3CX: How this malware almost hacked every business
HTML-код
- Опубликовано: 7 апр 2023
- 3CX: A popular phone system software for VOIP was hit by a supply chain attack, with the original source serving malware infected installers.
Buy F-Secure now with -52%: prf.hn/click/camref:1101liYab... (sponsor)
Buy the best antivirus: thepcsecuritychannel.com/best...
Join the discussion on Discord: discord.tpsc.tech/
Get your business endpoints tested by us: tpsc.tech/
Contact us for business: thepcsecuritychannel.com/contact 
Наука
I just imagined scam call centers being affected by this
Lmao im currently watching jim browning on my laptop
Should be used against them :-))
They usually run pirated versions of vicidial
I’m sure they are petri dishes for malware 😄
One of the guys that scam the scammers should get ahold of this file and execute it on their system, hopefully it would infest their entire network.
The 3CX response is somewhat typical of many businesses in general. It just shows, that making business is mostly about getting paid and avoiding as many responsibilities as possible.
It's not just about being hacked. It's about everything that is remotely tied to bearing costs, that eat away at the profit margin. Do as little as possible but get as much money as possible.
This isn't bad per se, but it often is, because businesses then try to ignore important issues like waste and environmental pollution, they hide internal data, sell customers data, do away with proper security etc. The list just goes on and on. It's true both for small and big business, the difference being the big business has a lot more capital to layer their way out of responsibility.
And if you are an honest business that cares about its customers your costs are so high compared to the unscrupulous businesses, that you go out of business very quickly. The state has become so corrupted through lobbing that it's too weak or uninterested in leveling the playing field for businesses and holding them accountable to laws that are already in place.
Current year is the spider-man meme at all levels.
. Mostly about getting paid?
It's *all* about getting paid. The product and customer care are just tools to getting paid
3CX is worse. Their CEO is a complete piece of shit and pathetic excuse for a human being. He got permabanned on reddit for doxxing someone. His policy is "ban anyone who goes against me" on the 3CX forums. 3CX resellers get treated like shit. In short, Nick Galea deserves to be pistol whipped.
That sucks, man.
It's particularly frustrating when security professionals know this software is doing something malicious but the company where the file is hosted refuses to even look into the problem.
It needs to get into the NEWS for that to happen. And unfortunately the news won’t report on it until massive damage is done. And then grannies around the world will send bogus claims to all their friends that they should unhook their phones for a week and wrap them in aluminum foil or they’ll get infected. And then granny dies because she can’t call the doctor with a medical emergency.
It just means that their "professionals" in their field are inept at doing their jobs.
This figure us becoming common day after another, which means companies are feeling safe from people's reaction since long violation of their privacy caused them not to care any more.
The "fun" part is that the threat actors used a 10 year old Windows certificate evaluation bug (CVE-2013-3900) for this supply chain attack, which has not been patched out of existence yet.
What?
30 seconds of googling shows the exact reg command to run to enable EnableCertPaddingCheck and its been released since 2013-02-13. They just don't want to enforce it themselves since they already stated it can break running environments.
@@SmugLlama1234 Oops, I've misread the BleepingComputer article on it which still mentions that upgrading to Windows 11 removes that setting. Nevertheless, it's not a well known bug, I can't blame the company for that at the very least.
@@malwaretestingfan Yeah wouldn't of prevented the attack either way but exploits like this become almost impossible to enforce a fix for when they're trying to stay backwards compatible for software 20+ years old as a slogan.
@@SmugLlama1234 Not just software, hardware as well (which requires dated software in a lot of instances) 😅
That’s however only to hide the first stage, it’s not really the root of the compromise. They could have just ship an unsigned DLL or a DLL signed by the compromised vendor.
I hope 3CX gets sued to oblivion. This is absolutely unacceptable behavior from a company that mass-distributes corporate software 😑
ain't every single corporation being ignorant when their customer data was leaked ? and did anyone sue and actually get anywhere ? be real for god sake .
if you check your mail it's probably out there in leaks and are you gonna go and sue corporation XYZ cuz they get breached ? ROFLMAO good luck !
That really shows that even with words from the companies, that isn't gonna stop malicious actors from hijacking you. Hence why FOSS is really gonna be the bigger alternative if that kind of thing keeps up.
