>From a security perspective, the utterly terrifying part of most of these responses boils down to "Oh, must be a glitch in the AV, I'll *whitelist* it so it doesn;t get caught".
Jesus Wept. I'd be bashing heads if anyone in my company even suggested that without a much more thorough investigation! D On Thu, 30 Mar 2023 at 16:08, Alexander Neilson <alexan...@neilson.net.nz> wrote: > I haven't seen it personally > > However others are reporting it as separate investigations they have seen > the loader execute: > > https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign > > https://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/ > - Reports ESET detected it - possibly using signature / hash from S1 > > https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558449 > - Cortex xdr Paloalto > > https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558708 > - CrowdStrike > > https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/ > - References Sophos > > > I am pretty confident that if this isn't a malicious actor doing this then > 3CX has performed the mother of all response tests on its customers over > the past week and should have had a better reply than silence when they > were asked about it. > > Regards > Alexander > > Alexander Neilson > Neilson Productions Limited > > alexan...@neilson.net.nz > 021 329 681 > 022 456 2326 > > > On Thu, 30 Mar 2023 at 17:57, Matthew Mace <matt...@htsol.com.au> wrote: > >> Can anyone definitively confirm that they’ve personally seen it get >> picked up by anything else than S1? >> >> >> >> In addition to this anyone that has had it installed at a site and also >> run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or >> premium routers with DPI (Sonicwall, Firebox etc.), do you know if they >> picked up this traffic and stopped it? I would be hoping so. >> >> >> >> Definitely curious to know either way. >> >> >> >> >> >> >> >> *Matthew Mace* >> >> >> >> >> >> *From:* AusNOG <ausnog-boun...@lists.ausnog.net> *On Behalf Of *Nathan >> Brookfield >> *Sent:* Thursday, March 30, 2023 2:51 PM >> *To:* Christopher Hawker <ch...@thesysadmin.dev>; Greg Lipschitz < >> glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; < >> ausnog@lists.ausnog.net> <ausnog@lists.ausnog.net> >> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack. >> >> >> >> To be fair, they likely don’t know much yet and things are probably >> pretty hectic…. Give them time, crisis management is probably only kicking >> in now. >> >> >> >> *From:* AusNOG <ausnog-boun...@lists.ausnog.net> *On Behalf Of *Christopher >> Hawker >> *Sent:* Thursday, March 30, 2023 3:31 PM >> *To:* Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas < >> xro...@gmail.com>; <ausnog@lists.ausnog.net> <ausnog@lists.ausnog.net> >> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack. >> >> >> >> It appears their sales team have no info regarding this. Just rang our >> Senior AM at 3CX and they've advised that they have no information, and >> that they are referring anyone who calls to their technical teams via >> support tickets in the 3CX portal. >> >> >> >> Not a good look for them. >> >> >> >> CH >> >> >> >> Get Outlook for Android <https://aka.ms/AAb9ysg> >> ------------------------------ >> >> *From:* AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Greg >> Lipschitz <glipsch...@summitinternet.com.au> >> *Sent:* Thursday, March 30, 2023 3:09:45 PM >> *To:* Rob Thomas <xro...@gmail.com>; <ausnog@lists.ausnog.net> < >> ausnog@lists.ausnog.net> >> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack. >> >> >> >> Here is a list of commands (or make a shell script) to stop it phoning >> home and getting more payload. >> >> >> >> # Disable 3CX Unattended-Upgrades Service >> >> systemctl stop unattended-upgrades >> >> >> >> # Collect the version of 3CX Desktop Apps on the Server >> >> >> >> cd /var/lib/3cxpbx/Instance1/Data/Http/electron >> >> ls -la * > /root/3cx-desktop-versions.log >> >> >> >> # Remove the files >> >> >> >> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg >> >> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip >> >> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi >> >> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg >> >> >> >> >> >> >> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5 >> >> >> >> >> >> Sadly, 3CX haven't even acknowledged this yet. >> >> It would seem that their whole CI-CD pipeline has been compromised >> >> >> >> Greg. >> >> >> >> >> >> *Greg Lipschitz*** >> >> | >> >> *Founder & CEO* >> >> | >> >> *Summit Internet* >> >> *glipsch...@summitinternet.com.au* <glipsch...@summitinternet.com.au> >> >> *summitinternet.com.au* <http://summitinternet.com.au> >> >> *1300 049 749* <1300%20049%20749> >> >> *Unit 2, 31-39 Norcal Road, Nunawading VIC 3131* >> <https://www.google.com/maps?cid=12522583051503623677&_ga=2.149009334.1057584350.1554770858-1081443428.1554770858> >> >> [image: Summit Internet] <http://summitinternet.com.au/> >> >> >> ------------------------------ >> >> *From:* AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Rob Thomas >> <xro...@gmail.com> >> *Sent:* 30 March 2023 14:54 >> *To:* <ausnog@lists.ausnog.net> <ausnog@lists.ausnog.net> >> *Subject:* [AusNOG] Critical 3CX Windows/Mac hack. >> >> >> >> As no-one's mentioned it here yet, I just thought I'd bring up the >> zero-day, in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps. >> >> >> >> If you, or you have clients, running 3CX, make sure they ARE NOT using >> the app. If they are, their machines are probably already owned, and all >> their stored credentials and session cookies have been leaked. >> >> >> >> >> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/ >> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fhackers-compromise-3cx-desktop-app-in-a-supply-chain-attack%2Famp%2F&data=05%7C01%7Cglipschitz%40summitinternet.com.au%7C5134fed0ee3f4dbc894808db30d2a12f%7C0838a12f226e43dfa6e4bb63d2643a7e%7C0%7C0%7C638157453430051909%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UvNTww7E05nvQnaDQ25Qc8XytZFC%2FhIseT3MHYckCNM%3D&reserved=0> >> >> >> >> This is really bad. Sorry 8-( >> >> >> >> --Rob >> >> >> _______________________________________________ >> AusNOG mailing list >> AusNOG@lists.ausnog.net >> https://lists.ausnog.net/mailman/listinfo/ausnog >> > _______________________________________________ > AusNOG mailing list > AusNOG@lists.ausnog.net > https://lists.ausnog.net/mailman/listinfo/ausnog > -- veg·e·tar·i·an: Ancient tribal slang for the village idiot who can't hunt, fish or ride
_______________________________________________ AusNOG mailing list AusNOG@lists.ausnog.net https://lists.ausnog.net/mailman/listinfo/ausnog