[AusNOG] Critical 3CX Windows/Mac hack.
Matthew Mace
matthew at htsol.com.au
Thu Mar 30 16:58:59 AEDT 2023
Interesting!
How long ago did it start seeing it and was It standard defender or Endpoint Business?
Matthew Mace
Director
Honest Technology Solutions
P: 07 3188 7244
E: matthew at htsol.com.au<mailto:matthew at htsol.com.au>
www.htsol.com.au<http://www.htsol.com.au/>
"Keeping IT Honest"
[cid:image001.png at 01D96320.88ED0BC0]
From: Greg Lipschitz <glipschitz at summitinternet.com.au>
Sent: Thursday, March 30, 2023 3:48 PM
To: Matthew Mace <matthew at htsol.com.au>; Nathan Brookfield <Nathan.Brookfield at iperium.com.au>; Christopher Hawker <chris at thesysadmin.dev>; Rob Thomas <xrobau at gmail.com>; <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.
Windows Defender picked it up too.
Greg Lipschitz
|
Founder & CEO
|
Summit Internet
glipschitz at summitinternet.com.au<mailto:glipschitz at summitinternet.com.au>
summitinternet.com.au<http://summitinternet.com.au>
1300 049 749<tel:1300%20049%20749>
Unit 2, 31-39 Norcal Road, Nunawading VIC 3131<https://www.google.com/maps?cid=12522583051503623677&_ga=2.149009334.1057584350.1554770858-1081443428.1554770858>
[cid:image002.png at 01D96320.88ED0BC0]
[cid:image003.png at 01D96320.88ED0BC0]
[Summit Internet]<http://summitinternet.com.au/>
[cid:image005.png at 01D96320.88ED0BC0]
________________________________
From: Matthew Mace <matthew at htsol.com.au>
Sent: 30 March 2023 15:57
To: Nathan Brookfield <Nathan.Brookfield at iperium.com.au>; Christopher Hawker <chris at thesysadmin.dev>; Greg Lipschitz <glipschitz at summitinternet.com.au>; Rob Thomas <xrobau at gmail.com>; <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
Subject: RE: [AusNOG] Critical 3CX Windows/Mac hack.
You don't often get email from matthew at htsol.com.au. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
Can anyone definitively confirm that they’ve personally seen it get picked up by anything else than S1?
In addition to this anyone that has had it installed at a site and also run a premium DNS filtering service (Umbrella, DNS Filter etc.) and/or premium routers with DPI (Sonicwall, Firebox etc.), do you know if they picked up this traffic and stopped it? I would be hoping so.
Definitely curious to know either way.
Matthew Mace
From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of Nathan Brookfield
Sent: Thursday, March 30, 2023 2:51 PM
To: Christopher Hawker <chris at thesysadmin.dev>; Greg Lipschitz <glipschitz at summitinternet.com.au>; Rob Thomas <xrobau at gmail.com>; <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.
To be fair, they likely don’t know much yet and things are probably pretty hectic…. Give them time, crisis management is probably only kicking in now.
From: AusNOG <ausnog-bounces at lists.ausnog.net<mailto:ausnog-bounces at lists.ausnog.net>> On Behalf Of Christopher Hawker
Sent: Thursday, March 30, 2023 3:31 PM
To: Greg Lipschitz <glipschitz at summitinternet.com.au<mailto:glipschitz at summitinternet.com.au>>; Rob Thomas <xrobau at gmail.com<mailto:xrobau at gmail.com>>; <ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>> <ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>>
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.
It appears their sales team have no info regarding this. Just rang our Senior AM at 3CX and they've advised that they have no information, and that they are referring anyone who calls to their technical teams via support tickets in the 3CX portal.
Not a good look for them.
CH
Get Outlook for Android<https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FAAb9ysg&data=05%7C01%7Cglipschitz%40summitinternet.com.au%7C28ab046f470a4f19932b08db30db3490%7C0838a12f226e43dfa6e4bb63d2643a7e%7C0%7C0%7C638157490273890466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=LeXZsLN4cUATWMtiKqKRMgdDICBmFCmTUpQ3wZ%2FBGK4%3D&reserved=0>
________________________________
From: AusNOG <ausnog-bounces at lists.ausnog.net<mailto:ausnog-bounces at lists.ausnog.net>> on behalf of Greg Lipschitz <glipschitz at summitinternet.com.au<mailto:glipschitz at summitinternet.com.au>>
Sent: Thursday, March 30, 2023 3:09:45 PM
To: Rob Thomas <xrobau at gmail.com<mailto:xrobau at gmail.com>>; <ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>> <ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>>
Subject: Re: [AusNOG] Critical 3CX Windows/Mac hack.
Here is a list of commands (or make a shell script) to stop it phoning home and getting more payload.