Thanks Leo! As usual, very informative and a great breakdown of the key facts. Thanks for what you do!
Excellent video!!! This video gave me an idea for possible future PC Security Channel video: Maybe do a "top 10 most sophisticated malware threats" video, where you highlight the malware threats with the most sophisticated techniques for avoiding detection,etc. What you presented here is very impressive and I can only imagine, the bad actors will improve, especially with AI helping out. Thanks for posting!
if you try to shift the blame you have instantly lost my respect.
edit :changed trust to respect.
I agree, but when talking about security, there's no one to trust. Not even AV companies that this channel advertises.
Security is not about slapping on an AV and hoping it prevents what it prevents...
Security is about limiting the OS in a manner that these types of attacks are almost non-existent.
@@TheSpanjaMan most defently true. that is where the rule of zero trust comes from. i do realise i ment respect and not trust tho so thank you for yhat XD
Although all the evidence you've meticulously gathered clearly points to me without any doubts whatsoever, it ain't me! Yeah. LOOK AT THIS GUY INSTEAD!
Thanks for this.
I had an old (not used for 10+ months) installation of 3CX on my PC which i immediately removed.
This is absolutely beyond unacceptable.
What an informative video, as usual. Thank you. May I ask what the name of the graph program you are using is?
I am surprised, that Microsoft/Windows Defender picked it up so fast.
Finally, Microsoft at the forefront! Forefront of what exactly I don't know, but they did show up. 😄
Interesting video, thanks. Hadn't heard of 3CX before to be honest. In those areas of the public sector I'm most familiar with we tend to use MS Teams for all calls/video conferencing these days.
Too many vulnerabilities w common apps. Nuts
Switch to linux and you won't have problems my friend. You'll leave the comfort zone but for a better place.
@@fab_81 not true. Linux still has problems with the OS, apps, etc. I use Linux. You're spreading a myth that Linux is safe, like Mac and iPhone users love to spread myths that they're safe.
Linux has antivirus, rootkit hunters, etc. Linux is targeted more lately, since it's not focused on much and most servers run on Linux. The most popular smartphone is Droid, my favourite, and it's Linux-based.
Smartphones still get malware and such.
Plus, Linux doesn't have much capability with gaming since Windows is the designated OS for gaming and even Ubuntu Linux doesn't have too good of drivers. Wine may leave vulnerabilities by making some Windows stuff work on Linux. Not much works with it, and plenty of issues with apps using it. Most games made for Windows will lag on it. I've never used it though.
There is another app to make some Windows stuff work better on Linux, but it costs hundreds of dollars to use, and you might as well just have bought a Windows license.
Windows 11 is quite secure, sleek, etc. Malware just needs to be written to not have the code known, and it's good. It can also have encrypted code. Other ways to go about it too.
Just be more responsible when you use an OS online, around people, and with whatever you put into it from another device. (;
Stay up-to-date with patches, and be more careful, or just don't use smartphones, computers, and tablets then, I guess.
@@BorisJohnsonMayor beat me to it. Hehe. You got more likes too. I was just writing a longer comment. XD
Just beat it! Haha 😂😂💀MJ. :3 🔥🤝 Astral Realms 💀👻 🔥 FH RIP. Scandal debunked and many misuse the p-word too. Hehe
Cyber Security Sauna, a podcast from Finland brings guests from F-Secure all the time. I never actually seen their products
cool you finally did a video on 3CX ! Thanks :)
Not the first time nor the last - supply chain attacks are becoming more frequent . Kaseaya, Solar winds,.....there will be many more.
They will be sued out of business.
That was very much irresponsible behavior by 3cx.
playing down, ignoring, turn away
sued by whom? sueing companies in the tech industry doesn't fair well for most
@@swimfan6292 Didn't this affected companies like Pepsi?
@@nicolasramirez5789 Pepsi 100% has the means to sue if they were affected.
All be design when you let bad communist/socialist leaders indoctrinate, steal and deceive. Looking at the public school systems should wake you up. It is all a web. We need the true president, Donald Trump, and better more solid strong American leaders back. These self centered communist socialist leaders like Biden, Obama, Clinton and Harris, and any Congress and educators who go along with them, are why we have the bad policies and failing country right now. The evidence is clear. Corporations are the same in this way.
