3CX users under DLL-sideloading attack

Trying to run the latest 3CX; however, I'm receiving this error: finished - errors - no such table: xdr_data

-- Data Lake query: the xdr_data table only exists in the Data Lake, not on endpoints.
-- Domain matches are exact (after LOWER), so hosts under an IOC domain are not caught.
SELECT
  meta_hostname,
  sophos_pids,
  domain,
  clean_urls,
  source_ips,
  destination_ips,
  timestamps,
  ingestion_timestamp
FROM
  xdr_data
WHERE
  query_name = 'sophos_urls_windows'
  AND (
    LOWER(domain) IN (
      'akamaicontainer.com',
      'akamaitechcloudservices.com',
      'azuredeploystore.com',
      'azureonlinecloud.com',
      'azureonlinestorage.com',
      'dunamistrd.com',
      'glcloudservice.com',
      'journalide.org',
      'msedgepackageinfo.com',
      'msstorageazure.com',
      'msstorageboxes.com',
      'officeaddons.com',
      'officestoragebox.com',
      'pbxcloudeservices.com',
      'pbxphonenetwork.com',
      'pbxsources.com',
      'qwepoi123098.com',
      'sbmsa.wiki',
      'sourceslabs.com',
      'visualstudiofactory.com',
      'zacharryblogs.com'
    )
    OR (
      LOWER(domain) = 'raw.githubusercontent.com'
      AND LOWER(clean_urls) LIKE '%/iconstorages/images/main/%'
    )
  )




This thread was automatically locked due to age.
  • Same here. Just opened a support case but haven't heard anything back yet.

  • I found out more info on a Discord channel. I was having a moment. The query is Data Lake only. There have been no 3CX IOCs throughout all my scans, so I am hoping that it is querying correctly.

  • So did you come up with a better query for sophos?

  • If the query returns the error "no such table: xdr_data" the issue is most likely that "Data Lake" is not being selected, as FrasianX0 suggested. I'll include a screenshot below.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
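The following is an added example, not code from the thread or from Sophos. It uses an in-memory SQLite table as a stand-in for the Data Lake's xdr_data table (the Data Lake is not SQLite; SQLite is used only because it is available offline, and its "no such table" wording happens to match the error quoted above). The rows are constructed, the column set is a subset of what the original query selects, and the query builder keeps the shape of the original query: exact LOWER(domain) matches on the 21 IOC domains plus the raw.githubusercontent.com path test. It reproduces the error you get when the table does not exist, shows which constructed rows the original query would and would not return (mixed case is handled by LOWER; a row under a different query_name is filtered out; a subdomain of an IOC domain is missed by exact equality), and adds an optional subdomain variant as a practitioner's hardening, which the original query does not include.

```python
import sqlite3

# The 21 exact-match domains from the query posted in the thread.
IOC_DOMAINS = [
    "akamaicontainer.com", "akamaitechcloudservices.com", "azuredeploystore.com",
    "azureonlinecloud.com", "azureonlinestorage.com", "dunamistrd.com",
    "glcloudservice.com", "journalide.org", "msedgepackageinfo.com",
    "msstorageazure.com", "msstorageboxes.com", "officeaddons.com",
    "officestoragebox.com", "pbxcloudeservices.com", "pbxphonenetwork.com",
    "pbxsources.com", "qwepoi123098.com", "sbmsa.wiki", "sourceslabs.com",
    "visualstudiofactory.com", "zacharryblogs.com",
]

# Constructed sample rows (not real telemetry) using a subset of the xdr_data
# columns the thread's query selects: meta_hostname, query_name, domain, clean_urls.
SAMPLE_ROWS = [
    ("host-a", "sophos_urls_windows", "akamaicontainer.com",
     "https://akamaicontainer.com/update.php"),                                 # exact IOC hit
    ("host-b", "sophos_urls_windows", "raw.githubusercontent.com",
     "https://raw.githubusercontent.com/IconStorages/images/main/icon0.ico"),  # path IOC hit
    ("host-c", "sophos_urls_windows", "raw.githubusercontent.com",
     "https://raw.githubusercontent.com/someorg/tools/main/README.md"),        # unrelated GitHub fetch
    ("host-d", "sophos_urls_windows", "MSSTORAGEAZURE.COM",
     "https://MSSTORAGEAZURE.COM/"),                                            # mixed case, LOWER() handles it
    ("host-e", "sophos_urls_windows", "cdn.azureonlinestorage.com",
     "https://cdn.azureonlinestorage.com/x"),                                   # subdomain: exact match misses
    ("host-f", "sophos_dns_windows", "pbxsources.com",
     "https://pbxsources.com/"),                                                # other query_name: filtered out
]


def build_query(domains=IOC_DOMAINS, include_subdomains=False):
    """Return (sql, params) with the same shape as the thread's query.

    include_subdomains=True adds a LIKE '%.<domain>' test per IOC so that hosts
    under an IOC domain are caught as well; the original uses equality only.
    """
    lowered = [d.lower() for d in domains]
    clauses = ["LOWER(domain) = ?"] * len(lowered)
    params = list(lowered)
    if include_subdomains:
        clauses += ["LOWER(domain) LIKE ?"] * len(lowered)
        params += ["%." + d for d in lowered]
    domain_test = " OR ".join(clauses)
    sql = f"""
        SELECT meta_hostname, domain, clean_urls
        FROM xdr_data
        WHERE query_name = 'sophos_urls_windows'
          AND ({domain_test}
               OR (LOWER(domain) = 'raw.githubusercontent.com'
                   AND LOWER(clean_urls) LIKE '%/iconstorages/images/main/%'))
        ORDER BY meta_hostname
    """
    return sql, params


def load_sample(conn):
    """Create a stand-in xdr_data table and load the constructed rows."""
    conn.execute("CREATE TABLE xdr_data (meta_hostname TEXT, query_name TEXT, "
                 "domain TEXT, clean_urls TEXT)")
    conn.executemany("INSERT INTO xdr_data VALUES (?, ?, ?, ?)", SAMPLE_ROWS)


def error_without_table():
    """Run the query where no xdr_data table exists (the situation when the
    Data Lake is not selected) and return the engine's error text."""
    conn = sqlite3.connect(":memory:")
    sql, params = build_query()
    try:
        conn.execute(sql, params)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def matching_hosts(include_subdomains=False):
    """Hostnames whose URL rows in the sample table match an IOC."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    sql, params = build_query(include_subdomains=include_subdomains)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    print("without table:  ", error_without_table())
    print("exact match:    ", matching_hosts())
    print("with subdomains:", matching_hosts(include_subdomains=True))
```

The exact-match run returns host-a, host-b and host-d only: host-c fetched a different GitHub path, host-f was recorded under another query_name, and host-e is a subdomain of an IOC domain that the original equality test does not see. Enable the subdomain variant if your URL telemetry records the full host rather than the registrable domain.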
  • OK, that makes sense and that works. But we've actually done some nslookups on these domains and entered a few in the browser to confirm our other tools are actually reporting correct results.

    Nothing comes back with this query, so we are not sure if it's actually working as it's supposed to. Are there any other queries we can run to check these domains against the Data Lake or the actual workstations themselves?

  • I know some of our devices were infected and communicated with the domains but the queries don't return any results.

  • Do you recall the timeframe you selected when running the query?

    Kushal Lakhan
    Team Lead, Global Community Support
  • Thanks for replying. I tried 24 hours, 7 days and 30 days. I ran the queries on 31 March. The infections started to be reported late on the 29th and continued to be reported on the 30th as people signed in and 3CX started. We had two devices connect to the C2 domains, which were reported by Sophos at the time.