3CX Compromised

It has been a tough week for MSPs who supply 3CX as part of their package offerings, and a lesson learnt for those whose EDR tools flagged the compromise and who decided to whitelist it as a false positive.

For those who don’t know, the issue started when a few MSPs posted on various forums that the latest 3CX app had been flagged as containing a threat actor. More on that can be read in the Huntress post: https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats

At our MSP, we immediately took appropriate action, blocking the reported malware websites via Cisco Umbrella. And to be fair to the Umbrella team, they put the block in place pretty quickly too. But we had a number of clients on the affected version, and we needed to get rid of it fast.

Well, here is a script to help you achieve such greatness.

DISCLAIMER! Running this code, you do so at YOUR OWN RISK. I have included a line that you can include to aim this at 1 tenant, or a tenant at a time, if you wish to do so.

This script will:

1. Use the GUID of each affected 3CX application.
2. Loop through each GUID and use msiexec to remove the application if present.
3. A reboot may be required to allow your RMM to then show it is no longer installed.

Who Are We?

Growth MSP is an MSP for MSPs. We manage migration projects from start to finish, at a price that means we can all make money. We aim to take the stress away, whilst allowing you to not put off sales due to lack of capacity.

The Code

Note here that your RMM most likely runs scripts as SYSTEM.

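# Allow scripts for this PowerShell process only; without -Scope Process the
# Unrestricted policy would stay set machine-wide after the script finishes.
Set-ExecutionPolicy Unrestricted -Scope Process -Force

# GUIDs of the affected 3CX applications
$guids = @(
    "{BF60C539-8A02-409E-B67C-3256DC61A8AB}",
    "{A89CE738-DAE1-4010-ADEC-AD38F1888199}",
    "{110A3CCE-3D00-4E4A-8E61-EE5A4DFDA908}",
    "{3D3B244E-7FB5-4747-BF11-64F34C128A8B}",
    "{D5F28C48-46B5-42C7-BC6F-2E3E14D4088C}",
    "{4BE10024-1B00-4837-99C2-CA630F1C3C75}",
    "{C5F3A982-1C13-4E12-8519-83C9A1CA3FCD}"
)

foreach ($guid in $guids) {
    # /x = uninstall, /qn = no UI, /norestart = do not reboot automatically
    $uninstallArgs = "/x $guid /qn /norestart"
    Start-Process msiexec.exe -ArgumentList $uninstallArgs -Wait
}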

What Happens When You Run This Code?

Running this script will remove all 3CX applications from the device, pending reboot.
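
To confirm the removal on a device rather than waiting for the RMM inventory to refresh, the read-only check below reports which of the listed GUIDs are still registered. It is an added example, not part of the original script; it assumes the GUIDs are MSI product codes (as their use with msiexec /x implies) and that it runs as SYSTEM, so only the hives of logged-on users are visible under HKEY_USERS.

```powershell
# Added example: read-only check, uninstalls nothing and changes no settings.
# GUID list copied from the removal script above.
$guids = @(
    "{BF60C539-8A02-409E-B67C-3256DC61A8AB}",
    "{A89CE738-DAE1-4010-ADEC-AD38F1888199}",
    "{110A3CCE-3D00-4E4A-8E61-EE5A4DFDA908}",
    "{3D3B244E-7FB5-4747-BF11-64F34C128A8B}",
    "{D5F28C48-46B5-42C7-BC6F-2E3E14D4088C}",
    "{4BE10024-1B00-4837-99C2-CA630F1C3C75}",
    "{C5F3A982-1C13-4E12-8519-83C9A1CA3FCD}"
)

# Machine-wide Uninstall keys: 64-bit view and 32-bit (WOW6432Node) view.
$sub   = "Microsoft\Windows\CurrentVersion\Uninstall"
$roots = @(
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\$sub",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\$sub"
)

# Also check the Uninstall key of every loaded user hive, in case a copy was
# installed per-user. Hives of users who are not logged on are not loaded.
$roots += Get-ChildItem "Registry::HKEY_USERS" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike "*_Classes" } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\$sub" }

$found = foreach ($root in $roots) {
    foreach ($guid in $guids) {
        $key = "$root\$guid"
        if (Test-Path -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{
                Guid    = $guid
                Name    = $p.DisplayName
                Version = $p.DisplayVersion
                Key     = $key
            }
        }
    }
}

if ($found) {
    $found | Format-List
    exit 1   # non-zero exit code so the RMM can flag the device
}
Write-Output "None of the listed 3CX GUIDs are registered on this device."
exit 0
```

A clean result only means none of the listed GUIDs is registered; it does not show whether the affected version ran on the device before removal.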

Want More Expert Tips Like This?

We’ve got dozens of tips and tricks like this to make your life as an MSP a little easier. We also offer expert mentorship, advice, and support for every aspect of an MSP’s business, including sales, marketing, support, and engineering. If you need help growing your MSP, please contact us today.
