
3CX users under DLL-sideloading attack

Trying to run the latest 3CX; however, I'm receiving this error: finished - errors - no such table: xdr_data

SELECT
  meta_hostname,
  sophos_pids,
  domain,
  clean_urls,
  source_ips,
  destination_ips,
  timestamps,
  ingestion_timestamp
FROM
  xdr_data
WHERE
  query_name = 'sophos_urls_windows'
  AND
    (LOWER(domain) = 'akamaicontainer.com'
    OR LOWER(domain) = 'akamaitechcloudservices.com'
    OR LOWER(domain) = 'azuredeploystore.com'
    OR LOWER(domain) = 'azureonlinecloud.com'
    OR LOWER(domain) = 'azureonlinestorage.com'
    OR LOWER(domain) = 'dunamistrd.com'
    OR LOWER(domain) = 'glcloudservice.com'
    OR LOWER(domain) = 'journalide.org'
    OR LOWER(domain) = 'msedgepackageinfo.com'
    OR LOWER(domain) = 'msstorageazure.com'
    OR LOWER(domain) = 'msstorageboxes.com'
    OR LOWER(domain) = 'officeaddons.com'
    OR LOWER(domain) = 'officestoragebox.com'
    OR LOWER(domain) = 'pbxcloudeservices.com'
    OR LOWER(domain) = 'pbxphonenetwork.com'
    OR LOWER(domain) = 'pbxsources.com'
    OR LOWER(domain) = 'qwepoi123098.com'
    OR LOWER(domain) = 'sbmsa.wiki'
    OR LOWER(domain) = 'sourceslabs.com'
    OR LOWER(domain) = 'visualstudiofactory.com'
    OR LOWER(domain) = 'zacharryblogs.com'
    OR (LOWER(domain) = 'raw.githubusercontent.com'
        AND LOWER(clean_urls) LIKE '%/iconstorages/images/main/%'))
  • Ok, that makes sense and that works. BUT we've actually done some nslookups on these domains and entered a few in the browser to confirm our other tools are actually reporting correct results.

    Nothing comes back with this query, so we are not sure if it's actually working as it's supposed to. Are there any other queries we can run to check these domains against the datalake OR the actual workstations themselves?

  • I know some of our devices were infected and communicated with the domains but the queries don't return any results.

  • Do you recall the timeframe you selected when running the query?

  • Thanks for replying. I tried 24hrs, 7 days and 30 days. I ran the queries on the 31st March. The infections started to be reported late on the 29th and continued to be reported on the 30th as people signed in and 3CX started. We had two devices connect to the C2 domains, which were reported by Sophos at the time.
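The indicator list from the query above can also be checked outside the Data Lake, against DNS or proxy logs exported from the workstations themselves. The following is an added example written for this page, not code from the thread or from Sophos: it applies the same domain and URL-path indicators to a small constructed log (the `ts host=... qname=...|url=...` line format is an assumption chosen for the example, not any product's real format). It goes one step beyond the posted SQL: that query compares `LOWER(domain)` for exact equality, so a lookup of `cdn.msstorageazure.com` would not match; the `match_subdomains` option here also catches such hosts. Note also that `xdr_data` is a Data Lake table; submitting the same SQL as a Live Discover (endpoint) query produces the "no such table" error, because endpoints expose osquery tables rather than the Data Lake schema.

```python
import re
from urllib.parse import urlsplit

# Indicator domains copied from the Data Lake query posted in the thread.
IOC_DOMAINS = {
    "akamaicontainer.com", "akamaitechcloudservices.com", "azuredeploystore.com",
    "azureonlinecloud.com", "azureonlinestorage.com", "dunamistrd.com",
    "glcloudservice.com", "journalide.org", "msedgepackageinfo.com",
    "msstorageazure.com", "msstorageboxes.com", "officeaddons.com",
    "officestoragebox.com", "pbxcloudeservices.com", "pbxphonenetwork.com",
    "pbxsources.com", "qwepoi123098.com", "sbmsa.wiki", "sourceslabs.com",
    "visualstudiofactory.com", "zacharryblogs.com",
}
# The one indicator that depends on the URL path, not only the host.
GITHUB_RAW_HOST = "raw.githubusercontent.com"
GITHUB_RAW_PATH_FRAGMENT = "/iconstorages/images/main/"


def domain_matches(host, match_subdomains=True):
    """Return the indicator domain that `host` matches, or None.

    The posted query uses LOWER(domain) = '...' (exact match). With
    match_subdomains=True this also flags hosts beneath an indicator domain.
    """
    host = host.lower().rstrip(".")          # normalise case and trailing dot
    if host in IOC_DOMAINS:
        return host
    if match_subdomains:
        for ioc in IOC_DOMAINS:
            if host.endswith("." + ioc):
                return ioc
    return None


def url_matches(url):
    """Return the indicator a full URL matches (host, or the GitHub raw path), or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    hit = domain_matches(host)
    if hit:
        return hit
    # Mirrors: LOWER(domain) = 'raw.githubusercontent.com'
    #          AND LOWER(clean_urls) LIKE '%/iconstorages/images/main/%'
    if host == GITHUB_RAW_HOST and GITHUB_RAW_PATH_FRAGMENT in parts.path.lower():
        return GITHUB_RAW_HOST + GITHUB_RAW_PATH_FRAGMENT
    return None


# Constructed log format for this example: "<timestamp> host=<name> qname=<domain>"
# for DNS lookups, or "<timestamp> host=<name> url=<url>" for proxy requests.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+(?P<kind>qname|url)=(?P<value>\S+)$")


def scan_log(lines):
    """Return (timestamp, workstation, indicator, observed value) for every matching line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                          # skip lines that are not in the expected format
        value = m["value"]
        indicator = url_matches(value) if m["kind"] == "url" else domain_matches(value)
        if indicator:
            hits.append((m["ts"], m["host"], indicator, value))
    return hits


# Constructed sample log lines (hostnames and timestamps are made up for the example).
SAMPLE_LOG = [
    "2023-03-29T22:14:03Z host=WS-017 qname=msstorageazure.com",
    "2023-03-29T22:14:05Z host=WS-017 qname=Cdn.MSstorageAzure.com.",
    "2023-03-30T08:02:11Z host=WS-022 url=https://raw.githubusercontent.com/IconStorages/images/main/icon1.ico",
    "2023-03-30T08:02:12Z host=WS-022 url=https://raw.githubusercontent.com/someorg/repo/main/README.md",
    "2023-03-30T09:11:40Z host=WS-003 qname=login.microsoftonline.com",
    "2023-03-30T09:12:00Z host=WS-003 qname=sbmsa.wiki",
]

if __name__ == "__main__":
    for ts, ws, indicator, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ws} matched {indicator} via {value}")
```

Running the module prints four matches: the two DNS lookups from WS-017 (the second only because of subdomain matching), the GitHub raw URL from WS-022, and the `sbmsa.wiki` lookup from WS-003; the ordinary GitHub README fetch and the Microsoft login lookup are not reported.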