Can anyone definitively confirm that they’ve personally seen it get picked up by anything other than S1?

In addition to this, anyone that has had it installed at a site and also run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or premium routers with DPI (Sonicwall, Firebox etc.): do you know if they picked up this traffic and stopped it? I would be hoping so. Definitely curious to know either way.

Matthew Mace

From: AusNOG <ausnog-boun...@lists.ausnog.net> On Behalf Of Nathan Brookfield
Sent: Thursday, March 30, 2023 2:51 PM
To: Christopher Hawker <ch...@thesysadmin.dev>; Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; <ausnog@lists.ausnog.net>
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

To be fair, they likely don’t know much yet and things are probably pretty hectic… Give them time, crisis management is probably only kicking in now.

From: AusNOG <ausnog-boun...@lists.ausnog.net> On Behalf Of Christopher Hawker
Sent: Thursday, March 30, 2023 3:31 PM
To: Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; <ausnog@lists.ausnog.net>
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

It appears their sales team have no info regarding this. Just rang our Senior AM at 3CX and they've advised that they have no information, and that they are referring anyone who calls to their technical teams via support tickets in the 3CX portal. Not a good look for them.
CH

From: AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Greg Lipschitz <glipsch...@summitinternet.com.au>
Sent: Thursday, March 30, 2023 3:09:45 PM
To: Rob Thomas <xro...@gmail.com>; <ausnog@lists.ausnog.net>
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

Here is a list of commands (or make a shell script) to stop it phoning home and getting more payload.

# Disable 3CX Unattended-Upgrades Service
systemctl stop unattended-upgrades

# Collect the version of 3CX Desktop Apps on the Server
cd /var/lib/3cxpbx/Instance1/Data/Http/electron
ls -la * > /root/3cx-desktop-versions.log

# Remove the files
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg

https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5

Sadly, 3CX haven't even acknowledged this yet. It would seem that their whole CI-CD pipeline has been compromised.

Greg.
Greg Lipschitz | Founder & CEO | Summit Internet
glipsch...@summitinternet.com.au
summitinternet.com.au
1300 049 749
Unit 2, 31-39 Norcal Road, Nunawading VIC 3131

From: AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Rob Thomas <xro...@gmail.com>
Sent: 30 March 2023 14:54
To: <ausnog@lists.ausnog.net>
Subject: [AusNOG] Critical 3CX Windows/Mac hack.

As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps. If you, or your clients, are running 3CX, make sure they ARE NOT using the app. If they are, their machines are probably already owned, and all their stored credentials and session cookies have been leaked.

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/

This is really bad. Sorry 8-(

--Rob
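The collect-and-remove steps from Greg's command list, reworked as an added example that is not part of the thread and not 3CX's or Summit Internet's code. Rather than deleting the desktop-app installers with rm -rf, it records the size and SHA-256 of each one and moves it into a root-only quarantine directory, so the artefacts survive for comparison against whatever indicators 3CX or the AV vendors publish and can be handed to incident response. The 3CX electron directory and the file patterns are the ones in Greg's post; the quarantine directory, the log file name and the --run flag are assumptions. The unattended-upgrades step is not covered here and is unchanged.

```shell
#!/bin/sh
# Added example (not from the thread). Quarantine the 3CX desktop-app
# installers served by a 3CX PBX instead of deleting them, logging
# timestamp, SHA-256, size and original path for each file first.
# ELECTRON_DIR follows Greg's post; QUARANTINE_DIR and LOG_FILE are assumed.

ELECTRON_DIR="${ELECTRON_DIR:-/var/lib/3cxpbx/Instance1/Data/Http/electron}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/root/3cx-quarantine}"
LOG_FILE="${LOG_FILE:-/root/3cx-desktop-installers.log}"

# Hash and move every installer under osx/ and windows/ of $1 into $2,
# appending one tab-separated line per file to $3. Prints the number of
# files moved; returns 1 if the source directory is missing or a move fails.
quarantine_3cx_installers() {
    dir="$1"; qdir="$2"; log="$3"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    mkdir -p "$qdir" || return 1
    # The quarantine holds suspected malicious installers: root-only access.
    chmod 700 "$qdir"
    moved=0
    for f in "$dir"/osx/*.dmg "$dir"/osx/*.zip \
             "$dir"/windows/*.msi "$dir"/windows/*.nupkg; do
        [ -f "$f" ] || continue   # an unmatched glob stays literal; skip it
        size=$(wc -c < "$f" | tr -d ' ')
        # GNU sha256sum, with a shasum fallback for BSD-style systems
        sum=$( { sha256sum "$f" 2>/dev/null || shasum -a 256 "$f"; } | cut -d' ' -f1)
        printf '%s\t%s\t%s\t%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sum" "$size" "$f" >> "$log"
        # Keep the platform subdirectory (osx/ or windows/) so provenance is obvious
        sub=$(basename "$(dirname "$f")")
        mkdir -p "$qdir/$sub" || return 1
        mv "$f" "$qdir/$sub/" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Print how many installer files are still exposed under the electron web root.
count_exposed_installers() {
    n=0
    for f in "$1"/osx/*.dmg "$1"/osx/*.zip "$1"/windows/*.msi "$1"/windows/*.nupkg; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone use on the PBX (assumed script name): sh quarantine-3cx.sh --run
if [ "${1:-}" = "--run" ]; then
    moved=$(quarantine_3cx_installers "$ELECTRON_DIR" "$QUARANTINE_DIR" "$LOG_FILE") || exit 1
    echo "quarantined $moved installer(s) into $QUARANTINE_DIR; hashes logged to $LOG_FILE"
    echo "installers still exposed: $(count_exposed_installers "$ELECTRON_DIR")"
fi
```

The log is tab-separated so it can be diffed or grepped directly against a published hash list; the count function gives a quick after-the-fact check that nothing matching the four patterns is still being served from the web root.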
_______________________________________________ AusNOG mailing list AusNOG@lists.ausnog.net https://lists.ausnog.net/mailman/listinfo/ausnog