
Use case: 3CX breach

3CX was the victim of a supply chain attack in which the company's VoIP software was compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed.

Data breach and 3CX DesktopApp

The hacker group UNC4736, which has ties to North Korea, breached the financial software firm Trading Technologies. The hackers embedded a backdoor into X_Trader, an application available on Trading Technologies' website. The malicious version of X_Trader was downloaded and installed on the computer of a 3CX employee. The hackers were then able to spread through 3CX's network and reach the company server used for software development. They corrupted the 3CX installer application available for download from the 3CX website. In addition, the corrupted 3CX installer was pushed out by a legitimate software update. When the malicious 3CX installer was run, additional malware called ICONICSTEALER, which took the form of several DLLs, was downloaded and installed.

How ThreatLocker® mitigated this exploit

ThreatLocker Allowlisting only permits explicitly approved applications and DLLs to run. By default, ThreatLocker blocked the malicious DLLs that were downloaded because they were not included in the allowlist for 3CX. In addition to Allowlisting, ThreatLocker was able to use Ringfencing to restrict the 3CX application so that it had no more access than it required. The ThreatLocker Ringfencing solution stopped access to read or write files and blocked access to the internet, except for the domain(s) located in the 3CX web console. With Ringfencing in place, the 3CX application is prevented from reaching out and downloading the ICONICSTEALER malware.

Figure: Illustration of ThreatLocker containing 3CX DesktopApp