ROFLMAO it's not like they put this crap in their own software, they been hacked and 3rd party put malware in, he said it in video , it's like you are gonna sue fire cuz your property burned down , WTF you talking about. They prob gonna loose lot of business cuz their reputation is crushed now but only one you can sue is ppls who hacked malware into it and good luck finding out who it was
I am shocked at the amount of comments from people saying they've never heard of 3CX before.
Would be interesting to analyze their Linux binary as well.
Careful! You could trigger the deluded linux fan boys screaming 'linux can't get malware!' with that suggestion :)
Explained very well, thanks a lot!
Great run through, whats the name of the graph disassemble software you are using at 3:20?
Same I want to know as well
Yes i wanna know to
Found it, it's VirusTotal Graph
Great video, what is the name of the tool you used to generate the graph from the MSI ?
@The PC Security Channel
Thank you for the very helpful and educational posts! Can I request something for a future post? Because a lot of people are training Ai and installing these locally in their machines for training, can you please explore the possible risks or any trending, suspicious behavior your security contacts noticed with these codes running in the background? Thank you very much!
Well thought through plan
Good job, nice and easy explanation
What is the program you were using to see the graph of what the program is doing?
Our company had to uninstall it like crazy fast. It's interesting that this video explains what actually happened.
An important news with an interesting information about a popular software.
This feels like the Audacity/ClassicShell hack all over again. At least this one didn't overwrite our MBR
May I know where do you find out about news like this? I would like to keep myself informed to stay safe.
Is that history of detection events an Enterprise only feature?
What's that cool graph tool you used to dissect that executable? Looks kind of awesome did you every do a video on that alone?
It's VirusTotal.
You need a login for virustotal and at the top of the page is the tool
everyday i learn something thanks bro
it would have been good if you could go into the signing issue more in depth. It sounds like you're saying the actual app executable is signed with 3CX's certificate, but the entire MSI bundle is not signed. Obviously a wide attack surface if this is the case.
Thank you for the explanation
Do we know if the ffmpeg hacked DLL was procured by them in a pre-compromised version or if their built system was compromised and modifies the DLL.
Thank you for this!
Would anyone happen to know the name of the software used to pull apart the executable at
4:15 ? Thanks, and great video. :)
As someone that has worked on windows systems since win 3.1, I've stopped using antivirus software since 2008.
Had far to many times where false positives were quarantined then the OS starts writing errors and becomes a problem itself.
Since I've stopped, I haven't had to do another full reinstall of any OS and two laptops are still running xp sp2 as my media system.
Difference is I grasp the ways of internet infections and use that to prevent infections.
Only two times I had to do a fresh install was due to idiots on my computers, clicking links for a free scan.
I also us p2p and AV has caused immense loss of data due to false positives.
Currently running, win 7, win 8.1 x64, 10 and Linux, on different systems.
Currently there's a large number of society keeping AV companies running, and McAfee isn't the only company that developed viruses to justify updates that have subroutines that effectively act like trojans or data collection.
Takes me 4.5 days on average to set up a phone these days because I fully customise and I'm a rare breed in the respect that I read every single EULA, plus research new processes.
Most people are to damned dumb and just click yes to install, then wonder why they're getting problems.
That's uf they recognise they even have problems.
I'm not even surprised that NHS was on that list 😢
will malware bytes pick up any of this?
I wouldn't expect a standard antivirus to detect it right away. But I would think that a newly updated program accessing URLs it isn't supposed to would result in a block.
That is what I am wondering, Kaspersky and Bitdefender did not detect it at firs, but their firewalls 'should' have blocked the url.
How to remove this malware after it has infected ones pc?
This is pretty much SolarWinds 2.0
Only with much worse information politics. No analysis available and stupid recommendation to delete the software instead of providing a clean update.
@@berndeckenfels which icks me because it can be dll swap
The sponsor part was so fit tho
@ THE PC SECURITY CHANNEL
Do you know how I can have my VMware guest to have internet access but be isolated from the host so there is no vm escape?
What would I need and need to do?
Thanks for the video Leo. When I first saw you showing the .msi file and having a ffmpeg.dll right beside it, even though I recognized this to be a DLL injection attack, I didn't think that .msi file itself is hacked since the signatures are matching. Maybe someone downloaded from a different place which included hacked ffmpeg.dll file in the archive (probably a torrent) and then when people launched it immediately after installation from within installer (like launch the program checkbox checked on the finish page) and since it launched from the current directory with wrong path, this injection has happened and it infected immediately.
