See What Foreign Software Is Running in Your Environment
Use Case:

3CX Breach

3CX was the victim of a supply chain attack that compromised the company's VoIP software with malicious code, giving attackers the ability to download and run code on every machine where the app was installed.

Data Breach and 3CX DesktopApp

The hacker group UNC4736, with ties to North Korea, breached the financial software firm Trading Technologies. The hackers embedded a backdoor into an application distributed from Trading Technologies' website known as X_Trader. The malicious version of X_Trader was downloaded and installed on the computer of a 3CX employee. From there, the hackers were able to spread through 3CX's network and reach the company server used for software development. They corrupted the 3CX installer application available for download from the 3CX website, and the corrupted installer was also pushed out through a legitimate software update. When the malicious 3CX installer ran, it downloaded and installed additional malware called ICONICSTEALER, which took the form of several DLLs.

How ThreatLocker® Mitigated This Exploit

ThreatLocker Allowlisting only permits explicitly approved applications and DLLs to run. By default, ThreatLocker blocked the malicious DLLs that were downloaded because they were not included in the allowlist for 3CX. In addition to Allowlisting, ThreatLocker used Ringfencing to confine the 3CX application so that it had access to no more than it required to do its job. The ThreatLocker Ringfencing solution blocked the application from reading or writing files and blocked its access to the internet, except for the domain(s) listed for it in the 3CX web console. With Ringfencing in place, the 3CX application is prevented from reaching out and downloading the ICONICSTEALER malware.
Illustration of ThreatLocker containing 3CX DesktopApp
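As an added illustration, not code from ThreatLocker or from this page, the following Python model shows the default-deny logic the section describes: a per-application allowlist keyed on module content hashes, plus ringfence rules for outbound domains and file access. Every module, domain and file path in it is a constructed placeholder.

```python
import hashlib
from dataclasses import dataclass

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()   # module identity is its content hash

@dataclass
class RingfencePolicy:
    """Default-deny policy for one application: modules it may load, hosts it
    may reach, and whether it may read or write files outside its own folder."""
    allowed_hashes: set
    allowed_domains: set
    file_access: bool = False

def evaluate(policy: RingfencePolicy, kind: str, target) -> str:
    """Decide one attempted action: kind is "load" (module bytes), "connect"
    (hostname) or "file" (path). Only explicitly permitted actions are allowed."""
    if kind == "load":
        return "ALLOW" if sha256(target) in policy.allowed_hashes else "BLOCK"
    if kind == "connect":
        return "ALLOW" if target.lower() in policy.allowed_domains else "BLOCK"
    if kind == "file":
        return "ALLOW" if policy.file_access else "BLOCK"
    return "BLOCK"  # unknown action kinds are denied as well

# Constructed module contents standing in for 3CX components (placeholders).
GOOD_DLL = b"component.dll (constructed sample bytes)"
TAMPERED_DLL = GOOD_DLL + b"\x90\x90 appended bytes"   # same file name, altered content
DROPPED_DLL = b"second-stage dll fetched at runtime (constructed)"

POLICY_3CX = RingfencePolicy(
    allowed_hashes={sha256(GOOD_DLL)},
    allowed_domains={"updates.example-3cx.invalid"},   # placeholder domain
)

EVENTS = [  # constructed sequence mirroring the incident described above
    ("load", GOOD_DLL),
    ("load", TAMPERED_DLL),
    ("load", DROPPED_DLL),
    ("connect", "updates.example-3cx.invalid"),
    ("connect", "c2.attacker.invalid"),
    ("file", r"C:\Users\alice\Documents\notes.txt"),
]

def decisions(policy: RingfencePolicy = POLICY_3CX, events=EVENTS) -> list:
    return [evaluate(policy, kind, target) for kind, target in events]
```

Only the approved module and the listed update domain pass; the tampered copy of the same DLL, the dropped second-stage DLL, the unlisted host and the user-file access are all denied because nothing grants them.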

ThreatLocker Key Uses

Proactive Approach to Cybersecurity

Unlike antivirus or traditional EDR, the ThreatLocker Allowlisting solution puts you in control of what software, scripts, executables, and libraries can run on your endpoints and servers. This approach not only stops malicious software in its tracks but also stops other unpermitted applications from running, greatly reducing the chance of malware or rogue applications running on your network.

Preventing the Weaponization of Legitimate Tools

Normally, applications have access to all the same data as the end user. If an application is absolutely necessary, ThreatLocker Ringfencing can implement Zero Trust controls comparable to, but more granular than, traditional application containment tools. ThreatLocker Ringfencing controls what applications are able to do once they are running. By limiting how software can interact on your devices, ThreatLocker can reduce the likelihood of an exploit being successful or an attacker weaponizing legitimate tools such as PowerShell. These controls can prevent applications from interacting with another application, your files, data, or the internet.

Limiting Application Hopping for Administrators

Elevation Control puts IT administrators in the driver’s seat, enabling them to control specific applications that can run as a local admin without giving users local admin rights. With applications such as QuickBooks that need to run with local admin access, elevation control can limit that access without impacting operational workflow, which can prevent the further spread of an attack, like application hopping, in case there is a breach in the endpoint.

Control Over Storage Devices and Data Access

ThreatLocker Storage Control provides policy-driven control over storage devices, whether the storage device is a local folder, a network share, or external storage such as a USB drive. Storage Control allows you to set granular policies, such as blocking USB drives or blocking access to your backup share except when your backup application is accessed.

ThreatLocker® Benefits

Increased Security

Increase endpoint security coverage and reduce the risk of potential security breaches.

24/7 Cyber Hero® Support

Resolve any questions or issues with the ThreatLocker Cyber Heroes, who are available within 30 seconds via the admin portal chat or by telephone 24/7/365.

Save Time & Money

Reduce time dedicated to endpoint security by 25% and reevaluate annual spending on multiple licensing for antivirus and EDR solutions.

Seamless Onboarding & Deployment

ThreatLocker Learning Mode and Unified Audit simplify setting up your Zero Trust environment during initial onboarding and deployment.