ALERT 3CX client Backdoor Part 2

 
Yes, I see that. 8 days after users started reporting the issue a blog post was finally created. No emails to any users or partners yet.
 
 
I wonder how this happened in the first place. Are they using some sort of OSS that had an exploit in it? Did they hire people from overseas to write the app and they inserted it? If this was all produced in-house, I don't see how it could have that exploit unless they had a disgruntled employee ??
 
> I wonder how this happened in the first place. Are they using some sort of OSS that had an exploit in it? Did they hire people from overseas to write the app and they inserted it? If this was all produced in-house, I don't see how it could have that exploit unless they had a disgruntled employee ??
I have seen where some sites were compromised and they uploaded a new version of the software which had been infected with malware.

I recall even a Microsoft CD was compromised and they were sending it out with malware on it.
 
If you manage 3CX sites, you probably should read this PC Mag article documenting how the attack works and the scope of what may lie ahead. 3CX's consultant, Mandiant, presumably will cover this in more detail in coming days.
 
> I wonder how this happened in the first place. Are they using some sort of OSS that had an exploit in it? Did they hire people from overseas to write the app and they inserted it? If this was all produced in-house, I don't see how it could have that exploit unless they had a disgruntled employee ??

It's an interesting read: a bundled library that they compiled into the app using git...

Best of luck to anyone compiling an app using git, I prefer make, does what it says.
 
Wow - this really jumps out at me. Is it possible this company has grown this much, this fast?

The company has claimed that some 600,000 organizations worldwide — with more than 12 million daily users — currently use its 3CX DesktopApp.
 
ChatGPT Response:

CVE-2013-3900 is a vulnerability in the Windows kernel-mode drivers that can allow an attacker to execute arbitrary code with kernel-level privileges. This vulnerability occurs due to improper handling of certain objects in memory by the Windows kernel-mode drivers. An attacker can exploit this vulnerability by running a specially crafted application that can pass malicious input to the affected drivers, leading to the execution of arbitrary code with kernel-level privileges.

This vulnerability was rated as critical by Microsoft because an attacker who successfully exploits this vulnerability can take complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights.
 
WHY wouldn't MS have this as a patch that gets automatically done with windows update?
 
> WHY wouldn't MS have this as a patch that gets automatically done with windows update?

The reason it's not default is because it can break things. Random things, without warning, that would take the app developer to fix (because they are not Microsoft things, they are 3rd-party things).

It's on the user to assess if it doesn't break shit they need.

This is one of those where there is no win for MS. If they enforce it and make it opt-out, they break random stuff and generate a swarm of support issues and bad will. If they don't enforce it, then when that "1 in a million" shot of successful exploitation sticks it in their ear, they get bad press and bad will.

Part of the problem of being so ubiquitous; damned if they do damned if they don't.

¯\_(ツ)_/¯
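The opt-in discussed in this thread is Microsoft's hardening for CVE-2013-3900, the WinVerifyTrust signature padding check, which is shipped disabled and switched on per machine through the EnableCertPaddingCheck registry value. The PowerShell below is an added example, not code from the thread or from 3CX: it audits both registry locations so an admin can see whether the check is on, and offers a dry-run enable so it can be tested against the 3rd-party signed apps the post warns about. It assumes a PowerShell session with rights to read and write HKLM.

```powershell
# Added example (not from the thread): audit and optionally enable the
# opt-in Authenticode padding check for CVE-2013-3900.
# Both keys exist on 64-bit Windows: the Wow6432Node one covers 32-bit apps.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-CertPaddingCheckState {
    # Returns one object per key: the raw value and whether it equals "1" (REG_SZ).
    foreach ($p in $paths) {
        $value = $null
        if (Test-Path $p) {
            $value = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck `
                      -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        }
        [pscustomobject]@{
            Path    = $p
            Value   = $value
            Enabled = ($value -eq '1')
        }
    }
}

function Enable-CertPaddingCheck {
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($p in $paths) {
        if ($PSCmdlet.ShouldProcess($p, 'Set EnableCertPaddingCheck = "1"')) {
            New-Item -Path $p -Force | Out-Null
            Set-ItemProperty -Path $p -Name EnableCertPaddingCheck -Value '1' -Type String
        }
    }
}

Get-CertPaddingCheckState | Format-Table -AutoSize
# Enable-CertPaddingCheck -WhatIf    # drop -WhatIf once your signed 3rd-party apps have been tested
```

A reboot is not required, but signatures that relied on unchecked padding will start failing validation once the value is set, which is exactly the breakage the post describes.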
 
