Hello and welcome to the Friday, March 31st, 2003 edition of the Sandcent Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, today I'll deviate a little bit from my normal format. I'll not start with today's diary post. Instead, I want to give an update on the 3CX

situation. I mentioned this briefly yesterday, 3CX, a company that distributes voice and video

over IP software. The desktop line that are distributing for Mac and Windows was a compromise,

which meant that beginning this week, if you download a desktop client, you also installed

a back door. With this application being used literally by millions of users, this is a significant

supply chain incident.

And while this is still a somewhat developing situation,

we do have a couple more details by now.

When you're running the malicious application,

it will first reach out to a specific GitHub repository,

download some icon files, and then extract some

base 64 data from those icon files that will give it additional instructions, in particular,

how to download a particular DLL for the Windows version that then implements an InfoSteeler. The InfoSteeler uploads data about the system,

version of software, browser versions, and also the browser history to a collection point,

to a command control server that then the attacker, of course, may have access to.

Now, this entire infrastructure has been dismantled by now, so if you are running it right

now, the software shouldn't cause any damage, but of course, we don't know everything yet

about it, so would still be extremely careful with this.

The root of all of this was the Lib FFMPEC library that was included with this desktop client.

Lip FFMPEC is a standard open source library.

It implements various sort of video audio encoding routines.

...