If that is the case, then it is a bug inside the official .msi installer itself for not launching the program from the correct directory. But if that is not the case, then I wonder how did the signatures match with the original. Is it the case that their devops build systems were breached?
1:48 Customer: Bro...your app got hacked
App dev: Nope, you are nitpicking and biased. I win, bye bye
"We'll die with pride, right?"
At least 3CX had a way to be contacted. Many companies try to get customers to only look at some ancient and very general FAQ's. Many companies do not list any contact details on their website.
Is that a freaking dunkey reference?
Wonder whether they word "bigot" got tossed out liberally as they were banning their customers complaining about malware.
@@vincei4252 ea support but without malware
What tool is used for graph view at 5:58?
Does someone has an idea?
At 8:04 as he scrolls down the list, there was a antivirus that detected it right from the start 1 / 59, I wonder which program it was.
I'm guessing it wasn't F-Secure :) :)
Whats that analysis program to Show Whats a program does?
What's that map that you used to show what the file does and what's inside it?
a couple questions.
Crowdstrike and SentinalOne. Never heard of those. Are those available to users or are they not made for desktops?
How soon did Windows Defender detect it compared to 3rd party AV?
those are enterprise EDR/antivirus agents installed on (typically) business hardware by MSPs.
this will keep happening over and over
Whats the name of the software used to inspect the .msi file in the video at 3:26?
Hello sir, I hope you can do a test video about Emsisoft anti-malware software, I haven't seen you do this software for a long time, about 5-6 years ago you did it, but it's old.
Thanks for that. Shared.
Yikes! I had to use 3CX for a temp system (hosted in-house with physical phones) for a couple weeks before we got a permanent phone system. 3CX had to be the worst system I've ever used. The second the new system went live, I deleted to 3CX server from the data store without even shutting it down.
I've never ever heard about this 3CX
i wanna go into cybersecurity but don't know where to start, what programming language should i start with etc can someone help me?
can you help me to fix my Windows security, my windows security wouldn't appear, and just a blank screen when I click it it cause viruses from Ocean of Games
Great Video!!
Are there any open source control software that you can purposely install to be able to control a system that you own? I want it running in background like like malware would but it reports to my own server.
Guacamole could be something for u
Open source...something everyone could edit to inject some malicious code there? Brilliant idea!😂
@@randomnickify yeah, something that anyone could inject with malicious code, but when detected - could be traced back with ease, as soon as it gets suspicious, and there would be no blame shifting or stalling, yea, that open source
@@nocoz112 I know you're trying to be sarcastic and all, but it's not as easy as it looks.
@@Johnithinuioian but closed-source vs open-source, when shit hits the fan - which one is better? obviously both have pros and cons but come on, if there's a breach in closed-source, you literally can do nothing about it, and as the video showed - it can even work against you
None of the businesses I work at don't use 3CX fortunately.
No mention that this is an electron app? Or how the attackers modified the dll that 3cx uses? :-/
👍Thanks!
Hi can you please do a test with Spybot - search and destroy and see if it’s any good against finding malware and other viruses
I think I asked this before, what is this software called? It seems interesting
the wonders of proprietary close source software
Bro, can you test Dr Web, please? As a Siberian, I have lost access to my favorite Antiviruses from the west and have to depend on Russian software (Such as Kasper and Dr Web) . But Kasper is using this as a bussiness opportunity and cranked the price up. By the way, I have been using Panda Antivirus for many years, is it even good? I never depend on AV to protect my pc, but it would be nice to know.
The more I watch your channel the more paranoid I get
Thank got I didn't do any updates and the auto-updater didn't work. I was still using an old version that wasn't infected.
Yea this is a good reason to not use auto update and defer the update until you can do it manually later on. If you keep the installer you can do a rollback too
3:18 which software do you use to see this?
Do you recommend Crowd Strike?
I used 3cx with Asterisk way before these major corps used it. It has not changed much since.
Only on businesses that had upgraded to V18, some are still on v16.
Only on Businesses that upgraded to the very latest version of V18, Update 7, which had only been available for like a week. This was caught pretty early in the scheme of things.
