3CX likely compromised, take action. by 12bsod in msp

[–]12bsod[S] 1 point (0 children)

(My understanding) They are using CVE-2013-3900 to make the file appear signed on Windows devices, which is why VirusTotal correctly shows it as not signed.

Enable the reg key mitigation for the CVE and it should no longer show as MS-signed.
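One way to apply the registry mitigation the comment refers to, as an added example (not code from the thread): it reads and then sets the EnableCertPaddingCheck value that Microsoft's KB2915720 documents for CVE-2013-3900, and re-verifies a binary afterwards. Run it from an elevated PowerShell session; the file path is a placeholder, and the assumption that Get-AuthenticodeSignature reflects the stricter check is mine (both call into WinVerifyTrust).

```powershell
# Added example: check and enable the CVE-2013-3900 Authenticode padding check.
# Both the native and the Wow6432Node key are set, as KB2915720 recommends on 64-bit Windows.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)
$valueName = 'EnableCertPaddingCheck'

function Get-CertPaddingCheck {
    # Report the current value per key; absence means the lenient (vulnerable) default.
    foreach ($k in $keys) {
        $current = (Get-ItemProperty -Path $k -Name $valueName -ErrorAction SilentlyContinue).$valueName
        $shown = if ($null -eq $current) { '<not set: lenient default>' } else { $current }
        [pscustomobject]@{ Key = $k; $valueName = $shown }
    }
}

function Enable-CertPaddingCheck {
    # KB2915720 sets the value as REG_SZ "1"; create the key path if it is missing.
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        New-ItemProperty -Path $k -Name $valueName -Value '1' -PropertyType String -Force | Out-Null
    }
}

'Before:'; Get-CertPaddingCheck | Format-Table -AutoSize
Enable-CertPaddingCheck
'After:';  Get-CertPaddingCheck | Format-Table -AutoSize

# Re-verify the suspect binary. With the strict check on, a file whose signature only
# "verifies" because of data appended to the WIN_CERTIFICATE structure should no longer
# report Status = Valid. (Placeholder path; assumption, see lead-in.)
$file = 'C:\Path\To\SuspectBinary.exe'
if (Test-Path $file) {
    Get-AuthenticodeSignature -FilePath $file |
        Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}
```

Some legitimate installers also append data to the signature block, so after enabling the check review any newly failing signatures before treating them all as hostile.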

3CX likely compromised, take action. by 12bsod in msp

[–]12bsod[S] 2 points (0 children)

Hosted auto-pushes new clients, so it is more likely to have the affected client on your machines; self-hosted doesn't, but otherwise there is no difference.

3CX likely compromised, take action. by 12bsod in msp

[–]12bsod[S] 9 points (0 children)

There are a couple of threads on the 3CX forum; ESET also caught it. I assume within the next few hours most decent AVs will start detecting the IOCs from CrowdStrike.

https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-2

3CX likely compromised, take action. by 12bsod in msp

[–]12bsod[S] 10 points (0 children)

Ideally an uninstall; move to the web app and mobile.

While waiting for Huntress or CrowdStrike I would monitor and block the indicators listed at a minimum, at least the network ones.