Yeah, some of those forum threads are IMPRESSIVELY trainwrecky. I think the most succinct evaluation I've seen is this one: "Seriously. Your EDR tells you that your phone client is behaving like a C2 talking to North Korea, and your response is to put it in the whitelist? Wow..."
On Thu, Mar 30, 2023 at 4:42 PM DaZZa <dazzagi...@gmail.com> wrote:
> From a security perspective, the utterly terrifying part of most of these
> responses boils down to "Oh, must be a glitch in the AV, I'll *whitelist*
> it so it doesn't get caught".
>
> Jesus Wept. I'd be bashing heads if anyone in my company even suggested
> that without a much more thorough investigation!
>
> D
>
> On Thu, 30 Mar 2023 at 16:08, Alexander Neilson <alexan...@neilson.net.nz> wrote:
>> I haven't seen it personally.
>>
>> However, others are reporting it as separate investigations in which they have seen
>> the loader execute:
>>
>> https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign
>>
>> https://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/
>> - Reports ESET detected it - possibly using signature / hash from S1
>>
>> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558449
>> - Cortex XDR (Palo Alto)
>>
>> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558708
>> - CrowdStrike
>>
>> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
>> - References Sophos
>>
>> I am pretty confident that if this isn't a malicious actor doing this,
>> then 3CX has performed the mother of all response tests on its customers
>> over the past week and should have had a better reply than silence when
>> they were asked about it.
>>
>> Regards
>> Alexander
>>
>> Alexander Neilson
>> Neilson Productions Limited
>>
>> alexan...@neilson.net.nz
>> 021 329 681
>> 022 456 2326
>>
>> On Thu, 30 Mar 2023 at 17:57, Matthew Mace <matt...@htsol.com.au> wrote:
>>> Can anyone definitively confirm that they've personally seen it get
>>> picked up by anything other than S1?
>>>
>>> In addition to this, anyone that has had it installed at a site and also
>>> runs a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or
>>> premium routers with DPI (Sonicwall, Firebox etc.): do you know if they
>>> picked up this traffic and stopped it? I would be hoping so.
>>>
>>> Definitely curious to know either way.
>>>
>>> Matthew Mace
>>>
>>> From: AusNOG <ausnog-boun...@lists.ausnog.net> On Behalf Of Nathan Brookfield
>>> Sent: Thursday, March 30, 2023 2:51 PM
>>> To: Christopher Hawker <ch...@thesysadmin.dev>; Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; <ausnog@lists.ausnog.net>
>>> Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>> To be fair, they likely don't know much yet and things are probably
>>> pretty hectic.... Give them time, crisis management is probably only kicking
>>> in now.
>>>
>>> From: AusNOG <ausnog-boun...@lists.ausnog.net> On Behalf Of Christopher Hawker
>>> Sent: Thursday, March 30, 2023 3:31 PM
>>> To: Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; <ausnog@lists.ausnog.net>
>>> Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>> It appears their sales team has no info regarding this. Just rang our
>>> Senior AM at 3CX and they've advised that they have no information, and
>>> that they are referring anyone who calls to their technical teams via
>>> support tickets in the 3CX portal.
>>>
>>> Not a good look for them.
>>>
>>> CH
>>>
>>> ------------------------------
>>>
>>> From: AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Greg Lipschitz <glipsch...@summitinternet.com.au>
>>> Sent: Thursday, March 30, 2023 3:09:45 PM
>>> To: Rob Thomas <xro...@gmail.com>; <ausnog@lists.ausnog.net>
>>> Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>> Here is a list of commands (or make a shell script) to stop it phoning
>>> home and getting more payload.
>>>
>>> # Disable 3CX Unattended-Upgrades Service
>>> # (stop only affects the running service; add 'systemctl disable
>>> # unattended-upgrades' if it must stay off across a reboot)
>>> systemctl stop unattended-upgrades
>>>
>>> # Collect the version of 3CX Desktop Apps on the Server
>>> # (records the installer names, sizes and timestamps before they are removed)
>>> cd /var/lib/3cxpbx/Instance1/Data/Http/electron
>>> ls -la * > /root/3cx-desktop-versions.log
>>>
>>> # Remove the files the PBX serves to desktop clients
>>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
>>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
>>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
>>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg
>>>
>>> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5
>>>
>>> Sadly, 3CX haven't even acknowledged this yet.
>>> It would seem that their whole CI/CD pipeline has been compromised.
>>>
>>> Greg.
>>>
>>> Greg Lipschitz | Founder & CEO | Summit Internet
>>> glipsch...@summitinternet.com.au
>>> summitinternet.com.au
>>> 1300 049 749
>>> Unit 2, 31-39 Norcal Road, Nunawading VIC 3131
>>>
>>> ------------------------------
>>>
>>> From: AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Rob Thomas <xro...@gmail.com>
>>> Sent: 30 March 2023 14:54
>>> To: <ausnog@lists.ausnog.net>
>>> Subject: [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>> As no-one's mentioned it here yet, I just thought I'd bring up the
>>> zero-day, in the wild, active RIGHT NOW, trojaned 3CX Windows and Mac apps.
>>>
>>> If you, or your clients, are running 3CX, make sure they ARE NOT using
>>> the app. If they are, their machines are probably already owned, and all
>>> their stored credentials and session cookies have been leaked.
>>>
>>> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/
>>>
>>> This is really bad.
>>> Sorry 8-(
>>>
>>> --Rob
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG@lists.ausnog.net
>>> https://lists.ausnog.net/mailman/listinfo/ausnog
>
> --
> veg·e·tar·i·an:
> Ancient tribal slang for the village idiot who can't hunt, fish or ride
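The commands Greg quoted above rm -rf the installers the PBX hands out to desktop clients, which stops further downloads but also destroys the evidence an incident responder will want. The script below is an added example, not from the thread and not 3CX's own tooling: it hashes each installer into an inventory log and moves it into a read-only quarantine directory instead of deleting it, so the files are still gone from the served path but can later be compared against whatever indicators the vendor or EDR teams publish. The source path is the one from Greg's post and is assumed, not verified; the demo files and their contents are constructed and are not real installers or known-bad samples. It does nothing about endpoints that already ran the trojaned app, which Rob's message covers.

```shell
#!/bin/sh
# Added example, not part of the AusNOG thread or of 3CX's own tooling.
# Instead of rm -rf'ing the desktop-app installers that the PBX serves to
# clients, record a SHA-256 inventory and move the files into a read-only
# quarantine directory, so the artefacts survive for incident response.
# Assumption (taken from Greg's post, not verified here): the installers live
# under /var/lib/3cxpbx/Instance1/Data/Http/electron/{osx,windows}.
set -eu

# quarantine_installers SRC_DIR QUARANTINE_DIR LOG_FILE
# Finds *.dmg, *.zip, *.msi and *.nupkg under SRC_DIR, appends
# "sha256 <TAB> bytes <TAB> original path" for each to LOG_FILE, then moves
# the file into QUARANTINE_DIR (keeping its relative path) and makes it
# read-only. Prints the number of files quarantined.
# Assumes file names contain no newline characters.
quarantine_installers() {
    src=$1; qdir=$2; log=$3; n=0
    mkdir -p "$qdir"
    list=$(mktemp)
    find "$src" -type f \( -name '*.dmg' -o -name '*.zip' \
                        -o -name '*.msi' -o -name '*.nupkg' \) > "$list"
    printf 'sha256\tbytes\tpath\n' >> "$log"
    while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        bytes=$(wc -c < "$f" | tr -d ' ')
        printf '%s\t%s\t%s\n' "$sum" "$bytes" "$f" >> "$log"
        rel=${f#"$src"/}                 # keep osx/ or windows/ layout
        dest="$qdir/$rel"
        mkdir -p "$(dirname "$dest")"
        mv -- "$f" "$dest"
        chmod 0400 "$dest"               # evidence: read-only from here on
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Self-contained demo on a constructed directory tree. The file names and
# contents are made up; they are not real 3CX installers or known-bad samples.
demo_quarantine() {
    DEMO_WORK=$(mktemp -d)
    demo_src="$DEMO_WORK/electron"
    mkdir -p "$demo_src/osx" "$demo_src/windows"
    printf 'constructed dmg'   > "$demo_src/osx/desktop-app.dmg"
    printf 'constructed zip'   > "$demo_src/osx/desktop-app-update.zip"
    printf 'constructed msi'   > "$demo_src/windows/desktop-app.msi"
    printf 'constructed nupkg' > "$demo_src/windows/desktop-app-full.nupkg"
    printf 'not an installer'  > "$demo_src/windows/RELEASES"   # must stay
    DEMO_COUNT=$(quarantine_installers "$demo_src" "$DEMO_WORK/quarantine" \
                                       "$DEMO_WORK/3cx-desktop-installers.log")
    echo "quarantined $DEMO_COUNT file(s); inventory in $DEMO_WORK/3cx-desktop-installers.log"
}

# On a real PBX the call would be (paths assumed from the thread):
#   quarantine_installers /var/lib/3cxpbx/Instance1/Data/Http/electron \
#                         /root/3cx-quarantine /root/3cx-desktop-installers.log
if [ "${1:-}" = "--demo" ]; then
    demo_quarantine
fi
```

Run it with --demo to exercise the constructed tree; the inventory log is tab-separated so it can be joined directly against a hash list once one is published. Stopping unattended-upgrades, as in Greg's list, is still needed separately if you do not want a package update to put fresh installers back in the served directory.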