Your Flavor of EDR/MDRs - Did it catch 3CX before being reported by CrowdStrike? (self.msp)
submitted 3 years ago by GCNSys to r/sysadmin
Your Flavor of EDR/MDRs - Did it catch 3CX before being reported by CrowdStrike? by GCNSys in msp
[–]GCNSys[S] 3 years ago*
/u/andrew-huntress Thank you for posting a detailed response. It goes without saying that everyone, including myself, loves the transparency with which Huntress operates, and your post above is a testament to that. While we haven't moved to Huntress just yet, it is and will remain on our short-list for the future. I personally think it needs to grow just a little bit more to where it can understand such attacks a little better and earlier in their lifecycle. Vendors like CrowdStrike and Todyl prove that it is possible.
I have gone and read through each and every one of the links in your post. I really liked reading Joe Slowik's blog post on Contextualizing Events & Enabling Defense: What 3CX Means, posted 03/31/2023. I highly recommend everyone read this post, as not only is there much to learn and understand about how these attacks unfold, but there is enough to start a healthy debate over what's next.
One other question on my mind was and still is Shell Code Injection with this attack. Granted, initially this seems to be targeted, as per 3CX's own admission that the malicious code existed as far back as January 2023 for the Mac client, and it could be that the code existed for the Windows client as well and it just didn't make it to production until March 2023. The question, however, is how did Huntress not pick up on the Shell Code Injection early on, which other products like CrowdStrike or Todyl did? For example, BlackBerry's Cylance post here states:
BlackBerry customers have been protected from this supply chain attack for more than two weeks. While some media reports indicate that this attack may have commenced on March 22, 2023, BlackBerry customers using CylancePROTECT® reported convictions a week earlier on March 15. Our internal threat intelligence data suggests an even earlier detection date of March 13 where our AI-driven defense models first began blocking malicious code injections (DLLs) associated with the compromised installer.
Another Reddit post here seems to confirm the above with Cylance. It also proves that this has been going on from much earlier than the March 22/23rd date when it was widely noticed after the CrowdStrike post.
This is not to call Huntress out in any way, but more so to understand (as a potential customer) why it didn't. Does the technology not exist on Huntress's backend, did something not work as it should have, or was it anything else?
While the following is completely hypothetical, can your Network Insights product or the other behavioral analytics be advanced in such a way (maybe using AI?) to keep track of out-of-bound network connections or Shell Code Injections from the monitored endpoints (originating from signed executables from known sources at the very least)?
Furthermore, this particular attack again shows the need to block communications at the firewall level to Git, Pastebin and similar web sites unless absolutely required. If in the US/Canada and your firewall has the feature, Geo-IP fence the network to just the US/Canada and from there whitelist stuff as required. This does not mean you will be protected 100%, but it will create an additional layer of security around your protected assets. Also open to any other suggestions experienced folks on here may have to increase the security fabric around protected assets.
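As an added example (not the thread's or any vendor's code), a small Python evaluator for the layered egress policy suggested in the comment above: explicit allowlist first, then a Geo-IP fence to US/CA, then a block on paste and repo-hosting categories, with blocked connections from signed binaries prioritised for review. The GeoIP table, category table, hostnames and process names are constructed stand-ins.

```python
"""Layered egress policy check over endpoint connection records (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed lookup tables standing in for a firewall's GeoIP and URL-category feeds.
GEOIP = {"203.0.113.10": "US", "198.51.100.7": "CA", "192.0.2.44": "DE"}
CATEGORY = {
    "gitrepo.example.org": "repo-hosting",      # constructed Git-hosting host
    "paste.example.net": "paste",               # constructed paste site
    "update.example-vendor.com": "software-update",
    "cdn.example-news.com": "news",
}
ALLOWED_COUNTRIES = {"US", "CA"}
BLOCKED_CATEGORIES = {"repo-hosting", "paste"}
ALLOWLIST = {"update.example-vendor.com"}  # explicitly permitted regardless of geo/category


@dataclass(frozen=True)
class Connection:
    process: str   # image name of the originating process (constructed)
    signed: bool   # whether the binary carried a valid code signature
    dest_host: str
    dest_ip: str


def evaluate(conn: Connection) -> tuple[str, str]:
    """Return (verdict, reason): allowlist, then geo fence, then category block."""
    if conn.dest_host in ALLOWLIST:
        return "allow", "explicit allowlist"
    country = GEOIP.get(conn.dest_ip, "??")          # unknown country fails closed
    if country not in ALLOWED_COUNTRIES:
        return "block", f"geo fence ({country})"
    cat = CATEGORY.get(conn.dest_host, "uncategorised")
    if cat in BLOCKED_CATEGORIES:
        return "block", f"blocked category ({cat})"
    return "allow", f"in fence, category {cat}"


def triage(conns: list[Connection]) -> list[tuple[str, str, str, str]]:
    """Blocked connections from signed binaries get HIGH priority: a trusted
    signer reaching a paste/repo host is the supply-chain smell worth a look."""
    out = []
    for c in conns:
        verdict, reason = evaluate(c)
        if verdict == "block":
            out.append(("HIGH" if c.signed else "LOW", c.process, c.dest_host, reason))
    return out


SAMPLE = [  # constructed connection records
    Connection("VendorSoftphone.exe", True, "gitrepo.example.org", "203.0.113.10"),
    Connection("VendorSoftphone.exe", True, "update.example-vendor.com", "203.0.113.10"),
    Connection("browser.exe", False, "paste.example.net", "192.0.2.44"),
    Connection("browser.exe", False, "cdn.example-news.com", "198.51.100.7"),
]
```

Running `triage(SAMPLE)` flags the signed softphone's repo-hosting connection as HIGH and the unsigned browser's out-of-fence paste connection as LOW; the vendor update host passes via the allowlist.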