[AusNOG] Critical 3CX Windows/Mac hack.
James Hodgkinson
yaleman at ricetek.net
Thu Mar 30 15:33:24 AEDT 2023
They've pulled the installers from their website and refer people to the web client...which is not much of a start...
On 2023-03-30 14:09 Greg Lipschitz wrote:
> Here is a list of commands (or make a shell script) to stop it phoning home and getting more payload.
>
> # Disable 3CX Unattended-Upgrades Service
>
> systemctl stop unattended-upgrades
>
> # Collect the version of 3CX Desktop Apps on the Server
>
> cd /var/lib/3cxpbx/Instance1/Data/Http/electron
> ls -la * > /root/3cx-desktop-versions.log
>
> # Remove the files
>
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg
>
>
> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5
>
>
> Sadly, 3CX haven't even acknowledged this yet.
> It would seem that their whole CI/CD pipeline has been compromised.
>
> Greg.
>
>
>
> Greg Lipschitz | Founder & CEO | Summit Internet
> glipschitz at summitinternet.com.au
> summitinternet.com.au
> 1300 049 749
> Unit 2, 31-39 Norcal Road, Nunawading VIC 3131
>
>
>
> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Rob Thomas <xrobau at gmail.com>
> *Sent:* 30 March 2023 14:54
> *To:* <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
> *Subject:* [AusNOG] Critical 3CX Windows/Mac hack.
>
> As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.
>
> If you, or your clients, are running 3CX, make sure they ARE NOT using the app. If they are, their machines are probably already owned, and all their stored credentials and session cookies have been leaked.
>
> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/
>
> This is really bad. Sorry 8-(
>
> --Rob
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
>
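As an added example (not code from Greg's post, from 3CX, or from anyone else in the thread), here is a POSIX shell version of the containment steps Greg quoted above. It differs from the quoted commands in one respect a responder would want: instead of `rm -rf`, it records an inventory line with the SHA-256 hash and size of every served installer and then moves the files into a root-only quarantine directory, so the artefacts stay available for incident response and vendor reporting. The electron path under `/var/lib/3cxpbx` and the `unattended-upgrades` unit are taken from Greg's post; the quarantine directory, log name, and the `--run` switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: quarantine (rather than delete) the
# 3CX desktop-app installers served by the PBX, recording hashes first.
set -u

# Paths from Greg's post; QUARANTINE_DIR and INVENTORY_LOG are assumptions.
ELECTRON_DIR="${ELECTRON_DIR:-/var/lib/3cxpbx/Instance1/Data/Http/electron}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/root/3cx-quarantine}"
INVENTORY_LOG="${INVENTORY_LOG:-/root/3cx-desktop-versions.log}"

# Use whichever SHA-256 tool exists on this host (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Stop the unit that would re-fetch installers. Only attempted where
# systemd is present; a no-op elsewhere.
stop_unattended_upgrades() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl stop unattended-upgrades
    fi
}

# quarantine_installers SRC_DIR QUARANTINE_DIR LOG
# Appends "sha256  size  path" for each installer to LOG, then moves the
# file into QUARANTINE_DIR/<osx|windows>/ (quarantine dir is mode 0700).
# Prints the number of files quarantined.
quarantine_installers() {
    src="$1"; dst="$2"; log="$3"
    count=0
    mkdir -p "$dst" && chmod 700 "$dst"
    : >> "$log"
    for f in "$src"/osx/*.dmg "$src"/osx/*.zip \
             "$src"/windows/*.msi "$src"/windows/*.nupkg; do
        [ -f "$f" ] || continue            # an unmatched glob stays literal; skip it
        sub=$(basename "$(dirname "$f")")  # osx or windows
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s  %s  %s\n' "$(sha256_of "$f")" "$size" "$f" >> "$log"
        mkdir -p "$dst/$sub"
        mv "$f" "$dst/$sub/"
        count=$((count + 1))
    done
    echo "$count"
}

# Run the full containment only when explicitly asked (needs root on the PBX):
#   sh 3cx-contain.sh --run
if [ "${1:-}" = "--run" ]; then
    stop_unattended_upgrades
    n=$(quarantine_installers "$ELECTRON_DIR" "$QUARANTINE_DIR" "$INVENTORY_LOG")
    echo "quarantined $n installer(s); inventory in $INVENTORY_LOG"
fi
```

The inventory log is what you would hand to the vendor or an IR team: the hashes identify exactly which builds the server was distributing, and the quarantined copies can be re-examined once indicators are published, which a `rm -rf` does not allow.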