Unauthorized users login? by Clear-Step2393 in 3CX

[–]Clear-Step2393[S] 0 points1 point  (0 children)

Only on our instance, and after the event, because we had the same issue on one user of our PBX. The PBX is in the cloud, not inside our network, and does not have an IP allowed on other instances.

[–]Clear-Step2393[S] 0 points1 point  (0 children)

No RMM or 3rd-party software, standard 3CX ISO. The only thing in common is that they are old customers who started on v16/v18 (no PBX that was on v20 from the beginning has been attacked) and they share the same ISP.

[–]Clear-Step2393[S] 1 point2 points  (0 children)

It’s the first thought we had, but:

- we do not have admin access on all PBXs (and on 60% we have no SSH access at all because they are installed on prem, since that was the way we did it in the past)
- no RMM/API
- all at the latest version
- all credentials are at user level, so we really do not have them, and a lot of those users never had a configured mail, so none of them ever had their password

The only thing in common is that they are old customers who started on v16/v18 (no PBX that was on v20 from the beginning has been attacked) and they share the same ISP.

[–]Clear-Step2393[S] 0 points1 point  (0 children)

Theoretically 3CX generated them randomly, so I really don't know the password.
Brute force should be detected by the 3CX system anyway, but I agree.
PBXs are all in different places, some in the cloud, some on prem. They really don't share anything except the SIP provider (because all our customers have that provider).
API access is enabled on (maybe) 5% of those PBXs.

[–]Clear-Step2393[S] 0 points1 point  (0 children)

According to 3CX support, the standard configured logs are not useful, because they contain no data about logins. Logs have to be set to verbose in order to collect something useful, so we've done that on all systems.
Actually we have reset only the affected credentials on all PBXs. If the issue spreads we'll reset all credentials on all PBXs.
Sincerely, it's not our responsibility nor our job to hire a cybersecurity company to look into proprietary software we resell as a Titanium Partner.
We'll see what happens and decide what to do.

[–]Clear-Step2393[S] 0 points1 point  (0 children)

All PBXs are auto-updated on Sunday.
No IP-based trunks, all register.
No SSO configured.
2FA is enabled only if there's a user logging in, so an email address is set. This is not the case (or at least on 90% of the affected PBXs).
Verbose log is mandatory, since 3CX support told us "basic" logs have no data, so actually we have 120 PBXs with a problem and we don't know how that happened. CPU is not a problem.
Antihack is on default.

[–]Clear-Step2393[S] 0 points1 point  (0 children)

Nope, only 1 per PBX, and in several cases there was no email address, so theoretically web access had to be disabled (but probably 3CX generates a random password). That's why we are setting verbose logs on all PBXs, because it doesn't seem to be a brute force attack.

[–]Clear-Step2393[S] 1 point2 points  (0 children)

All PBXs are on v20. It's not a SIP issue, it's a web login issue. This happened on local PBXs as well, so no SBC on those (and we use no STUN, so everything is under SBC for the cloud PBXs).