Is there a way to request a video of a certain program? 👀
I was looking into my files to free up some space and I saw an Antivirus installer that I have never installed.......
Correction: "an Antivirus installer that I have never downloaded before."
You only need one antivirus running at a time so if youre already using one you can delete the other.
Excellnet videos and tutorial contents.
This is why users are never given local admin rights.
As far as I can see, this would still cause problems even when running as local user rights, because the local user has access to their browser cookie store etc.
@@katrinabryce It really illustrates a major flaw in the fundamental concepts of computer security when these operating systems were being designed. Why are all privileges based on the current user? A chat client doesn't need to look at my browser history, the browser especially doesn't need access to sensitive parts of the system, etc. You really need mandatory access controls, something like SELinux, to keep stuff like this from happening. Android uses a very basic version of this for its permission system - it's certainly better than nothing.
Now imagine all of the other software that have been hacked and we don't know about.
What about vitualbox the hackers use to hack and delete files?
What’s the current status of the app? Its been cleaned from threats?
Slightly random question... Why don't ISPs get hacked?
They get hacked just like anybody else (every now and then). Companies usually try to hide the fact, of course.
Side note: Is it the F-Secure that rebranded to W-Secure recently ? Bug my mind
Yes for their business products they rebranded them to WithSecure but the consumer ones are still F-Secure.
When was this installer infected? I have been using this App for years?
On or before 22 March this year.
@@katrinabryce Thanks, I wasn't sure if that was the first version that was affected. Checked my installer, it's over 10 years old!
3:39 what is that app called?
hello, I am studying computer sciences to make a Master in cybersecurity. My laptop (Hp envy 14" model 2020) Windows 11 Pro, 8Gb RAM and 512 Gb storage, i5-1135g7
I wounder is it bad with my laptop specs if I lunch 2 Virtual machines at the same time , one for Kali and another for windows lab test ?
for your info while I study/read on Edge the laptop fan is almost always off because the laptop is cold.
Thank you in advance
The more RAM the better, 8GB is not enough anymore, 16GB RAM minimum. More cpu cores would be better also, your cpu has 8 cores.
@@dvuemedia Yeah your right more RAM is better but what happen if I run low on RAM, and I have 10Gb virtual Ram from Nvme ssd, does it make it better ?
@@MedicalStudentChannelNVMe will help, but is not a substitute. RAM has lower latency. Remember, You want to run 3 OS on your laptop at the same time, each OS need RAM to operate. Linux with low RAM could be fine, but Windows 11, probably not.
@@dvuemedia thank you for your time, I understand now
Need more RAM
What is the name of that software that shows us the msi file from within?
It's a Virustotal graph.
If I'm a business, bye bye 3CX. Start cleaning your machines.
can you try eset antivirus and see if it can remove the malware right after installing the app ?
Likely flags it on download.
I assume once the exploit is discovered, virus detecting software..... adds that to the list of things to check?
Yes but still only half of the VT engines recognize it. It is probably less for derived (different) installers using the same chain.
What government, organization, oligarch, ngo or business is behind this?
I don't get how the malware is able to bypass the windows antivirus and other antivirus on the systems.
less imposing sounding... but if you had said Enterprise or DM software, I'd have been in cold sweats
Quick Heal 💪💪💪💪
this is why we need to outsource and migrate everything to cloud and exclusively use services, serverless whatever newest cool tech to 'develop' (rather configure) 'our' products, and save customer data. Btw events like this are probably going to be used as an excuse to lock down hardware and operating systems even more, so only certain people can surveil and manage everyone. Options confuse people, create an illusion of choice.
Are you being sarcastic? If not, which one of those companies do you work for? Because there's no way you would think that unless you are getting money out of it.
Digitizing and centralizing aren't the answer, they're the problem.
Physical records are nearly impossible for random people online to get access to.
Most data shouldn't be stored anywhere online at all.
Post 2007 internet is cancer and so is everyone who joined since thanks to smart devices and wifi.
I now understand why I have malware that no one can find, although showing up now in virus total as PlugX. Was months ago I uploaded the files.
At the time I couldn't understand how it arrived but with you saying it can be part of a legitimate software that's been compromised I understand now.
It can only if the legitimate source was hacked or you downloaded from a compromised middleman
Could you do a DNS security test