<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
Here is a list of commands (or make a shell script) to stop it phoning home and getting more payload.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<div style="color:#000000;background-color:#ffffff;font-family:Menlo, Monaco, 'Courier New', monospace;font-weight:normal;font-size:14px;line-height:21px">
<pre style="margin:0;font:inherit">#!/bin/sh
set -e

# Stop the unattended-upgrades service so the PBX does not automatically pull
# further packages, and disable it so it stays off after a reboot
systemctl stop unattended-upgrades
systemctl disable unattended-upgrades

# Record which 3CX Desktop App installers the server is currently hosting
cd /var/lib/3cxpbx/Instance1/Data/Http/electron
ls -la * > /root/3cx-desktop-versions.log

# Remove the installers so the PBX no longer hands the trojaned app to clients
rm -f /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
rm -f /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
rm -f /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
rm -f /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg</pre></div>
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted1">
<a href="https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5" id="LPlnk919454">https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5</a><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted1">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted1">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted1">
Sadly, 3CX haven't even acknowledged this yet.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted1">
It would seem that their whole CI/CD pipeline has been compromised.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted1">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted1">
Greg. </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted1">
<br>
</div>
<div id="appendonsend"></div>
<br /><div style="font-family:Arial,Helvetica Neue,Helvetica,sans-serif;font-size:12px;color:#000001;"><b>Greg Lipschitz</b> | Founder &amp; CEO | Summit Internet<br>
<a href="mailto:glipschitz@summitinternet.com.au" target="_blank" id="LPlnk689713" style="color:#253374;text-decoration:underline;">glipschitz@summitinternet.com.au</a><br>
<a href="http://summitinternet.com.au" target="_blank" style="color:#253374;text-decoration:underline;">summitinternet.com.au</a><br>
<a href="tel:1300%20049%20749" target="_blank" style="color:#000001;text-decoration:none;">1300 049 749</a><br>
Unit 2, 31-39 Norcal Road, Nunawading VIC 3131</div><br /><hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> AusNOG &lt;ausnog-bounces@lists.ausnog.net&gt; on behalf of Rob Thomas &lt;xrobau@gmail.com&gt;<br>
<b>Sent:</b> 30 March 2023 14:54<br>
<b>To:</b> ausnog@lists.ausnog.net &lt;ausnog@lists.ausnog.net&gt;<br>
<b>Subject:</b> [AusNOG] Critical 3CX Windows/Mac hack.</font>
<div> </div>
</div>
<div>
<div dir="ltr">As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.
<div><br>
</div>
<div>If you, or your clients, are running 3CX, make sure they ARE NOT using the app. If they are, their machines are probably already owned, and all their stored credentials and session cookies have been leaked.</div>
<div><br>
</div>
<div><a href="https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/">https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/</a><br>
</div>
<div><br>
</div>
<div>This is really bad. Sorry 8-(</div>
<div><br>
</div>
<div>--Rob</div>
<div><br>
</div>
</div>
</div>
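<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
The commands in Greg's message above delete the hosted installers outright, which also destroys the only local copy of what the PBX was actually serving to clients. The script below is an added example (it is not from either message in this thread and is not 3CX's own tooling) that performs the same containment step but quarantines the installers instead of deleting them: each file gets a SHA-256, size and mtime line in a manifest before it is moved out of the web root, so the files can still be compared against vendor or incident-response indicators later. It assumes the electron directory layout quoted in the thread and GNU coreutils (sha256sum, stat); the quarantine path (/root/3cx-quarantine), the manifest name and the --run switch are this example's own choices, and the systemctl step only executes with --run.
</div>

```shell
#!/bin/sh
# Added example, not from the e-mail thread or from 3CX: quarantine (rather than
# delete) the 3CX Desktop App installers a PBX serves to clients, recording a
# hash manifest first. Assumes the electron directory layout quoted in the
# thread and GNU coreutils (sha256sum, stat). QUARANTINE_DIR, manifest.tsv and
# the --run switch are this example's own choices.
set -eu

ELECTRON_DIR="${ELECTRON_DIR:-/var/lib/3cxpbx/Instance1/Data/Http/electron}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/root/3cx-quarantine}"

# Print the installer artifacts under directory $1, one path per line:
# osx/*.dmg, osx/*.zip, windows/*.msi, windows/*.nupkg (same set as the thread).
list_installers() {
    for f in "$1"/osx/*.dmg "$1"/osx/*.zip "$1"/windows/*.msi "$1"/windows/*.nupkg; do
        # An unmatched glob is left as a literal pattern; the -f test drops it.
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Count the installer artifacts still present under $1 (expected 0 afterwards).
count_installers() {
    list_installers "$1" | wc -l | tr -d ' '
}

# Move every installer under $1 into $2, keeping the osx/ or windows/ subdir,
# and append one line per file to $2/manifest.tsv: sha256, bytes, mtime, path.
# Prints the number of files quarantined by this call.
quarantine_installers() {
    src="$1"; dst="$2"
    manifest="$dst/manifest.tsv"
    mkdir -p "$dst"
    if [ ! -f "$manifest" ]; then
        printf 'sha256\tbytes\tmtime\tpath\n' > "$manifest"
    fi
    before=$(wc -l < "$manifest")
    # while-read keeps paths with spaces intact; the manifest persists even
    # though the loop body runs in a pipeline subshell.
    list_installers "$src" | while IFS= read -r f; do
        rel="${f#"$src"/}"                        # e.g. windows/app.msi
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(stat -c %s "$f")
        mtime=$(stat -c %y "$f")
        printf '%s\t%s\t%s\t%s\n' "$sum" "$size" "$mtime" "$f" >> "$manifest"
        mkdir -p "$dst/$(dirname "$rel")"
        mv "$f" "$dst/$rel"
    done
    after=$(wc -l < "$manifest")
    echo $((after - before))
}

if [ "${1:-}" = "--run" ]; then
    # Stop the update service first so nothing is re-downloaded mid-cleanup,
    # then disable it so it stays off after a reboot.
    systemctl stop unattended-upgrades
    systemctl disable unattended-upgrades
    echo "quarantined $(quarantine_installers "$ELECTRON_DIR" "$QUARANTINE_DIR") installer(s) into $QUARANTINE_DIR"
    echo "installers still in web root: $(count_installers "$ELECTRON_DIR")"
fi
```

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Run it as root on the PBX with <code>--run</code>; without that switch it only defines the functions, so it can be sourced and pointed at a copy of the directory first. Moving the files under /root keeps them off the HTTP path while the manifest hashes give you something to hand to whoever is tracking indicators for this incident.
</div>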
</body>
</html>