Re: [AusNOG] Critical 3CX Windows/Mac hack.
Their CEO has posted an update confirming it.

https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/
Re: [AusNOG] Critical 3CX Windows/Mac hack.
We have the paid whiz bang M365 version (you can tell I use Windows, right!?)

When we removed it and then reinstalled it, it grabbed it straight away.

Greg Lipschitz | Founder & CEO | Summit Internet
glipsch...@summitinternet.com.au | summitinternet.com.au | 1300 049 749
Unit 2, 31-39 Norcal Road, Nunawading VIC 3131
Re: [AusNOG] Critical 3CX Windows/Mac hack.
Interesting! How long ago did it start seeing it, and was it standard Defender or Endpoint Business?

Matthew Mace
Director
Honest Technology Solutions
P: 07 3188 7244
E: matt...@htsol.com.au
www.htsol.com.au
"Keeping IT Honest"
Re: [AusNOG] Critical 3CX Windows/Mac hack.
Yeah, some of those forum threads are IMPRESSIVELY trainwrecky. I think the most succinct evaluation I've seen is this one:

"Seriously. Your EDR tells you that your phone client is behaving like a C2 talking to North Korea, and your response is to put it in the whitelist? Wow..."
Re: [AusNOG] Critical 3CX Windows/Mac hack.
Windows Defender picked it up too.

Greg Lipschitz | Founder & CEO | Summit Internet
glipsch...@summitinternet.com.au | summitinternet.com.au
Re: [AusNOG] Critical 3CX Windows/Mac hack.
From a security perspective, the utterly terrifying part of most of these responses boils down to "Oh, must be a glitch in the AV, I'll *whitelist* it so it doesn't get caught".

Jesus Wept. I'd be bashing heads if anyone in my company even suggested that without a much more thorough investigation!

D
Re: [AusNOG] Critical 3CX Windows/Mac hack.
Confirmed now at least...

https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558899

___
AusNOG mailing list
AusNOG@lists.ausnog.net
https://lists.ausnog.net/mailman/listinfo/ausnog
Re: [AusNOG] Critical 3CX Windows/Mac hack.
I haven't seen it personally.

However, others are reporting it as separate investigations they have seen the loader execute:

https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign

https://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/
- Reports ESET detected it - possibly using signature / hash from S1

https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558449
- Cortex XDR (Palo Alto)

https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558708
- CrowdStrike

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
- References Sophos

I am pretty confident that if this isn't a malicious actor doing this then 3CX has performed the mother of all response tests on its customers over the past week and should have had a better reply than silence when they were asked about it.

Regards
Alexander

Alexander Neilson
Neilson Productions Limited
alexan...@neilson.net.nz
021 329 681
022 456 2326
Re: [AusNOG] Critical 3CX Windows/Mac hack.
Can anyone definitively confirm that they've personally seen it get picked up by anything other than S1?

In addition to this, anyone that has had it installed at a site and also runs a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or premium routers with DPI (Sonicwall, Firebox etc.), do you know if they picked up this traffic and stopped it? I would be hoping so. Definitely curious to know either way.

Matthew Mace

From: AusNOG On Behalf Of Nathan Brookfield
Sent: Thursday, March 30, 2023 2:51 PM
To: Christopher Hawker; Greg Lipschitz; Rob Thomas
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.
Re: [AusNOG] Critical 3CX Windows/Mac hack.
To be fair, they likely don't know much yet and things are probably pretty hectic... Give them time, crisis management is probably only kicking in now.

From: AusNOG On Behalf Of Christopher Hawker
Sent: Thursday, March 30, 2023 3:31 PM
To: Greg Lipschitz; Rob Thomas
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.
Re: [AusNOG] Critical 3CX Windows/Mac hack.
They've pulled the installers from their website and refer people to the web client... which is not much of a start...

On 2023-03-30 14:09 Greg Lipschitz wrote:
Re: [AusNOG] Critical 3CX Windows/Mac hack.
It appears their sales team have no info regarding this. Just rang our Senior AM at 3CX and they've advised that they have no information, and that they are referring anyone who calls to their technical teams via support tickets in the 3CX portal.

Not a good look for them.

CH

From: AusNOG on behalf of Greg Lipschitz
Sent: Thursday, March 30, 2023 3:09:45 PM
To: Rob Thomas
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.
Re: [AusNOG] Critical 3CX Windows/Mac hack.
Here is a list of commands (or make a shell script) to stop it phoning home and getting more payload.

# Disable 3CX Unattended-Upgrades Service
systemctl stop unattended-upgrades

# Collect the version of 3CX Desktop Apps on the Server
cd /var/lib/3cxpbx/Instance1/Data/Http/electron
ls -la * > /root/3cx-desktop-versions.log

# Remove the files
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg

https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5

Sadly, 3CX haven't even acknowledged this yet.
It would seem that their whole CI-CD pipeline has been compromised.

Greg.

Greg Lipschitz | Founder & CEO | Summit Internet

From: AusNOG on behalf of Rob Thomas
Sent: 30 March 2023 14:54
Subject: [AusNOG] Critical 3CX Windows/Mac hack.
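As an added example (not code from the thread, and not 3CX's own tooling), here is a POSIX shell version of the two steps Greg's commands cover: it records size and SHA-256 hash of every installer the PBX serves from its electron directory, which is a more useful record for incident response than an `ls -la` listing because the hashes can later be matched against vendor or CERT advisories, and it moves the installers out of the web-served tree rather than deleting them, so the exact builds remain available for analysis. The directory layout and the four installer types are taken from Greg's commands; `sha256sum` from coreutils is assumed to be available; the file names used in the demo are constructed and the demo runs only in a temp directory, never against the live PBX path.

```shell
#!/bin/sh
# Added example, not code from the thread or from 3CX: record and quarantine
# the desktop-app installers a 3CX PBX serves from its electron directory.
# Paths follow Greg's commands; the demo file names below are constructed.

# inventory_installers DIR MANIFEST
# Writes "size sha256 path" for every installer under DIR to MANIFEST and
# prints the number of files recorded. Hashes let the build later be
# compared with advisories; a plain directory listing does not.
inventory_installers() {
    dir="$1"
    manifest="$2"
    : > "$manifest"
    count=0
    for f in "$dir"/osx/*.dmg "$dir"/osx/*.zip \
             "$dir"/windows/*.msi "$dir"/windows/*.nupkg; do
        [ -f "$f" ] || continue            # skip unmatched glob patterns
        size=$(wc -c < "$f" | tr -d ' ')
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$size" "$sum" "$f" >> "$manifest"
        count=$((count + 1))
    done
    echo "$count"
}

# quarantine_installers DIR QDIR
# Moves the installers out of the web-served tree into QDIR so the PBX can
# no longer hand them to clients, while keeping copies for analysis.
# Prints the number of files moved.
quarantine_installers() {
    dir="$1"
    qdir="$2"
    mkdir -p "$qdir"
    moved=0
    for f in "$dir"/osx/*.dmg "$dir"/osx/*.zip \
             "$dir"/windows/*.msi "$dir"/windows/*.nupkg; do
        [ -f "$f" ] || continue
        mv "$f" "$qdir"/
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Demo against a constructed directory tree in a temp dir, never the live PBX.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/electron/osx" "$tmp/electron/windows"
    printf 'constructed dmg\n' > "$tmp/electron/osx/3CXDesktopApp-EXAMPLE.dmg"
    printf 'constructed msi\n' > "$tmp/electron/windows/3CXDesktopApp-EXAMPLE.msi"
    n=$(inventory_installers "$tmp/electron" "$tmp/installers.sha256")
    m=$(quarantine_installers "$tmp/electron" "$tmp/quarantine")
    echo "recorded $n installer(s), moved $m to $tmp/quarantine"
    cat "$tmp/installers.sha256"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the manifest format on the constructed tree; on a real PBX you would call `inventory_installers` and `quarantine_installers` with `/var/lib/3cxpbx/Instance1/Data/Http/electron` after stopping unattended-upgrades as Greg's first command does, so nothing re-downloads into the directory while you work.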
[AusNOG] Critical 3CX Windows/Mac hack.
As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.

If you, or you have clients, running 3CX, make sure they ARE NOT using the app. If they are, their machines are probably already owned, and all their stored credentials and session cookies have been leaked.

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/

This is really bad. Sorry 8-(

--Rob

___
AusNOG mailing list
AusNOG@lists.ausnog.net
https://lists.ausnog.net/mailman/listinfo/ausnog