Shielding a regional bank from a cyberattack

Client profile

• Award-winning, locally owned bank with six locations
• Over $800 million in assets
• More than 130 employees; a small IT staff
• Partners with SEI Sphere for cybersecurity and cloud services

Initial inquiry

On March 29, 2023, the client submitted a ticket inquiring about a potential supply chain compromise via a routine update in 3CX, a softphone application utilized by their bank.

Good to know: A supply chain attack leverages a trusted outside business, such as a vendor or partner, to infiltrate a company’s network.

A thorough approach

On March 30, 2023, SEI Sphere’s security team investigated the incident using shared intelligence from our endpoint security tool and other open-source intelligence.¹ The investigation confirmed malicious activity from the 3CXDesktopApp, including beaconing to actor-controlled infrastructure, deployment of payloads, and, in some cases, hands-on-keyboard activity.

• We immediately ran command and control (C2) indicators and hash values (numerical values that uniquely identify data) through our custom-built security information and event management (SIEM) tool to determine if any were observed in our clients’ environments, and one hash indicator matched. SEI Sphere security staff working earlier that morning in India had already added C2 domains. We also added the values to our firewall block list to prevent outbound communication for all clients.
• We ran recommended threat-hunting queries in event search to validate the full extent of this application in client environments.
• We discovered additional C2 indicators not originally reported by our endpoint security tool from our community of open-source intelligence channels and added these to our SIEM and proxy blocks.
• To further investigate the attack, we downloaded malicious executables and ran them in a lab environment in an attempt to follow the attack from execution to compromise. This was not successful, as the attack appeared to be targeted toward specific entities. 

A strong position

By adding these indicators to our SIEM, we can see and block any future hits to the associated C2 domains via endpoint detection and observation of all proxy logs. Additionally, we added malicious hash values to our endpoint security tool to assist in preventing execution and further compromise from the known executables associated with this attack. Finally, we added a block in our endpoint security tool for the base 3CX executable to help prevent any file with this name from executing, regardless of hash value or folder location. 

Common attack, targeted plan

As businesses grow, so does reliance on outside providers, and so too does vulnerability to third-party attacks like this one. In a time when crafted attacks toward handpicked organizations are becoming the norm, it's important to have a cybersecurity provider who performs comprehensive, timely work with every inquiry. SEI Sphere defends our clients from targeted supply chain attacks, and we can do the same for you. 

¹SEI Sphere uses CrowdStrike's endpoint protection solution for its cybersecurity program

CrowdStrike is not affiliated with SEI or its subsidiaries.