Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-30 Thread Ross Fawcett
Their CEO has posted an update confirming it.
https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/

From: AusNOG On Behalf Of Greg Lipschitz
Sent: Thursday, March 30, 2023 2:04 PM
To: Matthew Mace; Nathan Brookfield; Christopher Hawker; Rob Thomas; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

We have the paid whiz bang M365 version (you can tell I use Windows, right!?)
When we removed it and then reinstalled it, it grabbed it straight away.

Greg Lipschitz | Founder & CEO | Summit Internet
glipsch...@summitinternet.com.au
summitinternet.com.au
1300 049 749
Unit 2, 31-39 Norcal Road, Nunawading VIC 3131


From: Matthew Mace <matt...@htsol.com.au>
Sent: 30 March 2023 16:58
To: Greg Lipschitz <glipsch...@summitinternet.com.au>; Nathan Brookfield <nathan.brookfi...@iperium.com.au>; Christopher Hawker <ch...@thesysadmin.dev>; Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net
Subject: RE: [AusNOG] Critical 3CX Windows/Mac hack.


Interesting!

How long ago did it start seeing it and was it standard Defender or Endpoint Business?

Matthew Mace
Director
Honest Technology Solutions
P: 07 3188 7244
E: matt...@htsol.com.au
www.htsol.com.au
"Keeping IT Honest"





From: Greg Lipschitz <glipsch...@summitinternet.com.au>
Sent: Thursday, March 30, 2023 3:48 PM
To: Matthew Mace <matt...@htsol.com.au>; Nathan Brookfield <nathan.brookfi...@iperium.com.au>; Christopher Hawker <ch...@thesysadmin.dev>; Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.



Windows Defender picked it up too.

Greg Lipschitz | Founder & CEO | Summit Internet





From: Matthew Mace <matt...@htsol.com.au>
Sent: 30 March 2023 15:57
To: Nathan Brookfield <nathan.brookfi...@iperium.com.au>; Christopher Hawker <ch...@thesysadmin.dev>; Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net

Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-30 Thread Greg Lipschitz
We have the paid whiz bang M365 version (you can tell I use Windows, right!?)
When we removed it and then reinstalled it, it grabbed it straight away.

Greg Lipschitz | Founder & CEO | Summit Internet
glipsch...@summitinternet.com.au
summitinternet.com.au
1300 049 749
Unit 2, 31-39 Norcal Road, Nunawading VIC 3131
Summit Internet

From: Matthew Mace
Sent: 30 March 2023 16:58
To: Greg Lipschitz; Nathan Brookfield; Christopher Hawker; Rob Thomas; ausnog@lists.ausnog.net
Subject: RE: [AusNOG] Critical 3CX Windows/Mac hack.


Interesting!

How long ago did it start seeing it and was it standard Defender or Endpoint Business?

Matthew Mace





From: Greg Lipschitz
Sent: Thursday, March 30, 2023 3:48 PM
To: Matthew Mace; Nathan Brookfield; Christopher Hawker; Rob Thomas; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.



Windows Defender picked it up too.

Greg Lipschitz | Founder & CEO | Summit Internet





From: Matthew Mace
Sent: 30 March 2023 15:57
To: Nathan Brookfield; Christopher Hawker; Greg Lipschitz; Rob Thomas; ausnog@lists.ausnog.net
Subject: RE: [AusNOG] Critical 3CX Windows/Mac hack.




Can anyone definitively confirm that they've personally seen it get picked up by anything other than S1?

In addition to this, anyone that has had it installed at a site and also run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or premium routers with DPI (Sonicwall, Firebox etc.), do you know if they picked up this traffic and stopped it? I would be hoping so.

Definitely curious to know either way.







Matthew Mace





From: AusNOG On Behalf Of Nathan Brookfield
Sent: Thursday, March 30, 2023 2:51 PM
To: Christopher Hawker; Greg Lipschitz; Rob Thomas; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.



To be fair, they likely don’t know much yet and things are probably pretty 
hectic…. Give them time, crisis management is probably only kicking in now.



From: AusNOG <ausnog-boun...@lists.ausnog.net> On Behalf Of Christopher Hawker
Sent: Thursday, March 30, 2023 3:31 PM
To: Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.



It appears their sales team have no info regarding this. Just rang our Senior 
AM at 3CX and they've advised that they have no information, and that they

Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread Matthew Mace
Interesting!

How long ago did it start seeing it and was it standard Defender or Endpoint Business?



Matthew Mace
Director
Honest Technology Solutions
P: 07 3188 7244
E: matt...@htsol.com.au

www.htsol.com.au
"Keeping IT Honest"


From: Greg Lipschitz
Sent: Thursday, March 30, 2023 3:48 PM
To: Matthew Mace; Nathan Brookfield; Christopher Hawker; Rob Thomas; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

Windows Defender picked it up too.

Greg Lipschitz | Founder & CEO | Summit Internet


From: Matthew Mace
Sent: 30 March 2023 15:57
To: Nathan Brookfield; Christopher Hawker; Greg Lipschitz; Rob Thomas; ausnog@lists.ausnog.net
Subject: RE: [AusNOG] Critical 3CX Windows/Mac hack.


Can anyone definitively confirm that they've personally seen it get picked up by anything other than S1?

In addition to this, anyone that has had it installed at a site and also run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or premium routers with DPI (Sonicwall, Firebox etc.), do you know if they picked up this traffic and stopped it? I would be hoping so.

Definitely curious to know either way.







Matthew Mace





From: AusNOG On Behalf Of Nathan Brookfield
Sent: Thursday, March 30, 2023 2:51 PM
To: Christopher Hawker; Greg Lipschitz; Rob Thomas; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.



To be fair, they likely don’t know much yet and things are probably pretty 
hectic…. Give them time, crisis management is probably only kicking in now.



From: AusNOG <ausnog-boun...@lists.ausnog.net> On Behalf Of Christopher Hawker
Sent: Thursday, March 30, 2023 3:31 PM
To: Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.



It appears their sales team have no info regarding this. Just rang our Senior 
AM at 3CX and they've advised that they have no information, and that they are 
referring anyone who calls to their technical teams via support tickets in the 
3CX portal.



Not a good look for them.



CH






From: AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Greg Lipschitz <glipsch...@summitinternet.com.au>
Sent: Thursday, March 30, 2023 3:09:45 PM
To: Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.



Here is a list of commands (or make a shell script) to stop it phoning home and getting more payload.

# Disable 3CX Unattended-Upgrades Service
systemctl stop unattended-upgrades

# Collect the version of 3CX Desktop Apps on the Server
cd /var/lib/3cxpbx/Instance1/Data/Http/electron
ls -la * > /root/3cx-desktop-versions.log

# Remove the files
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg

https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5
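
An added example, not from the thread or from 3CX: a POSIX shell version of the containment steps quoted above that records size and SHA-256 of each served installer and moves it into a quarantine directory instead of deleting it, so the files stay available for comparison against vendor or incident-response hashes. The default root path is the one quoted in the thread; the quarantine directory, log path, helper names and the availability of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own commands): inventory and quarantine the
# desktop-app installers a 3CX PBX serves to its clients.
# Assumptions: POSIX sh and sha256sum are available; the default root below is
# the path quoted in the thread. Run as root on the PBX; nothing runs until a
# function is called, so the file can be sourced and tested on a scratch tree.

# Default location of the served installers, as quoted in the thread.
ELECTRON_ROOT_DEFAULT=/var/lib/3cxpbx/Instance1/Data/Http/electron

# Mirror of the thread's first step, plus 'disable' so the unit stays down after
# a reboot. Skipped when systemctl is absent or we are not root.
stop_unattended_upgrades() {
    if command -v systemctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        systemctl stop unattended-upgrades
        systemctl disable unattended-upgrades
    fi
}

# Log SHA-256, relative path and size of one file, then move it into the
# quarantine tree under the same relative path (evidence kept, not served).
quarantine_one() {
    file=$1; root=$2; qdir=$3; log=$4
    rel=${file#"$root"/}
    sum=$(sha256sum "$file" | cut -d' ' -f1)
    size=$(wc -c <"$file" | tr -d ' ')
    printf '%s  %s  %s bytes\n' "$sum" "$rel" "$size" >>"$log"
    mkdir -p "$qdir/$(dirname "$rel")"
    mv "$file" "$qdir/$rel"
}

# Quarantine every artefact the thread's rm commands targeted.
# Arguments: root dir (defaults to ELECTRON_ROOT_DEFAULT), quarantine dir,
# log path. Prints the number of files moved; returns 1 if root is missing.
quarantine_3cx_installers() {
    root=${1:-$ELECTRON_ROOT_DEFAULT}; qdir=$2; log=$3
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    mkdir -p "$qdir"
    : >"$log"
    # Keep the directory listing the thread captured, in the same log.
    ls -la "$root"/* >>"$log" 2>/dev/null || true
    moved=0
    # Patterns are quoted here so they only expand relative to $root below.
    for pattern in 'osx/*.dmg' 'osx/*.zip' 'windows/*.msi' 'windows/*.nupkg'; do
        for f in "$root"/$pattern; do
            [ -f "$f" ] || continue   # unmatched glob stays literal; skip it
            quarantine_one "$f" "$root" "$qdir" "$log"
            moved=$((moved + 1))
        done
    done
    echo "$moved"
}
```

Review the resulting log before anything is restored; a hash that matches a vendor-published clean build can be put back, anything else stays quarantined for the investigation.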

Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread Jrandombob
Yeah, some of those forum threads are IMPRESSIVELY trainwrecky, I think the
most succinct evaluation I've seen is this one;
"Seriously. Your EDR tells you that your phone client is behaving like a C2
talking to North Korea, and your response is to put it in the whitelist?
Wow..."

On Thu, Mar 30, 2023 at 4:42 PM DaZZa  wrote:

> From a security perspective, the utterly terrifying part of most of these
> responses boils down to "Oh, must be a glitch in the AV, I'll *whitelist*
> it so it doesn't get caught".
>
> Jesus Wept. I'd be bashing heads if anyone in my company even suggested
> that without a much more thorough investigation!
>
> D
>
> On Thu, 30 Mar 2023 at 16:08, Alexander Neilson 
> wrote:
>
>> I haven't seen it personally
>>
>> However others are reporting it as separate investigations they have seen
>> the loader execute:
>>
>> https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign
>>
>> https://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/
>> - Reports ESET detected it - possibly using signature / hash from S1
>>
>> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558449
>> - Cortex XDR (Palo Alto)
>>
>> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558708
>> - CrowdStrike
>>
>> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
>> - References Sophos
>>
>>
>> I am pretty confident that if this isn't a malicious actor doing this
>> then 3CX has performed the mother of all response tests on its customers
>> over the past week and should have had a better reply than silence when
>> they were asked about it.
>>
>> Regards
>> Alexander
>>
>> Alexander Neilson
>> Neilson Productions Limited
>>
>> alexan...@neilson.net.nz
>> 021 329 681
>> 022 456 2326
>>
>>
>> On Thu, 30 Mar 2023 at 17:57, Matthew Mace  wrote:
>>
>>> Can anyone definitively confirm that they've personally seen it get
>>> picked up by anything other than S1?
>>>
>>> In addition to this, anyone that has had it installed at a site and also
>>> run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or
>>> premium routers with DPI (Sonicwall, Firebox etc.), do you know if they
>>> picked up this traffic and stopped it? I would be hoping so.
>>>
>>>
>>>
>>> Definitely curious to know either way.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *Matthew Mace*
>>>
>>>
>>>
>>>
>>>
>>> *From:* AusNOG  *On Behalf Of *Nathan
>>> Brookfield
>>> *Sent:* Thursday, March 30, 2023 2:51 PM
>>> *To:* Christopher Hawker ; Greg Lipschitz <
>>> glipsch...@summitinternet.com.au>; Rob Thomas ; <
>>> ausnog@lists.ausnog.net> 
>>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>>
>>>
>>> To be fair, they likely don’t know much yet and things are probably
>>> pretty hectic…. Give them time, crisis management is probably only kicking
>>> in now.
>>>
>>>
>>>
>>> *From:* AusNOG  *On Behalf Of *Christopher
>>> Hawker
>>> *Sent:* Thursday, March 30, 2023 3:31 PM
>>> *To:* Greg Lipschitz ; Rob Thomas <
>>> xro...@gmail.com>;  
>>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>>
>>>
>>> It appears their sales team have no info regarding this. Just rang our
>>> Senior AM at 3CX and they've advised that they have no information, and
>>> that they are referring anyone who calls to their technical teams via
>>> support tickets in the 3CX portal.
>>>
>>>
>>>
>>> Not a good look for them.
>>>
>>>
>>>
>>> CH
>>>
>>>
>>>
>>> --
>>>
>>> *From:* AusNOG  on behalf of Greg
>>> Lipschitz 
>>> *Sent:* Thursday, March 30, 2023 3:09:45 PM
>>> *To:* Rob Thomas ;  <
>>> ausnog@lists.ausnog.net>
>>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>>
>>>
>>> Here i

Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread Greg Lipschitz
Windows Defender picked it up too.

Greg Lipschitz | Founder & CEO | Summit Internet
glipsch...@summitinternet.com.au
summitinternet.com.au
1300 049 749
Unit 2, 31-39 Norcal Road, Nunawading VIC 3131
Summit Internet

From: Matthew Mace
Sent: 30 March 2023 15:57
To: Nathan Brookfield; Christopher Hawker; Greg Lipschitz; Rob Thomas; ausnog@lists.ausnog.net
Subject: RE: [AusNOG] Critical 3CX Windows/Mac hack.


Can anyone definitively confirm that they've personally seen it get picked up by anything other than S1?

In addition to this, anyone that has had it installed at a site and also run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or premium routers with DPI (Sonicwall, Firebox etc.), do you know if they picked up this traffic and stopped it? I would be hoping so.

Definitely curious to know either way.







Matthew Mace





From: AusNOG On Behalf Of Nathan Brookfield
Sent: Thursday, March 30, 2023 2:51 PM
To: Christopher Hawker; Greg Lipschitz; Rob Thomas; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.



To be fair, they likely don’t know much yet and things are probably pretty 
hectic…. Give them time, crisis management is probably only kicking in now.



From: AusNOG <ausnog-boun...@lists.ausnog.net> On Behalf Of Christopher Hawker
Sent: Thursday, March 30, 2023 3:31 PM
To: Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.



It appears their sales team have no info regarding this. Just rang our Senior 
AM at 3CX and they've advised that they have no information, and that they are 
referring anyone who calls to their technical teams via support tickets in the 
3CX portal.



Not a good look for them.



CH






From: AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Greg Lipschitz <glipsch...@summitinternet.com.au>
Sent: Thursday, March 30, 2023 3:09:45 PM
To: Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.



Here is a list of commands (or make a shell script) to stop it phoning home and getting more payload.

# Disable 3CX Unattended-Upgrades Service
systemctl stop unattended-upgrades

# Collect the version of 3CX Desktop Apps on the Server
cd /var/lib/3cxpbx/Instance1/Data/Http/electron
ls -la * > /root/3cx-desktop-versions.log

# Remove the files
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg

https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5

Sadly, 3CX haven't even acknowledged this yet.

It would seem that their whole CI-CD pipeline has been compromised.

Greg.






Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread DaZZa
From a security perspective, the utterly terrifying part of most of these
responses boils down to "Oh, must be a glitch in the AV, I'll *whitelist*
it so it doesn't get caught".

Jesus Wept. I'd be bashing heads if anyone in my company even suggested
that without a much more thorough investigation!

D

On Thu, 30 Mar 2023 at 16:08, Alexander Neilson 
wrote:

> I haven't seen it personally
>
> However others are reporting it as separate investigations they have seen
> the loader execute:
>
> https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign
>
> https://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/
> - Reports ESET detected it - possibly using signature / hash from S1
>
> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558449
> - Cortex XDR (Palo Alto)
>
> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558708
> - CrowdStrike
>
> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
> - References Sophos
>
>
> I am pretty confident that if this isn't a malicious actor doing this then
> 3CX has performed the mother of all response tests on its customers over
> the past week and should have had a better reply than silence when they
> were asked about it.
>
> Regards
> Alexander
>
> Alexander Neilson
> Neilson Productions Limited
>
> alexan...@neilson.net.nz
> 021 329 681
> 022 456 2326
>
>
> On Thu, 30 Mar 2023 at 17:57, Matthew Mace  wrote:
>
>> Can anyone definitively confirm that they've personally seen it get
>> picked up by anything other than S1?
>>
>> In addition to this, anyone that has had it installed at a site and also
>> run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or
>> premium routers with DPI (Sonicwall, Firebox etc.), do you know if they
>> picked up this traffic and stopped it? I would be hoping so.
>>
>>
>>
>> Definitely curious to know either way.
>>
>>
>>
>>
>>
>>
>>
>> *Matthew Mace*
>>
>>
>>
>>
>>
>> *From:* AusNOG  *On Behalf Of *Nathan
>> Brookfield
>> *Sent:* Thursday, March 30, 2023 2:51 PM
>> *To:* Christopher Hawker ; Greg Lipschitz <
>> glipsch...@summitinternet.com.au>; Rob Thomas ; <
>> ausnog@lists.ausnog.net> 
>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>
>>
>>
>> To be fair, they likely don’t know much yet and things are probably
>> pretty hectic…. Give them time, crisis management is probably only kicking
>> in now.
>>
>>
>>
>> *From:* AusNOG  *On Behalf Of *Christopher
>> Hawker
>> *Sent:* Thursday, March 30, 2023 3:31 PM
>> *To:* Greg Lipschitz ; Rob Thomas <
>> xro...@gmail.com>;  
>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>
>>
>>
>> It appears their sales team have no info regarding this. Just rang our
>> Senior AM at 3CX and they've advised that they have no information, and
>> that they are referring anyone who calls to their technical teams via
>> support tickets in the 3CX portal.
>>
>>
>>
>> Not a good look for them.
>>
>>
>>
>> CH
>>
>>
>>
>> --
>>
>> *From:* AusNOG  on behalf of Greg
>> Lipschitz 
>> *Sent:* Thursday, March 30, 2023 3:09:45 PM
>> *To:* Rob Thomas ;  <
>> ausnog@lists.ausnog.net>
>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>
>>
>>
>> Here is a list of commands (or make a shell script) to stop it phoning
>> home and getting more payload.
>>
>> # Disable 3CX Unattended-Upgrades Service
>> systemctl stop unattended-upgrades
>>
>> # Collect the version of 3CX Desktop Apps on the Server
>> cd /var/lib/3cxpbx/Instance1/Data/Http/electron
>> ls -la * > /root/3cx-desktop-versions.log
>>
>> # Remove the files
>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
>> rm -rf /var/lib/3cxpbx/Instance1/Da

Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread Tim Jago
Confirmed now at least... 
https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558899

___
AusNOG mailing list
AusNOG@lists.ausnog.net
https://lists.ausnog.net/mailman/listinfo/ausnog


Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread Alexander Neilson
I haven't seen it personally

However others are reporting it as separate investigations they have seen
the loader execute:
https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign
https://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/
- Reports ESET detected it - possibly using signature / hash from S1
https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558449
- Cortex XDR (Palo Alto)
https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558708
- CrowdStrike
https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
- References Sophos


I am pretty confident that if this isn't a malicious actor doing this then
3CX has performed the mother of all response tests on its customers over
the past week and should have had a better reply than silence when they
were asked about it.

Regards
Alexander

Alexander Neilson
Neilson Productions Limited

alexan...@neilson.net.nz
021 329 681
022 456 2326


On Thu, 30 Mar 2023 at 17:57, Matthew Mace  wrote:

> Can anyone definitively confirm that they've personally seen it get picked
> up by anything other than S1?
>
> In addition to this, anyone that has had it installed at a site and also
> run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or
> premium routers with DPI (Sonicwall, Firebox etc.), do you know if they
> picked up this traffic and stopped it? I would be hoping so.
>
>
>
> Definitely curious to know either way.
>
>
>
>
>
>
>
> *Matthew Mace*
>
>
>
>
>
> *From:* AusNOG  *On Behalf Of *Nathan
> Brookfield
> *Sent:* Thursday, March 30, 2023 2:51 PM
> *To:* Christopher Hawker ; Greg Lipschitz <
> glipsch...@summitinternet.com.au>; Rob Thomas ; <
> ausnog@lists.ausnog.net> 
> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>
>
>
> To be fair, they likely don’t know much yet and things are probably pretty
> hectic…. Give them time, crisis management is probably only kicking in now.
>
>
>
> *From:* AusNOG  *On Behalf Of *Christopher
> Hawker
> *Sent:* Thursday, March 30, 2023 3:31 PM
> *To:* Greg Lipschitz ; Rob Thomas <
> xro...@gmail.com>;  
> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>
>
>
> It appears their sales team have no info regarding this. Just rang our
> Senior AM at 3CX and they've advised that they have no information, and
> that they are referring anyone who calls to their technical teams via
> support tickets in the 3CX portal.
>
>
>
> Not a good look for them.
>
>
>
> CH
>
>
>
> ------
>
> *From:* AusNOG  on behalf of Greg
> Lipschitz 
> *Sent:* Thursday, March 30, 2023 3:09:45 PM
> *To:* Rob Thomas ;  <
> ausnog@lists.ausnog.net>
> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>
>
>
> Here is a list of commands (or make a shell script) to stop it phoning
> home and getting more payload.
>
> # Disable 3CX Unattended-Upgrades Service
> systemctl stop unattended-upgrades
>
> # Collect the version of 3CX Desktop Apps on the Server
> cd /var/lib/3cxpbx/Instance1/Data/Http/electron
> ls -la * > /root/3cx-desktop-versions.log
>
> # Remove the files
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg
>
> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5
>
>
>
>
>
> Sadly, 3CX haven't even acknowledged this yet.
>
> It would seem that their whole CI-CD pipeline has been compromised
>
>
>
> Greg.
>
>
>
>
>
> *Greg Lipschitz**​*
>
>  |
>
> *Founder & CEO*
>
>  |
>
> *Summit Internet*
>
> *glipsch...@summitinternet.com.au* 
>
> *summitinternet.com.au* <http://summitinternet.com.au>
>
> *1300 049 749* <1300%20049%20749>
>
> *Unit 2, 31-39 Norcal Road, Nunawading VIC 3131*
> <https://www.google.com/maps?cid=12522583051503623677&_ga=2.149009334.1057584350.1554770858-1081443428.1554770858>
>
> [image: Summit Internet] <http://summitinternet.com.au/>
>
>
> --
>
> *

Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread Matthew Mace
Can anyone definitively confirm that they've personally seen it get picked up 
by anything other than S1?

In addition to this, anyone who has had it installed at a site and also runs a 
premium DNS filtering service (Umbrella, DNS Filter etc.) and/or premium 
routers with DPI (Sonicwall, Firebox etc.): do you know if they picked up this 
traffic and stopped it? I would be hoping so.

Definitely curious to know either way.



Matthew Mace


From: AusNOG  On Behalf Of Nathan Brookfield
Sent: Thursday, March 30, 2023 2:51 PM
To: Christopher Hawker ; Greg Lipschitz 
; Rob Thomas ; 
 
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

To be fair, they likely don’t know much yet and things are probably pretty 
hectic…. Give them time, crisis management is probably only kicking in now.

From: AusNOG <ausnog-boun...@lists.ausnog.net> On Behalf Of Christopher Hawker
Sent: Thursday, March 30, 2023 3:31 PM
To: Greg Lipschitz <glipsch...@summitinternet.com.au>; Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

It appears their sales team have no info regarding this. Just rang our Senior 
AM at 3CX and they've advised that they have no information, and that they are 
referring anyone who calls to their technical teams via support tickets in the 
3CX portal.

Not a good look for them.

CH


From: AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Greg Lipschitz <glipsch...@summitinternet.com.au>
Sent: Thursday, March 30, 2023 3:09:45 PM
To: Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

Here is a list of commands (or make a shell script) to stop it phoning home and 
getting more payload.

# Disable 3CX Unattended-Upgrades Service
systemctl stop unattended-upgrades

# Collect the version of 3CX Desktop Apps on the Server

cd /var/lib/3cxpbx/Instance1/Data/Http/electron
ls -la * > /root/3cx-desktop-versions.log

# Remove the files

rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg


https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5


Sadly, 3CX haven't even acknowledged this yet.
It would seem that their whole CI-CD pipeline has been compromised

Greg.




From: AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Rob Thomas <xro...@gmail.com>
Sent: 30 March 2023 14:54
To: ausnog@lists.ausnog.net
Subject: [AusNOG] Critical 3CX Windows/Mac hack.

As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, in 
the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.

If you, or you have clients, running 3CX, make sure they ARE NOT using the app. 
If they are, their machines are probably already owned, and all their stored 
credentials and session cookies have been leaked.

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/

This is really bad. Sorry 8-(

--Rob

___
AusNOG mailing list
AusNOG@lists.ausnog.net
https://lists.ausnog.net/mailman/listinfo/ausnog


Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread Nathan Brookfield
To be fair, they likely don’t know much yet and things are probably pretty 
hectic…. Give them time, crisis management is probably only kicking in now.

From: AusNOG  On Behalf Of Christopher Hawker
Sent: Thursday, March 30, 2023 3:31 PM
To: Greg Lipschitz ; Rob Thomas 
;  
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

It appears their sales team have no info regarding this. Just rang our Senior 
AM at 3CX and they've advised that they have no information, and that they are 
referring anyone who calls to their technical teams via support tickets in the 
3CX portal.

Not a good look for them.

CH


From: AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Greg Lipschitz <glipsch...@summitinternet.com.au>
Sent: Thursday, March 30, 2023 3:09:45 PM
To: Rob Thomas <xro...@gmail.com>; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

Here is a list of commands (or make a shell script) to stop it phoning home and 
getting more payload.

# Disable 3CX Unattended-Upgrades Service
systemctl stop unattended-upgrades

# Collect the version of 3CX Desktop Apps on the Server

cd /var/lib/3cxpbx/Instance1/Data/Http/electron
ls -la * > /root/3cx-desktop-versions.log

# Remove the files

rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg


https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5


Sadly, 3CX haven't even acknowledged this yet.
It would seem that their whole CI-CD pipeline has been compromised

Greg.




From: AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Rob Thomas <xro...@gmail.com>
Sent: 30 March 2023 14:54
To: ausnog@lists.ausnog.net
Subject: [AusNOG] Critical 3CX Windows/Mac hack.

As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, in 
the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.

If you, or you have clients, running 3CX, make sure they ARE NOT using the app. 
If they are, their machines are probably already owned, and all their stored 
credentials and session cookies have been leaked.

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/

This is really bad. Sorry 8-(

--Rob



Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread James Hodgkinson
They've pulled the installers from their website and refer people to the web 
client...which is not much of a start...


On 2023-03-30 14:09 Greg Lipschitz wrote:
> Here is a list of commands (or make a shell script) to stop it phoning home 
> and getting more payload.
> 
> # Disable 3CX Unattended-Upgrades Service
> 
> systemctl stop unattended-upgrades
> 
> # Collect the version of 3CX Desktop Apps on the Server
> 
> cd /var/lib/3cxpbx/Instance1/Data/Http/electron
> ls -la * > /root/3cx-desktop-versions.log
> 
> # Remove the files
> 
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg
> 
> 
> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5
> 
> 
> Sadly, 3CX haven't even acknowledged this yet.
> It would seem that their whole CI-CD pipeline has been compromised
> 
> Greg. 
> 
> 
> 
> 
> 
> 
> *From:* AusNOG  on behalf of Rob Thomas 
> 
> *Sent:* 30 March 2023 14:54
> *To:*  
> *Subject:* [AusNOG] Critical 3CX Windows/Mac hack.
>  
> As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, 
> in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.
> 
> If you, or you have clients, running 3CX, make sure they ARE NOT using the 
> app. If they are, their machines are probably already owned, and all their 
> stored credentials and session cookies have been leaked.
> 
> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/
> 
> This is really bad. Sorry 8-(
> 
> --Rob
> 


Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread Christopher Hawker
It appears their sales team have no info regarding this. Just rang our Senior 
AM at 3CX and they've advised that they have no information, and that they are 
referring anyone who calls to their technical teams via support tickets in the 
3CX portal.

Not a good look for them.

CH


From: AusNOG  on behalf of Greg Lipschitz 

Sent: Thursday, March 30, 2023 3:09:45 PM
To: Rob Thomas ;  

Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.

Here is a list of commands (or make a shell script) to stop it phoning home and 
getting more payload.

# Disable 3CX Unattended-Upgrades Service

systemctl stop unattended-upgrades

# Collect the version of 3CX Desktop Apps on the Server

cd /var/lib/3cxpbx/Instance1/Data/Http/electron
ls -la * > /root/3cx-desktop-versions.log

# Remove the files

rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg


https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5


Sadly, 3CX haven't even acknowledged this yet.
It would seem that their whole CI-CD pipeline has been compromised

Greg.




From: AusNOG  on behalf of Rob Thomas 

Sent: 30 March 2023 14:54
To:  
Subject: [AusNOG] Critical 3CX Windows/Mac hack.

As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, in 
the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.

If you, or you have clients, running 3CX, make sure they ARE NOT using the app. 
If they are, their machines are probably already owned, and all their stored 
credentials and session cookies have been leaked.

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/

This is really bad. Sorry 8-(

--Rob



Re: [AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread Greg Lipschitz
Here is a list of commands (or make a shell script) to stop it phoning home and 
getting more payload.

# Disable 3CX Unattended-Upgrades Service

systemctl stop unattended-upgrades

# Collect the version of 3CX Desktop Apps on the Server

cd /var/lib/3cxpbx/Instance1/Data/Http/electron
ls -la * > /root/3cx-desktop-versions.log

# Remove the files

rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg


https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5


Sadly, 3CX haven't even acknowledged this yet.
It would seem that their whole CI-CD pipeline has been compromised

Greg.


Greg Lipschitz | Founder & CEO | Summit Internet
glipsch...@summitinternet.com.au
summitinternet.com.au
1300 049 749
Unit 2, 31-39 Norcal Road, Nunawading VIC 3131
Summit Internet

From: AusNOG  on behalf of Rob Thomas 

Sent: 30 March 2023 14:54
To:  
Subject: [AusNOG] Critical 3CX Windows/Mac hack.

As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, in 
the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.

If you, or you have clients, running 3CX, make sure they ARE NOT using the app. 
If they are, their machines are probably already owned, and all their stored 
credentials and session cookies have been leaked.

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/

This is really bad. Sorry 8-(

--Rob

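
An added example to go with Greg's three steps above; it is not Greg's script and not anything published by 3CX. It does the same things (freeze the updater, record what is on disk, get the installers out of the PBX web root) but moves the installers into a quarantine directory and writes a SHA-256 manifest first instead of deleting them, so the artefacts stay available for incident response and can later be compared against whatever indicators 3CX and the EDR vendors publish. The directory layout is the one Greg's commands use (/var/lib/3cxpbx/Instance1/Data/Http/electron with osx/ and windows/ subdirectories) and is passed in as a parameter so the function can be exercised on a constructed tree; the sample file names in make_sample_tree are made up and the demo never touches a real PBX.

```shell
#!/bin/sh
# Added example, not Greg's script and not 3CX code. Same three steps as the
# thread, but installers are hashed and quarantined rather than deleted.

# Freeze the PBX's updater. "stop" only lasts until the next boot, so "disable"
# is issued as well. Not called by the demo below; run it on the PBX as root.
freeze_unattended_upgrades() {
    systemctl stop unattended-upgrades
    systemctl disable unattended-upgrades
}

# Move every installer under $1/osx and $1/windows into $2 and append one line
# per file (sha256, size, platform, name) to the manifest $3. Prints the number
# of files moved. Layout assumed from the thread:
#   /var/lib/3cxpbx/Instance1/Data/Http/electron/{osx,windows}
quarantine_3cx_installers() {
    electron_dir="$1"
    quarantine_dir="$2"
    manifest="$3"
    moved=0

    mkdir -p "$quarantine_dir"
    : > "$manifest"

    for platform in osx windows; do
        src="$electron_dir/$platform"
        [ -d "$src" ] || continue
        for f in "$src"/*.dmg "$src"/*.zip "$src"/*.msi "$src"/*.nupkg; do
            [ -f "$f" ] || continue      # an unmatched glob stays literal; skip it
            sum=$(sha256sum "$f" | cut -d' ' -f1)
            size=$(wc -c < "$f" | tr -d ' ')
            mkdir -p "$quarantine_dir/$platform"
            printf '%s  %s  %s  %s\n' "$sum" "$size" "$platform" "$(basename "$f")" >> "$manifest"
            mv "$f" "$quarantine_dir/$platform/"
            moved=$((moved + 1))
        done
    done
    echo "$moved"
}

# Constructed stand-in for a PBX web root so the function can be exercised
# without a real 3CX install. File names are made up.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/electron/osx" "$root/electron/windows"
    for name in osx/sample-desktop-app.dmg osx/sample-desktop-app-mac.zip \
                windows/sample-desktop-app.msi windows/sample-desktop-app-full.nupkg; do
        printf 'constructed sample, not a real installer: %s\n' "$name" > "$root/electron/$name"
    done
    # A non-installer file that must be left in place.
    printf 'release index, keep\n' > "$root/electron/windows/RELEASES.txt"
}

# Demonstration on a throw-away tree (never touches a real PBX).
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
n=$(quarantine_3cx_installers "$demo_root/electron" "$demo_root/quarantine" "$demo_root/manifest.txt")
echo "quarantined $n installer(s); manifest:"
cat "$demo_root/manifest.txt"
rm -rf "$demo_root"
```

On a real PBX the call would be something like quarantine_3cx_installers /var/lib/3cxpbx/Instance1/Data/Http/electron /root/3cx-quarantine /root/3cx-installers.sha256, run as root after freeze_unattended_upgrades. The manifest gives you the hashes to check against published indicators without having to recover the files from a backup, and the quarantine directory keeps them out of the web root while still available to whoever does the investigation; rm -rf achieves the first goal but not the second.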


[AusNOG] Critical 3CX Windows/Mac hack.

2023-03-29 Thread Rob Thomas
As no-one's mentioned it here yet, I just thought I'd bring up the
zero-day, in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.

If you, or you have clients, running 3CX, make sure they ARE NOT using the
app. If they are, their machines are probably already owned, and all their
stored credentials and session cookies have been leaked.

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/

This is really bad. Sorry 8-(

--Rob