Earlier today CrowdStrike reported a supply chain attack targeting the 3CX Voice Over Internet Protocol (VOIP) Windows desktop client.
- 600,000 companies use it
- 12,000,000 users
- Sophos has identified a MacOS variant infected
- Currently attributed to Lazarus Group
- 600,000 companies use it
- 12,000,000 users
- Sophos has identified a MacOS variant infected
- Currently attributed to Lazarus Group
π€―16β€4π4π€3π«‘3π₯°1
Prior to CrowdStrike's report - customers went to the 3CX forums expressing concerns that EDRs were reporting suspicious activity. EDRs from CrowdStrike, ESET, PaloAltoNtwks, and SentinelOne flagged the binary. 3CX said they were wrong.
Images via malwrhunterteam
Images via malwrhunterteam
π€£20π€5π2π€ͺ2β€1
SentinelOne has released an in-depth analysis of the malware and payload, they have dubbed it 'SmoothOperator'. The final payload exfiltrates data from web browsers Chrome, Edge, Brave, and Firefox.
tl;dr largest data theft in history?
https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
tl;dr largest data theft in history?
https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
SentinelOne
3CX SmoothOperator | 3CXDesktopApp in Supply Chain Attack
Explore the intricacies of 3CX Smooth Operator. Learn about the multi-stage attack chain and infostealer malware delivery at scale.
π€―20π€ͺ3
We have malware samples from the recent 3CX VOIP supply chain attack.
- SmoothOperator.7z
- 48.1MB compressed
- Samples from CrowdStrike and SentinelOne reports
You can download the malware samples here: https://share.vx-underground.org/
- SmoothOperator.7z
- 48.1MB compressed
- Samples from CrowdStrike and SentinelOne reports
You can download the malware samples here: https://share.vx-underground.org/
π₯27π₯°4π2
MacOS malware expert patrickwardle has been covering the MacOS variant of the 3CX VOIP supply chain attack.
Additionally, we have managed to get our hands on the MacOS variant.
Download: https://share.vx-underground.org
Analysis: https://twitter.com/patrickwardle/status/1641294247877021696
Additionally, we have managed to get our hands on the MacOS variant.
Download: https://share.vx-underground.org
Analysis: https://twitter.com/patrickwardle/status/1641294247877021696
Twitter
RE: The 3CX VOIP supply chain attack, vendors have stated that macOS was also targeted - but I couldn't find any specific technical details (yet) ππβ οΈ
One vendor stated, "we cannot confirm that the Mac installer is similarly trojanized"
...let's dive in!β¦
One vendor stated, "we cannot confirm that the Mac installer is similarly trojanized"
...let's dive in!β¦
π€―10β€4π2π―1
Very cool, thanks for supporting vx-underground, LeBron James
π€£45π€ͺ19π₯10π4π€3β€2π€―1π1
Hello,
If you're a person who possesses the recently leaked Vulkan files, and would be kind enough to share them with us, we would appreciate it. We would like to read them.
Thank you.
https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics
If you're a person who possesses the recently leaked Vulkan files, and would be kind enough to share them with us, we would appreciate it. We would like to read them.
Thank you.
https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics
the Guardian
βVulkan filesβ leak reveals Putinβs global and domestic cyberwarfare tactics
Vulkan engineers have worked for Russian military and intelligence agencies to support hacking operations, prepare for attacks on infrastructure and spread disinformation
π43π€£20π«‘8π5π―5β€2π₯2π€©1
The 3CX CEO stated that the supply chain attack that occured wasn't their fault, rather it was the result of an upstream vendor being compromised, suggesting FFmpeg, because this is where the malware payload resides
FFmpeg denies this because they don't release compiled binaries
FFmpeg denies this because they don't release compiled binaries
π49π€―9π€£7π€1
During the SolarWinds supply chain attack, the CEO blamed the intern. Now, a CEO must blame the free and open source library.
π€ͺ27π―19π13
This media is not supported in your browser
VIEW IN TELEGRAM
π₯60π₯°8π8π―6π€©5π2β€βπ₯1
π¨ !!!!BREAKING!1!! π¨
vx-underground, the infamous hacker forum and ransomware aktivist collective, has had their domain seized by EUROPOL
!!!!ALL PASSWORDS HAVE BEEN CHANGED!!!!
vx-underground, the infamous hacker forum and ransomware aktivist collective, has had their domain seized by EUROPOL
!!!!ALL PASSWORDS HAVE BEEN CHANGED!!!!
π€£165π«‘17π€―16π9π€ͺ8π±6π’6π6π€2π―2π₯°1
If you or a person you know has been a victim of vx-underground, please contact Joe Biden
π74π«‘58π€£33π5π€―5π±4π4π€ͺ3
Haha April Fool's.
We gotcha so good, you frickin nerds π
We gotcha so good, you frickin nerds π
π€―67π€ͺ19π9π«‘8π₯°6π±5π3π3π’2π1π―1
Our website has been restored. The prank is over.
Please download malware.
https://www.vx-underground.org/
Please download malware.
https://www.vx-underground.org/
π₯°39π€ͺ14π€£9π«‘7π€2β€1π±1