Using Trend Micro Products for Investigation
The following highlights several post-exploitation detection and remediation technologies that customers can use to investigate and help with potential remediation in their environment.
Trend Vision One™
Trend Vision One customers benefit from the XDR detection capabilities of the underlying products, such as Trend Micro Apex One. The following outlines some of the components of Trend Vision One that can be used for investigation.
Curated Intelligence Reports
An updated Curated Intelligence Report in Trend Vision One for this campaign has been added that will automatically conduct some endpoint activity sweeping for XDR customers that have this enabled.
Mitigations, Trend Micro Protection, and Detection Against Exploitation
First and foremost, it is always highly recommended that users apply the vendor's patches when they become available and it is feasible to do so. As of now, 3CX offers two recommendations for updating the software:
1. Users can migrate to the PWA (web-based) version of the application.
2. An updated version of the Windows Electron app has been released by 3CX: 18.12.422 (macOS version is still TBD).
In addition, it is advised that customers delete any and all versions of affected installers that they may have in file repositories or other storage.
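The advisory asks customers to remove affected installers from file repositories and other storage. The following is an added example (not Trend Micro's or 3CX's own code) of a repository sweep that flags installer packages whose version predates 18.12.422, the updated Windows Electron build named above, so they can be reviewed and removed. The installer file-name pattern and the sample version numbers in the throwaway repository are assumptions constructed for the example.

```python
"""Added example, not Trend Micro's or 3CX's own code: sweep a file repository
for 3CX DesktopApp installer packages and flag any whose version predates
18.12.422 (the updated Windows Electron build named in the advisory) so they
can be reviewed and removed. The installer file-name pattern is an assumption."""
import os
import re
import tempfile
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Updated Windows Electron app version given in the advisory.
PATCHED_VERSION: Version = (18, 12, 422)

# Assumed naming convention for installer packages:
# 3CXDesktopApp-<major>.<minor>.<build>.msi or .exe (case-insensitive).
INSTALLER_RE = re.compile(
    r"^3CXDesktopApp-(\d+)\.(\d+)\.(\d+)\.(?:msi|exe)$", re.IGNORECASE
)


def parse_installer_version(filename: str) -> Optional[Version]:
    """Return (major, minor, build) for an installer file name, else None."""
    m = INSTALLER_RE.match(filename)
    if not m:
        return None
    major, minor, build = (int(p) for p in m.groups())
    return (major, minor, build)


def predates_patch(version: Version) -> bool:
    """True when the version is older than the updated release."""
    return version < PATCHED_VERSION


def sweep_repository(root: str) -> List[Tuple[str, Version]]:
    """Walk `root` and return (path, version) for every pre-patch installer found."""
    flagged: List[Tuple[str, Version]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_installer_version(name)
            if version is not None and predates_patch(version):
                flagged.append((os.path.join(dirpath, name), version))
    return sorted(flagged)


def build_sample_repository() -> str:
    """Create a throwaway directory with constructed file names (the pre-patch
    versions are made up for illustration, not taken from the advisory)."""
    root = tempfile.mkdtemp(prefix="installer_repo_")
    sample_files = [
        "3CXDesktopApp-18.12.400.msi",          # constructed: older than the patch
        "archive/3CXDesktopApp-18.12.410.exe",  # constructed: older than the patch
        "3CXDesktopApp-18.12.422.msi",          # the updated build from the advisory
        "notes/README.txt",                     # unrelated file, ignored
    ]
    for rel in sample_files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    repo = build_sample_repository()
    for path, version in sweep_repository(repo):
        print("review/remove:", path, ".".join(map(str, version)))
```

The sweep reports rather than deletes, so that each flagged package can be checked against the hash-based IOCs in the referenced blog before it is removed; a version check alone cannot tell a clean build from a trojanized one.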
In addition to the formal app update, Trend Micro does have some supplementary detection/protection patterns that may help provide additional protection against further potential exploits.
Preventative Rules, Filters & Detection
Trend Micro Web Reputation Services (WRS) Protection
As outlined in our blog, several domains were identified as malicious Command & Control (C&C) servers that impacted systems were observed attempting to communicate with. Trend Micro has blocked all of the known domains, and all Trend Micro products that contain Web Reputation protection block communications to these domains.
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring) for Endpoint, Servers (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.), Mail & Gateway (e.g. Cloud App Security, ScanMail for Exchange, IMSVA)
- Starting with Trend Micro Smart Scan Pattern (cloud-based) TBL 21474.300.40 / (agent) 18.353.00, known exploits associated with this vulnerability are being detected as:
- Trojan.Win64.DEEFFACE.A
- Trojan.Win64.DEEFFACE.SMA
- Trojan.Win32.DEEFFACE.ICO
- Trojan.Win64.DEEFFACE.SMD3D
- Trojan.MacOS.FAKE3L3CTRON.A
- HO64_FAKE3L3CTRON.MSMCV23
- TrojanSpy.Win64.ICONICSTEALER.THCCABC (stealer payload)
Additional Information
While 3CX has communicated that it believes this was part of a sophisticated targeted attack with specific targets, and that the vast majority of systems with evidence of malicious code were not actually infected, we believe it is best to err on the side of caution as the situation appears to be fluid.
Cybersecurity experts, including Trend Micro Research, are continuing to monitor, investigate, and apply learnings to additional recommendations for customers who believe they may have been impacted.
- In addition to replacing the affected installer and removing known malicious components from networks, customers are also strongly advised to review any suspicious or irregular activity and communication, both internal and outbound from the network.
- If you have any reason to believe that you may have been adversely impacted, consider updating critical credentials, including but not limited to applying 2FA where applicable and changing key passwords.
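The WRS section above notes that known C&C domains are blocked, and the recommendation above asks customers to review outbound communication. The following is an added example (not Trend Micro's own code) of that review: it scans proxy log lines for any contact with a blocklisted domain or its subdomains and groups the hits by source host. The log format and the domains are constructed placeholders; the real blocked domains are in the Trend Micro blog listed under References.

```python
"""Added example, not Trend Micro's own code: review outbound web-proxy logs for
contacts with known C&C domains. The log format and the domains are constructed
placeholders; the real blocked domains are listed in the Trend Micro blog cited
in the References."""
from collections import defaultdict
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit

# Placeholder blocklist (assumption): substitute the domains from the blog/IOC list.
BLOCKED_DOMAINS = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed proxy log lines: <timestamp> <source-ip> <method> <url> <action>
SAMPLE_LOG = """\
2023-03-30T10:01:02Z 10.0.5.21 GET https://updates.vendor.example/manifest.json ALLOW
2023-03-30T10:01:09Z 10.0.5.21 POST https://c2-placeholder-1.example/api/beacon ALLOW
2023-03-30T10:02:15Z 10.0.7.44 GET https://cdn.c2-placeholder-2.example/icons/ BLOCK
2023-03-30T10:03:00Z 10.0.9.10 GET https://intranet.corp.example/ ALLOW
malformed line that should be skipped
"""


class Contact(NamedTuple):
    timestamp: str
    host: str
    action: str


def matches_blocklist(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """True if host is a blocked domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def find_c2_contacts(log_text: str, blocked=BLOCKED_DOMAINS) -> Dict[str, List[Contact]]:
    """Group every contact with a blocked domain by source IP.

    A BLOCK action means the proxy (e.g. WRS) stopped the connection, but the
    source host still attempted it and should be investigated just the same."""
    hits: Dict[str, List[Contact]] = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the expected five-field format
        ts, src, _method, url, action = parts
        host = urlsplit(url).hostname or ""
        if matches_blocklist(host, blocked):
            hits[src].append(Contact(ts, host, action))
    return dict(hits)


if __name__ == "__main__":
    for src, contacts in find_c2_contacts(SAMPLE_LOG).items():
        for c in contacts:
            print(f"investigate {src}: {c.timestamp} {c.host} ({c.action})")
```

Both allowed and blocked hits are reported on purpose: a blocked request shows the host tried to reach the C&C infrastructure, which is the indicator the recommendation above asks customers to look for, regardless of whether the connection succeeded.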
Trend Micro will continue to provide updates and additional recommendations and guidance as more information becomes available.
References
- Trend Micro Blog - Developing Story: Information on Attacks Involving 3CX Desktop App (Includes IOCs and blocked domains)
- 3CX DesktopApp Security Alert