I haven't seen it personally However others are reporting it as separate investigations they have seen the loader execute: https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign https://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/ - Reports ESET detected it - possibly using signature / hash from S1 https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558449 - Cortex xdr Paloalto https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558708 - CrowdStrike https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/ - References Sophos
I am pretty confident that if this isn't a malicious actor doing this then 3CX has performed the mother of all response tests on its customers over the past week and should have had a better reply than silence when they were asked about it. Regards Alexander Alexander Neilson Neilson Productions Limited alexan...@neilson.net.nz 021 329 681 022 456 2326 On Thu, 30 Mar 2023 at 17:57, Matthew Mace <matt...@htsol.com.au> wrote: > Can anyone definitively confirm that they’ve personally seen it get picked > up by anything else than S1? > > > > In addition to this anyone that has had it installed at a site and also > run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or > premium routers with DPI (Sonicwall, Firebox etc.), do you know if they > picked up this traffic and stopped it? I would be hoping so. > > > > Definitely curious to know either way. > > > > > > > > *Matthew Mace* > > > > > > *From:* AusNOG <ausnog-boun...@lists.ausnog.net> *On Behalf Of *Nathan > Brookfield > *Sent:* Thursday, March 30, 2023 2:51 PM > *To:* Christopher Hawker <ch...@thesysadmin.dev>; Greg Lipschitz < > glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; < > ausnog@lists.ausnog.net> <ausnog@lists.ausnog.net> > *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack. > > > > To be fair, they likely don’t know much yet and things are probably pretty > hectic…. Give them time, crisis management is probably only kicking in now. > > > > *From:* AusNOG <ausnog-boun...@lists.ausnog.net> *On Behalf Of *Christopher > Hawker > *Sent:* Thursday, March 30, 2023 3:31 PM > *To:* Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas < > xro...@gmail.com>; <ausnog@lists.ausnog.net> <ausnog@lists.ausnog.net> > *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack. > > > > It appears their sales team have no info regarding this. Just rang our > Senior AM at 3CX and they've advised that they have no information, and > that they are referring anyone who calls to their technical teams via > support tickets in the 3CX portal. > > > > Not a good look for them. > > > > CH > > > > Get Outlook for Android <https://aka.ms/AAb9ysg> > ------------------------------ > > *From:* AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Greg > Lipschitz <glipsch...@summitinternet.com.au> > *Sent:* Thursday, March 30, 2023 3:09:45 PM > *To:* Rob Thomas <xro...@gmail.com>; <ausnog@lists.ausnog.net> < > ausnog@lists.ausnog.net> > *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack. > > > > Here is a list of commands (or make a shell script) to stop it phoning > home and getting more payload. > > > > # Disable 3CX Unattended-Upgrades Service > > systemctl stop unattended-upgrades > > > > # Collect the version of 3CX Desktop Apps on the Server > > > > cd /var/lib/3cxpbx/Instance1/Data/Http/electron > > ls -la * > /root/3cx-desktop-versions.log > > > > # Remove the files > > > > rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg > > rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip > > rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi > > rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg > > > > > > > https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5 > > > > > > Sadly, 3CX haven't even acknowledged this yet. > > It would seem that their whole CI-CD pipeline has been compromised > > > > Greg. > > > > > > *Greg Lipschitz*** > > | > > *Founder & CEO* > > | > > *Summit Internet* > > *glipsch...@summitinternet.com.au* <glipsch...@summitinternet.com.au> > > *summitinternet.com.au* <http://summitinternet.com.au> > > *1300 049 749* <1300%20049%20749> > > *Unit 2, 31-39 Norcal Road, Nunawading VIC 3131* > <https://www.google.com/maps?cid=12522583051503623677&_ga=2.149009334.1057584350.1554770858-1081443428.1554770858> > > [image: Summit Internet] <http://summitinternet.com.au/> > > > ------------------------------ > > *From:* AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Rob Thomas < > xro...@gmail.com> > *Sent:* 30 March 2023 14:54 > *To:* <ausnog@lists.ausnog.net> <ausnog@lists.ausnog.net> > *Subject:* [AusNOG] Critical 3CX Windows/Mac hack. > > > > As no-one's mentioned it here yet, I just thought I'd bring up the > zero-day, in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps. > > > > If you, or you have clients, running 3CX, make sure they ARE NOT using the > app. If they are, their machines are probably already owned, and all their > stored credentials and session cookies have been leaked. > > > > > https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/ > <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fhackers-compromise-3cx-desktop-app-in-a-supply-chain-attack%2Famp%2F&data=05%7C01%7Cglipschitz%40summitinternet.com.au%7C5134fed0ee3f4dbc894808db30d2a12f%7C0838a12f226e43dfa6e4bb63d2643a7e%7C0%7C0%7C638157453430051909%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UvNTww7E05nvQnaDQ25Qc8XytZFC%2FhIseT3MHYckCNM%3D&reserved=0> > > > > This is really bad. Sorry 8-( > > > > --Rob > > > _______________________________________________ > AusNOG mailing list > AusNOG@lists.ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog >
_______________________________________________ AusNOG mailing list AusNOG@lists.ausnog.net https://lists.ausnog.net/mailman/listinfo/ausnog