know if the affected product is present in your environment
- Researching and documenting how products you use are supported by their vendors. For example, are patches provided? Does the vendor share update information with you?
- Continuing to work on detection-in-depth across the intrusion chain. While supply chain compromises are difficult to detect at first, in most of them (including 3CX), later phases involve stealers or hands-on-keyboard activity that are more easily detectable. Our 2023 Threat Detection Report is full of detection opportunities for this type of activity
- Training your team and equipping them with the resources they need to rapidly respond in the event of any compromise, including supply chain compromises
- Closely monitoring announcements from product vendors in the event of a supply chain compromise can help you learn which versions of a product are affected. Seeking out trusted sources of information from the cybersecurity community is also helpful, as researchers regularly share findings to help defenders take action in the early days of major supply chain compromises. We recommend having a plan for monitoring these sources and actioning the information for improving detection
When supply chain compromises do happen, you can achieve the best outcome by staying calm, seeking out trusted sources of information to help quickly mitigate risk to your environment, and preparing ahead of time with some of the steps outlined here.