⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
The number 1 threat in our top 10 for March 2023 is Labyrinth Chollima, due to the activity we saw during the 3CX compromise disclosed at the very end of the month. We chose to use CrowdStrike’s name for this threat since the behavior they reported closely matched our own observations. You can read more about the 3CX compromise below.
Dock2Master stayed at number 4 after making its first appearance in the top 10 last month. Recent regulars to our top 10 threat list over the past few months maintained their presence, with many of them swapping spots. BloodHound landed at 8, tied with TA577. RedLine joined the list and tied with Raspberry Robin in the 10th spot. TA570 was just outside the running at number 12, along with Cobalt Strike. Danabot, last month’s number 6 threat, saw a huge drop in activity down to number 23.
More about 3CX and supply chain compromises
On March 29, CrowdStrike reported an active intrusion campaign targeting 3CX customers. CrowdStrike, Red Canary, and other organizations observed malicious activity from 3CXDesktopApp, a softphone application from 3CX. On March 30, 3CX shared that several versions of the Electron-based app had shipped with malicious code as part of the updates, confirming that the campaign was a supply chain compromise.
A supply chain compromise happens when adversaries infiltrate and manipulate products or product delivery mechanisms, potentially giving them access to the users of that product. The compromise can occur at many different points in the supply chain. Using 3CX as an example, the adversary initially manipulated an installer for X_Trader financial trading software from Trading Technologies. A user with access to the 3CX environment downloaded X_Trader, giving the adversary access to the 3CX environment. From there they were able to move laterally, steal credentials, infiltrate the Windows and macOS installers for the legitimate 3CXDesktopApp, and add their malicious DLL to the installation package. Once installed, the malware could potentially give the adversaries access to every system that had installed the 3CX software.
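The mechanism described above, a legitimate installation package that ships with one altered file and one planted DLL, suggests a simple defender-side check: compare what is actually on disk with a manifest of expected file digests. The script below is an added example and is not code from Red Canary, 3CX, or any vendor; the install tree, the manifest and the tampering are all constructed in a temporary directory, and the function and file names are assumptions for illustration. It reports files whose digest differs from the manifest, files the manifest never listed, and files the manifest expects but that are absent.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_install_dir(install_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under install_dir with a manifest of expected digests.

    manifest maps a POSIX-style relative path to its expected SHA-256 hex digest.
    Returns three sorted lists:
      modified   - listed in the manifest, present on disk, digest differs
      unexpected - present on disk but not listed (e.g. an added DLL)
      missing    - listed in the manifest but absent on disk
    """
    findings: dict[str, list[str]] = {"modified": [], "unexpected": [], "missing": []}
    seen: set[str] = set()
    for path in sorted(install_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(install_dir).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            findings["unexpected"].append(rel)
        elif sha256_file(path) != expected:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario (hypothetical app, not 3CX's real file layout):
    build a clean install tree, derive the 'vendor' manifest from it, then
    simulate the tampering pattern described in the text."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean_files = {
            "app.exe": b"clean executable bytes",
            "lib/core.dll": b"clean core dll bytes",
            "readme.txt": b"release notes",
        }
        for rel, data in clean_files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = {rel: sha256_file(root / rel) for rel in clean_files}

        # Tampering: one shipped DLL is altered, one unlisted DLL is dropped in,
        # and one expected file is removed.
        (root / "lib/core.dll").write_bytes(b"altered core dll bytes")
        (root / "lib/extra.dll").write_bytes(b"unlisted dll bytes")
        (root / "readme.txt").unlink()

        return audit_install_dir(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

A manifest like this is only as trustworthy as its source; it must come from the vendor over a channel independent of the installer itself (a signed release page, for instance), since a compromised build pipeline can ship a matching manifest alongside the altered files.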
While the response to the 3CX compromise has trailed off, this is a good time to think about how to prepare for the next one that will inevitably occur. Successful supply chain compromises can be challenging to detect and can give adversaries access to a variety of environments and enterprises, as seen in the SolarWinds supply chain compromise in 2020 and the Kaseya compromise of 2022.
How to prepare for a supply chain compromise
Fortunately for defenders, supply chain compromises are uncommon compared to other initial access techniques. From our experience supporting customers through these events, we’ve learned that rapid response is key to reducing the risk of supply chain compromises. The best practices that help defend against them are useful in other response situations as well.
Here are some ways to prepare for a supply chain compromise:
- Maintain an up-to-date asset inventory so you can quickly tell whether an affected product is present in your environment.
- Research and document how the products you use are supported by their vendors. For example, are patches provided? Does the vendor share update information with you?
- Keep building detection-in-depth across the intrusion chain. Supply chain compromises are difficult to detect at first, but in most of them (including 3CX) the later phases involve stealers or hands-on-keyboard activity that are more readily detectable. Our 2023 Threat Detection Report is full of detection opportunities for this type of activity.
- Train your team and equip them with the resources they need to respond rapidly to any compromise, supply chain compromises included.
- Closely monitor vendor announcements during a supply chain compromise to learn which versions of a product are affected. Seek out trusted sources of information from the cybersecurity community as well; researchers regularly share findings that help defenders take action in the early days of a major supply chain compromise. We recommend having a plan for monitoring these sources and acting on the information to improve detection.
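The first and last items above fit together in practice: once a vendor announcement names the affected versions, an asset inventory is what turns that announcement into a list of hosts to act on. The script below is an added example, not code from Red Canary or any vendor. The advisory (product name `ExampleSoftphone`, the affected and fixed version numbers) and the inventory CSV are constructed placeholders, not 3CX's real advisory values, and the function names are assumptions. It sorts hosts running the product into three buckets: known-affected versions, older versions below the fixed release that still need updating, and hosts already at or above the fixed release.

```python
from __future__ import annotations

import csv
import io

# Constructed advisory with placeholder values. In a real event these come from
# the vendor's announcement, not from this script.
ADVISORY = {
    "product": "ExampleSoftphone",
    "affected_versions": {"1.2.300", "1.2.301"},
    "fixed_version": "1.2.310",
}

# Constructed inventory export: hostname, installed product, version, owner.
INVENTORY_CSV = """hostname,product,version,owner
fin-ws-01,ExampleSoftphone,1.2.300,finance
fin-ws-02,ExampleSoftphone,1.2.301,finance
hr-ws-07,ExampleSoftphone,1.2.290,hr
ops-ws-03,ExampleSoftphone,1.2.310,ops
dev-ws-11,OtherTool,4.0.1,engineering
"""


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.2.310' (or '1.2.310-beta') into a comparable tuple of ints.
    Non-numeric characters inside a component are dropped; an empty
    component counts as 0 so a malformed value never raises."""
    parts = []
    for component in version.strip().split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def triage_inventory(inventory_csv: str, advisory: dict) -> dict[str, list[str]]:
    """Match inventory rows against the advisory and bucket the hosts.

    affected - version is explicitly named in the advisory
    outdated - below the fixed version but not named (update anyway)
    patched  - at or above the fixed version
    Rows for other products are ignored.
    """
    buckets: dict[str, list[str]] = {"affected": [], "outdated": [], "patched": []}
    fixed = parse_version(advisory["fixed_version"])
    product = advisory["product"].strip().lower()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != product:
            continue
        host = row["hostname"].strip()
        version = row["version"].strip()
        if version in advisory["affected_versions"]:
            buckets["affected"].append(host)
        elif parse_version(version) < fixed:
            buckets["outdated"].append(host)
        else:
            buckets["patched"].append(host)
    return buckets


def demo() -> dict[str, list[str]]:
    """Run the triage over the constructed inventory and advisory."""
    return triage_inventory(INVENTORY_CSV, ADVISORY)


if __name__ == "__main__":
    for bucket, hosts in demo().items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

The "outdated" bucket is deliberate: early in an event the advisory's list of affected versions is often incomplete, so a host below the fixed release is worth tracking even when its exact version is not yet named.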
When supply chain compromises do happen, you can achieve the best outcome by staying calm, seeking out trusted sources of information to help quickly mitigate risk to your environment, and preparing ahead of time with some of the steps outlined here.