# Disable 3CX Unattended-Upgrades Service
systemctl stop unattended-upgrades
# Collect the version of 3CX Desktop Apps on the Server
cd /var/lib/3cxpbx/Instance1/Data/Http/electron
ls -la * > /root/3cx-desktop-versions.log
# Remove the files
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg
https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5<https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.3cx.com%2Fcommunity%2Fthreads%2Fthreat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806%2Fpage-5&data=05%7C01%7Cglipschitz%40summitinternet.com.au%7C28ab046f470a4f19932b08db30db3490%7C0838a12f226e43dfa6e4bb63d2643a7e%7C0%7C0%7C638157490273890466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=gBvUcr9Pkokg10aeP864qVSsMZDg6KE%2FuuDUDi2imtE%3D&reserved=0>
Sadly, 3CX haven't even acknowledged this yet.
It would seem that their whole CI-CD pipeline has been compromised
Greg.
Greg Lipschitz
|
Founder & CEO
|
Summit Internet
glipschitz at summitinternet.com.au<mailto:glipschitz at summitinternet.com.au>
summitinternet.com.au<https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsummitinternet.com.au%2F&data=05%7C01%7Cglipschitz%40summitinternet.com.au%7C28ab046f470a4f19932b08db30db3490%7C0838a12f226e43dfa6e4bb63d2643a7e%7C0%7C0%7C638157490273890466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=zO2mC4vUjaIW7YOuPf7i45hrukQ5fRzyFikE1GWDZjQ%3D&reserved=0>
1300 049 749<tel:1300%20049%20749>
Unit 2, 31-39 Norcal Road, Nunawading VIC 3131<https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.google.com%2Fmaps%3Fcid%3D12522583051503623677%26_ga%3D2.149009334.1057584350.1554770858-1081443428.1554770858&data=05%7C01%7Cglipschitz%40summitinternet.com.au%7C28ab046f470a4f19932b08db30db3490%7C0838a12f226e43dfa6e4bb63d2643a7e%7C0%7C0%7C638157490273890466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VkgdWHriLjc1epWzbMAJ6U7ksoRzTvp6An1JpnbAt1k%3D&reserved=0>
[cid:image002.png at 01D96320.88ED0BC0]
[cid:image003.png at 01D96320.88ED0BC0]
[Summit Internet]<https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsummitinternet.com.au%2F&data=05%7C01%7Cglipschitz%40summitinternet.com.au%7C28ab046f470a4f19932b08db30db3490%7C0838a12f226e43dfa6e4bb63d2643a7e%7C0%7C0%7C638157490273890466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=zO2mC4vUjaIW7YOuPf7i45hrukQ5fRzyFikE1GWDZjQ%3D&reserved=0>
[cid:image005.png at 01D96320.88ED0BC0]
________________________________
From: AusNOG <ausnog-bounces at lists.ausnog.net<mailto:ausnog-bounces at lists.ausnog.net>> on behalf of Rob Thomas <xrobau at gmail.com<mailto:xrobau at gmail.com>>
Sent: 30 March 2023 14:54
To: <ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>> <ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>>
Subject: [AusNOG] Critical 3CX Windows/Mac hack.
As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.
If you, or you have clients, running 3CX, make sure they ARE NOT using the app. If they are, their machines are probably already owned, and all their stored credentials and session cookies have been leaked.
https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/<https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fhackers-compromise-3cx-desktop-app-in-a-supply-chain-attack%2Famp%2F&data=05%7C01%7Cglipschitz%40summitinternet.com.au%7C28ab046f470a4f19932b08db30db3490%7C0838a12f226e43dfa6e4bb63d2643a7e%7C0%7C0%7C638157490273890466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NUiZuLaVjcCKlwNPMt1Np84joAu8dkLObF0L7rfce6s%3D&reserved=0>
This is really bad. Sorry 8-(
--Rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ausnog.net/pipermail/ausnog/attachments/20230330/de259af3/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 17808 bytes
Desc: image001.png
URL: <https://lists.ausnog.net/pipermail/ausnog/attachments/20230330/de259af3/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 984 bytes
Desc: image002.png
URL: <https://lists.ausnog.net/pipermail/ausnog/attachments/20230330/de259af3/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 10728 bytes
Desc: image003.png
URL: <https://lists.ausnog.net/pipermail/ausnog/attachments/20230330/de259af3/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 1930 bytes
Desc: image004.png
URL: <https://lists.ausnog.net/pipermail/ausnog/attachments/20230330/de259af3/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 3004 bytes
Desc: image005.png
URL: <https://lists.ausnog.net/pipermail/ausnog/attachments/20230330/de259af3/attachment-0004.png>
More information about the AusNOG
mailing list