At the end of March 2023, a supply chain attack on VoIP manufacturer 3CX became known. Their software is used by approximately 600,000 companies and 12 million users, including Mercedes-Benz, McDonald's, Coca-Cola, IKEA, and BMW.
3CX's Windows and macOS desktop app (also known as Electron) was allegedly shipped with a signed but tampered library by the North Korean-controlled hacker group Lazarus. The software subsequently contacts command and control servers and downloads further malware.
In addition to the published affected version numbers, signatures, and file names of the affected libraries, the target URLs of the command and control servers are also known. These include, for example, https://akamaitechcloudservices[.]com/v2/storage and https://msedgeupdate[.]net/Windows.
Thus, it is possible to check which clients in the network are affected based on the activities in the network. The Profitap IOTA offers a simple way to evaluate this.
Analysis via the DNS Overview Dashboard
Using the DNS Dashboard, the security analyst can quickly identify which clients have queried a DNS resolution on the affected DNS records and also identify and download the TCP flow to the command and control server based on this for further analysis.
Therefore, after logging in to the IOTA web GUI, we first switch to the DNS Overview Dashboard.
Figure 1: Switch to the DNS Overview Dashboard.
In Figure 2, we filter on the FQDN akamaitechcloudservices[.]com using the "Search DNS" function. We can see that a client has queried the DNS server 192.168.178.1 for this FQDN.
Figure 2: Filtering via the "Search DNS" function of the DNS Overview Dashboard on the FQDN akamaitechcloudservices.com.
Subsequently, we scroll down this dashboard and unfold the associated flows. We can recognize the infected client in the "Client IP" column with the value 192.168.178.22. This client contacted the command and control server named in the search field. To perform further analysis, it is also possible to download the associated TCP flow in the left download column.
Figure 3: Illustration of the associated flows. In this case, a TCP flow to the example host 192.0.2.1.
Different search queries can be used to evaluate further target FQDNs, and, if necessary, the time range selection can be adjusted.
The added value of IOTA
The DNS Overview Dashboard offers a good overview and quick filtering of the DNS queries made. In addition, it provides a listing of the associated flows, including a timestamp, and the possibility of a download for closer analysis.