[AusNOG] Critical 3CX Windows/Mac hack.

DaZZa dazzagibbs at gmail.com
Thu Mar 30 16:42:10 AEDT 2023


From a security perspective, the utterly terrifying part of most of these
responses boils down to "Oh, must be a glitch in the AV, I'll *whitelist*
it so it doesn't get caught".

Jesus Wept. I'd be bashing heads if anyone in my company even suggested
that without a much more thorough investigation!

D

On Thu, 30 Mar 2023 at 16:08, Alexander Neilson <alexander at neilson.net.nz>
wrote:

> I haven't seen it personally
>
> However others are reporting it as separate investigations they have seen
> the loader execute:
>
> https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign
>
> https://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/
> - Reports ESET detected it - possibly using signature / hash from S1
>
> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558449
> - Cortex XDR (Palo Alto)
>
> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558708
> - CrowdStrike
>
> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
> - References Sophos
>
>
> I am pretty confident that if this isn't a malicious actor doing this then
> 3CX has performed the mother of all response tests on its customers over
> the past week and should have had a better reply than silence when they
> were asked about it.
>
> Regards
> Alexander
>
> Alexander Neilson
> Neilson Productions Limited
>
> alexander at neilson.net.nz
> 021 329 681
> 022 456 2326
>
>
> On Thu, 30 Mar 2023 at 17:57, Matthew Mace <matthew at htsol.com.au> wrote:
>
>> Can anyone definitively confirm that they’ve personally seen it get
>> picked up by anything other than S1?
>>
>>
>>
>> In addition to this, anyone that has had it installed at a site and also
>> runs a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or
>> premium routers with DPI (Sonicwall, Firebox etc.), do you know if they
>> picked up this traffic and stopped it? I would be hoping so.
>>
>>
>>
>> Definitely curious to know either way.
>>
>> Matthew Mace
>>
>> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> *On Behalf Of *Nathan
>> Brookfield
>> *Sent:* Thursday, March 30, 2023 2:51 PM
>> *To:* Christopher Hawker <chris at thesysadmin.dev>; Greg Lipschitz <
>> glipschitz at summitinternet.com.au>; Rob Thomas <xrobau at gmail.com>; <
>> ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>
>>
>>
>> To be fair, they likely don’t know much yet and things are probably
>> pretty hectic…. Give them time, crisis management is probably only kicking
>> in now.
>>
>>
>>
>> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> *On Behalf Of *Christopher
>> Hawker
>> *Sent:* Thursday, March 30, 2023 3:31 PM
>> *To:* Greg Lipschitz <glipschitz at summitinternet.com.au>; Rob Thomas <
>> xrobau at gmail.com>; <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>
>>
>>
>> It appears their sales team have no info regarding this. Just rang our
>> Senior AM at 3CX and they've advised that they have no information, and
>> that they are referring anyone who calls to their technical teams via
>> support tickets in the 3CX portal.
>>
>>
>>
>> Not a good look for them.
>>
>>
>>
>> CH
>>
>>
>>
>> ------------------------------
>>
>> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Greg
>> Lipschitz <glipschitz at summitinternet.com.au>
>> *Sent:* Thursday, March 30, 2023 3:09:45 PM
>> *To:* Rob Thomas <xrobau at gmail.com>; <ausnog at lists.ausnog.net> <
>> ausnog at lists.ausnog.net>
>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>
>>
>>
>> Here is a list of commands (or make a shell script) to stop it phoning
>> home and getting more payload.
>>
>> # Disable 3CX Unattended-Upgrades Service
>> systemctl stop unattended-upgrades
>>
>> # Collect the version of 3CX Desktop Apps on the Server
>> cd /var/lib/3cxpbx/Instance1/Data/Http/electron
>> ls -la * > /root/3cx-desktop-versions.log
>>
>> # Remove the files
>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg
>>
>> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5
>>
>> Sadly, 3CX haven't even acknowledged this yet.
>>
>> It would seem that their whole CI/CD pipeline has been compromised.
>>
>>
>>
>> Greg.
>>
>>
>>
>>
>>
>> Greg Lipschitz | Founder & CEO | Summit Internet
>> glipschitz at summitinternet.com.au
>> summitinternet.com.au
>> 1300 049 749
>> Unit 2, 31-39 Norcal Road, Nunawading VIC 3131
>>
>>
>>
>> ------------------------------
>>
>> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Rob Thomas
>> <xrobau at gmail.com>
>> *Sent:* 30 March 2023 14:54
>> *To:* <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
>> *Subject:* [AusNOG] Critical 3CX Windows/Mac hack.
>>
>>
>>
>> As no-one's mentioned it here yet, I just thought I'd bring up the
>> zero-day, in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.
>>
>>
>>
>> If you, or you have clients, running 3CX, make sure they ARE NOT using
>> the app. If they are, their machines are probably already owned, and all
>> their stored credentials and session cookies have been leaked.
>>
>>
>>
>>
>> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/
>>
>>
>>
>> This is really bad. Sorry 8-(
>>
>>
>>
>> --Rob
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> https://lists.ausnog.net/mailman/listinfo/ausnog
>>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
>


-- 
veg·e·tar·i·an:
Ancient tribal slang for the village idiot who can't hunt, fish or ride
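The clean-up commands quoted in the thread delete the served installers with rm -rf, which is exactly the kind of evidence an investigation of a trojaned build would want to keep. The script below is an added example, not code from the thread, from 3CX or from any vendor: it inventories every installer the PBX serves from the electron directory (sha256, size, path), then moves the files into a read-only quarantine tree instead of deleting them, leaving the manifest to be diffed against hashes once they are published. The directory layout (/var/lib/3cxpbx/Instance1/Data/Http/electron with osx/ and windows/ subdirectories holding .msi, .nupkg, .dmg and .zip files) is taken from the thread; the quarantine and manifest paths, the function names and the RUN_QUARANTINE switch are assumptions chosen for this example.

```sh
#!/bin/sh
# Added example (not from the thread or from 3CX): inventory and quarantine the
# desktop-app installers a 3CX PBX serves, rather than rm -rf'ing them, so the
# files survive for an investigation. The electron path is the one quoted in
# the thread; manifest/quarantine paths and RUN_QUARANTINE are assumptions.
set -eu

# Assumed defaults; override via the environment on a scratch directory first.
ELECTRON_DIR=${ELECTRON_DIR:-/var/lib/3cxpbx/Instance1/Data/Http/electron}
QUARANTINE_DIR=${QUARANTINE_DIR:-/root/3cx-quarantine}
MANIFEST=${MANIFEST:-/root/3cx-desktop-installers.sha256}

# Print the SHA-256 of a file (coreutils sha256sum, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Walk $1 for the installer types the PBX serves and write one
# "sha256<TAB>size<TAB>path" line per file into manifest $2.
inventory_installers() {
    dir="$1"; manifest="$2"
    : > "$manifest"
    find "$dir" -type f \( -name '*.msi' -o -name '*.nupkg' \
                          -o -name '*.dmg' -o -name '*.zip' \) -print |
    while IFS= read -r f; do
        sum=$(sha256_of "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s\t%s\t%s\n' "$sum" "$size" "$f" >> "$manifest"
    done
}

# Move every file listed in manifest $3 out of $1 into quarantine tree $2,
# keeping the relative path (osx/..., windows/...) and making it read-only.
# Nothing is deleted; the manifest records what was moved and its hash.
quarantine_installers() {
    dir="$1"; qdir="$2"; manifest="$3"
    while IFS= read -r line; do
        f=$(printf '%s\n' "$line" | cut -f3)
        rel=${f#"$dir"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
        chmod 0400 "$qdir/$rel"
    done < "$manifest"
}

# Number of files now held in the quarantine tree $1.
count_quarantined() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Only touch the live PBX paths when explicitly asked to.
if [ "${RUN_QUARANTINE:-0}" = 1 ]; then
    inventory_installers "$ELECTRON_DIR" "$MANIFEST"
    quarantine_installers "$ELECTRON_DIR" "$QUARANTINE_DIR" "$MANIFEST"
    echo "quarantined $(count_quarantined "$QUARANTINE_DIR") files; manifest at $MANIFEST"
fi
```

Run it on the PBX as root with RUN_QUARANTINE=1 after the update service has been stopped as in the thread; the manifest is what you hand to the incident responder and later compare against vendor-published hashes, and the quarantined files can still be submitted for analysis, which a deleted file cannot.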