[AusNOG] Critical 3CX Windows/Mac hack.

Jrandombob jrandombob at darkglade.com
Thu Mar 30 16:53:52 AEDT 2023


Yeah, some of those forum threads are IMPRESSIVELY trainwrecky, I think the
most succinct evaluation I've seen is this one:
"Seriously. Your EDR tells you that your phone client is behaving like a C2
talking to North Korea, and your response is to put it in the whitelist?
Wow..."

On Thu, Mar 30, 2023 at 4:42 PM DaZZa <dazzagibbs at gmail.com> wrote:

> From a security perspective, the utterly terrifying part of most of these
> responses boils down to "Oh, must be a glitch in the AV, I'll *whitelist*
> it so it doesn't get caught".
>
> Jesus Wept. I'd be bashing heads if anyone in my company even suggested
> that without a much more thorough investigation!
>
> D
>
> On Thu, 30 Mar 2023 at 16:08, Alexander Neilson <alexander at neilson.net.nz>
> wrote:
>
>> I haven't seen it personally
>>
>> However others are reporting it as separate investigations they have seen
>> the loader execute:
>>
>> https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign
>>
>> https://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/
>> - Reports ESET detected it - possibly using signature / hash from S1
>>
>> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558449
>> - Cortex XDR (Palo Alto)
>>
>> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558708
>> - CrowdStrike
>>
>> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
>> - References Sophos
>>
>>
>> I am pretty confident that if this isn't a malicious actor doing this
>> then 3CX has performed the mother of all response tests on its customers
>> over the past week and should have had a better reply than silence when
>> they were asked about it.
>>
>> Regards
>> Alexander
>>
>> Alexander Neilson
>> Neilson Productions Limited
>>
>> alexander at neilson.net.nz
>> 021 329 681
>> 022 456 2326
>>
>>
>> On Thu, 30 Mar 2023 at 17:57, Matthew Mace <matthew at htsol.com.au> wrote:
>>
>>> Can anyone definitively confirm that they’ve personally seen it get
>>> picked up by anything other than S1?
>>>
>>> In addition to this, anyone that has had it installed at a site and also
>>> run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or
>>> premium routers with DPI (Sonicwall, Firebox etc.), do you know if they
>>> picked up this traffic and stopped it? I would be hoping so.
>>>
>>> Definitely curious to know either way.
>>>
>>> *Matthew Mace*
>>>
>>> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> *On Behalf Of *Nathan
>>> Brookfield
>>> *Sent:* Thursday, March 30, 2023 2:51 PM
>>> *To:* Christopher Hawker <chris at thesysadmin.dev>; Greg Lipschitz <
>>> glipschitz at summitinternet.com.au>; Rob Thomas <xrobau at gmail.com>; <
>>> ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
>>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>> To be fair, they likely don’t know much yet and things are probably
>>> pretty hectic… Give them time, crisis management is probably only kicking
>>> in now.
>>>
>>> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> *On Behalf Of *Christopher
>>> Hawker
>>> *Sent:* Thursday, March 30, 2023 3:31 PM
>>> *To:* Greg Lipschitz <glipschitz at summitinternet.com.au>; Rob Thomas <
>>> xrobau at gmail.com>; <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
>>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>> It appears their sales team have no info regarding this. Just rang our
>>> Senior AM at 3CX and they've advised that they have no information, and
>>> that they are referring anyone who calls to their technical teams via
>>> support tickets in the 3CX portal.
>>>
>>> Not a good look for them.
>>>
>>> CH
>>>
>>> ------------------------------
>>>
>>> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Greg
>>> Lipschitz <glipschitz at summitinternet.com.au>
>>> *Sent:* Thursday, March 30, 2023 3:09:45 PM
>>> *To:* Rob Thomas <xrobau at gmail.com>; <ausnog at lists.ausnog.net> <
>>> ausnog at lists.ausnog.net>
>>> *Subject:* Re: [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>> Here is a list of commands (or make a shell script) to stop it phoning
>>> home and getting more payload.
>>>
>>> # Disable 3CX Unattended-Upgrades Service
>>> # (stop halts it now; disable keeps it from starting again after a reboot)
>>> systemctl stop unattended-upgrades
>>> systemctl disable unattended-upgrades
>>>
>>> # Collect the version of 3CX Desktop Apps on the Server
>>> cd /var/lib/3cxpbx/Instance1/Data/Http/electron || exit 1
>>> ls -la * > /root/3cx-desktop-versions.log
>>>
>>> # Remove the files
>>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
>>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
>>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
>>> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg
>>>
>>> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5
>>>
>>> Sadly, 3CX haven't even acknowledged this yet.
>>>
>>> It would seem that their whole CI-CD pipeline has been compromised
>>>
>>> Greg.
>>>
>>> *Greg Lipschitz* | *Founder & CEO* | *Summit Internet*
>>> *glipschitz at summitinternet.com.au* <glipschitz at summitinternet.com.au>
>>> *summitinternet.com.au* <http://summitinternet.com.au>
>>> *1300 049 749*
>>> *Unit 2, 31-39 Norcal Road, Nunawading VIC 3131*
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> *From:* AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Rob
>>> Thomas <xrobau at gmail.com>
>>> *Sent:* 30 March 2023 14:54
>>> *To:* <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
>>> *Subject:* [AusNOG] Critical 3CX Windows/Mac hack.
>>>
>>> As no-one's mentioned it here yet, I just thought I'd bring up the
>>> zero-day, in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.
>>>
>>> If you, or your clients, are running 3CX, make sure they ARE NOT using
>>> the app. If they are, their machines are probably already owned, and all
>>> their stored credentials and session cookies have been leaked.
>>>
>>> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/
>>>
>>> This is really bad. Sorry 8-(
>>>
>>> --Rob
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> https://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>
>
>
> --
> veg·e·tar·i·an:
> Ancient tribal slang for the village idiot who can't hunt, fish or ride
>
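The clean-up commands Greg posted above stop the updater, record which client packages the PBX was serving, and then delete those packages. Several replies in the thread note that the only reliable signal so far has come from EDR and vendor signatures or hashes. The script below is an added example, not code from the thread or from 3CX: it keeps Greg's directory layout (/var/lib/3cxpbx/Instance1/Data/Http/electron with osx/*.dmg, osx/*.zip, windows/*.msi and windows/*.nupkg) but moves the packages into a quarantine directory instead of removing them, writes a SHA-256 inventory, and flags any package whose hash appears in a supplied list of indicator hashes. The quarantine directory, log file name and IoC file name are hypothetical placeholders; the IoC list itself must come from a vendor advisory, the script ships with none.

```shell
#!/bin/sh
# Added example (not from the thread). Inventories and quarantines the 3CX
# desktop-client packages a PBX server serves, so that the artifacts survive
# for hash comparison rather than being deleted outright.

# Print the SHA-256 of a file; falls back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# quarantine_installers SRC_DIR QUARANTINE_DIR LOG_FILE [IOC_FILE]
#   Moves every desktop-client package under SRC_DIR into QUARANTINE_DIR,
#   appends "sha256  size  original_path  status" per file to LOG_FILE, and
#   prints the number of packages moved. IOC_FILE (optional, hypothetical)
#   holds one lower-case SHA-256 per line; a package whose hash is listed
#   is logged with status MATCH, every other package with "-".
quarantine_installers() {
    src="$1"; dest="$2"; log="$3"; ioc="${4:-}"
    mkdir -p "$dest" || return 1
    : > "$log" || return 1
    count=0
    for f in "$src"/osx/*.dmg "$src"/osx/*.zip \
             "$src"/windows/*.msi "$src"/windows/*.nupkg; do
        [ -e "$f" ] || continue          # an unmatched glob stays literal in sh
        sum=$(hash_file "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        status=-
        if [ -n "$ioc" ] && [ -f "$ioc" ] && grep -Fqix -- "$sum" "$ioc"; then
            status=MATCH
        fi
        printf '%s  %s  %s  %s\n' "$sum" "$size" "$f" "$status" >> "$log"
        mv -- "$f" "$dest"/ || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Count how many inventory entries were flagged as IoC matches.
count_matches() {
    grep -c ' MATCH$' "$1" || true       # grep exits 1 on zero matches
}

# Only touch the real PBX paths when explicitly asked, so that sourcing this
# file for review or testing changes nothing on the host.
if [ "${1:-}" = "--run" ]; then
    systemctl stop unattended-upgrades
    systemctl disable unattended-upgrades
    n=$(quarantine_installers /var/lib/3cxpbx/Instance1/Data/Http/electron \
                              /root/3cx-quarantine \
                              /root/3cx-desktop-inventory.log \
                              /root/3cx-ioc-sha256.txt)   # placeholder IoC list
    echo "quarantined $n package(s); $(count_matches /root/3cx-desktop-inventory.log) matched the IoC list"
fi
```

Run it as `sh quarantine.sh --run` on the PBX host; the inventory log is what you hand to whoever is doing the investigation, and the quarantined packages can be re-hashed against later advisories without guessing which version a site had been serving.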