TH20102
Detected indicators of tampering that resemble the 3CX DesktopApp software compromise.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| | fail | high | high | 1 | tampering: fail. Reason: indicators of tampering found |
About the issue
Publicly disclosed software supply chain compromises can be modeled through their unique set of indicators of tampering. These indicators form a heuristic signature that is evaluated during differential analysis, to ensure that no similar supply chain attack has affected a software package. By inspecting how the package's behaviors changed across subsequent versions, a match was made with the indicators of tampering that resemble the 3CX DesktopApp software compromise. Malicious actors are known to re-use attack patterns that were successful in the past. Some malicious actors are also known to emulate other attackers with the intent to misdirect incident responders. Therefore, a positive tampering match is not sufficient for attack attribution. It is highly likely that the software package was tampered with by a malicious actor or a rogue insider.
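The differential check described above can be illustrated with a small version-over-version behavior diff. This is an added example, not ReversingLabs' code, and the behavior identifiers, file names and the signature it matches against are constructed placeholders, not the real 3CX indicators; it shows the mechanism (only behaviors that are new in the later version count toward the signature), not the product's actual heuristic.

```python
"""Differential analysis: diff two version inventories, match new behaviors against a signature."""
from dataclasses import dataclass

# Constructed sample inventories, as a static/dynamic analysis step might produce them.
# Identifiers are hypothetical and not a real taxonomy.
PREVIOUS = {
    "version": "1.0.0",
    "behaviors": {"reads-config", "opens-ui-window", "checks-for-updates"},
    "files": {"app.exe": "signed", "core.dll": "signed"},
}
CURRENT = {
    "version": "1.0.1",
    "behaviors": {
        "reads-config", "opens-ui-window", "checks-for-updates",
        "loads-dll-from-app-dir", "contacts-hardcoded-host", "decrypts-embedded-payload",
    },
    "files": {"app.exe": "signed", "core.dll": "signed", "helper.dll": "unsigned"},
}


@dataclass(frozen=True)
class TamperingSignature:
    """Heuristic signature: all listed behaviors must be NEW in the later version."""
    name: str
    required_new_behaviors: frozenset
    require_new_unsigned_file: bool


# Hypothetical signature shape; the real indicators are not reproduced here.
SIGNATURE = TamperingSignature(
    name="hypothetical-supply-chain-tampering-pattern",
    required_new_behaviors=frozenset(
        {"loads-dll-from-app-dir", "contacts-hardcoded-host", "decrypts-embedded-payload"}
    ),
    require_new_unsigned_file=True,
)


def diff_versions(prev, cur):
    """Return what changed between two versions: behaviors gained/lost, new unsigned files."""
    return {
        "added_behaviors": cur["behaviors"] - prev["behaviors"],
        "removed_behaviors": prev["behaviors"] - cur["behaviors"],
        "new_unsigned_files": sorted(
            name for name, status in cur["files"].items()
            if name not in prev["files"] and status != "signed"
        ),
    }


def match_signature(diff, sig):
    """Match the signature against the diff only, so pre-existing behaviors never fire it."""
    hits = sorted(diff["added_behaviors"] & sig.required_new_behaviors)
    all_present = len(hits) == len(sig.required_new_behaviors)
    file_ok = (not sig.require_new_unsigned_file) or bool(diff["new_unsigned_files"])
    return all_present and file_ok, hits


def assess(prev, cur, sig):
    """Produce a policy-style verdict for the version transition prev -> cur."""
    diff = diff_versions(prev, cur)
    matched, hits = match_signature(diff, sig)
    if matched:
        return {
            "status": "fail",
            "level": "tampering: fail",
            "reason": "indicators of tampering found",
            "signature": sig.name,
            "matched_new_behaviors": hits,
            "new_unsigned_files": diff["new_unsigned_files"],
        }
    return {"status": "pass", "level": "tampering: pass", "matched_new_behaviors": hits}


if __name__ == "__main__":
    print(assess(PREVIOUS, CURRENT, SIGNATURE))   # fails: all new behaviors + unsigned DLL
    print(assess(PREVIOUS, PREVIOUS, SIGNATURE))  # passes: nothing changed
```

Because the signature is evaluated on the diff rather than on the absolute behavior set, a package that has always had one of these behaviors does not match; that is what makes a positive result a tampering indicator rather than a plain behavior report, and it is also why, as the text says, a match supports investigation but not attribution.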
How to resolve the issue
- Investigate reported detections.
- Consult MITRE ATT&CK documentation: T1195.002 - Compromise Software Supply Chain.
- Investigate your build and release environment for software supply chain compromise.
- Consider hiring an external incident response team to assist with finding the root cause of the compromise.
- Delay the software release until the investigation is completed and the detection is verified.
Recommended reading
- The 3CX attack was targeted - but the plan was broader (ReversingLabs blog)
- Red flags flew over software supply chain-compromised 3CX update (ReversingLabs blog)
- T1195.002 - Compromise Software Supply Chain (External resource - MITRE ATT&CK documentation)