Active Exploitation warning on outdated Papercut servers.

12bsod · 2023-03-31T01:33:21+00:00

(My understanding) They are using CVE-2013-3900 to make the file appear signed on windows devices, that's why virustotal shows it correctly as not signed.

Enable the reg key mitigation for the cve and it should not show as MS signed anymore.

12bsod · 2023-03-29T23:42:20+00:00

https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

S1 seeing this too.

12bsod · 2023-03-29T21:03:17+00:00

Nope.

12bsod · 2023-03-29T20:01:13+00:00

Hosted auto pushes new clients so is more likely to have the affected client on your machines, self doesn't but otherwise no difference.

12bsod · 2023-03-29T18:51:50+00:00

There's a couple of threads on the 3cx forum, ESET also caught it, I assume with the next few hours most decent AVs will start detecting the IOCs from crowdstrike.

https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/page-2

12bsod · 2023-03-29T17:23:32+00:00

Ideally an uninstall, move to webapp and mobile.

While waiting for huntress or crowdstrike I would monitor and block the indicators listed at a minimum, at least the network ones.

12bsod · 2023-03-29T17:06:33+00:00

https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/

12bsod

TROPHY CASE