They've pulled the installers from their website and refer people to the web 
client...which is not much of a start...


On 2023-03-30 14:09 Greg Lipschitz wrote:
> Here is a list of commands (or make a shell script) to stop it phoning home 
> and getting more payload.
> 
> # Disable 3CX Unattended-Upgrades Service
> 
> systemctl stop unattended-upgrades
> 
> # Collect the version of 3CX Desktop Apps on the Server
> 
> cd /var/lib/3cxpbx/Instance1/Data/Http/electron
> ls -la * > /root/3cx-desktop-versions.log
> 
> # Remove the files
> 
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi
> rm -rf /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg
> 
> 
> https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-5
> 
> 
> Sadly, 3CX haven't even acknowledged this yet.
> It would seem that their whole CI-CD pipeline has been compromised.
> 
> Greg. 
> 
> Greg Lipschitz | Founder & CEO | Summit Internet
> glipsch...@summitinternet.com.au
> summitinternet.com.au
> 1300 049 749
> Unit 2, 31-39 Norcal Road, Nunawading VIC 3131
> 
> *From:* AusNOG <ausnog-boun...@lists.ausnog.net> on behalf of Rob Thomas 
> <xro...@gmail.com>
> *Sent:* 30 March 2023 14:54
> *To:* <ausnog@lists.ausnog.net> <ausnog@lists.ausnog.net>
> *Subject:* [AusNOG] Critical 3CX Windows/Mac hack.
>  
> As no-one's mentioned it here yet, I just thought I'd bring up the zero-day, 
> in the wild, active RIGHT NOW, trojan 3CX Windows and Mac apps.
> 
> If you, or your clients, are running 3CX, make sure they ARE NOT using the 
> app. If they are, their machines are probably already owned, and all their 
> stored credentials and session cookies have been leaked.
> 
> https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/amp/
> 
> This is really bad. Sorry 8-(
> 
> --Rob
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG@lists.ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
> 
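
An evidence-preserving variant of the removal commands quoted above, as an added example that is not part of the original thread and not from 3CX: it records a SHA-256 manifest of the hosted desktop installers and moves them out of the web-served directory instead of deleting them, so the files remain available for incident response. The function name and the quarantine location are assumptions; the directory layout and file types are the ones given in the thread.

```shell
#!/bin/sh
# Added example: quarantine the desktop-app installers a 3CX server offers
# for download, hashing each one first so nothing is moved unrecorded.
#
# Usage (quarantine path is an assumption, pick any root-only location):
#   sh quarantine.sh /var/lib/3cxpbx/Instance1/Data/Http/electron /root/3cx-quarantine

# quarantine_installers ELECTRON_DIR QUARANTINE_DIR
# Prints the number of files moved. Manifest: QUARANTINE_DIR/manifest.sha256
# The body runs in a subshell, so the cd and variables do not leak to the caller.
quarantine_installers() (
    src=$1; dest=$2; count=0
    [ -d "$src" ] || { echo "no such directory: $src" >&2; exit 1; }
    mkdir -p "$dest" || exit 1
    chmod 700 "$dest"
    dest=$(cd "$dest" && pwd) || exit 1      # make absolute before changing dir
    mkdir -p "$dest/osx" "$dest/windows" || exit 1
    cd "$src" || exit 1
    # Same file types the original rm commands target.
    for f in osx/*.dmg osx/*.zip windows/*.msi windows/*.nupkg; do
        # An unmatched glob stays literal; skip it, and skip symlinks.
        { [ -f "$f" ] && [ ! -L "$f" ]; } || continue
        # Hash first; stop rather than move a file that was not recorded.
        sha256sum -- "$f" >> "$dest/manifest.sha256" || exit 1
        mv -- "$f" "$dest/$f" || exit 1
        chmod 400 "$dest/$f"                 # read-only, never executable
        count=$((count + 1))
    done
    echo "$count"
)

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    quarantine_installers "$1" "$2"
fi
```

Running `sha256sum -c manifest.sha256` from inside the quarantine directory later confirms the preserved files are unchanged, and the manifest hashes can be compared against published indicators.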