This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

3CX users under DLL-sideloading attack

Trying to run the latest 3CX; however receiving this error: finished - errors - no such table: xdr_data

SELECT

  meta_hostname,

  sophos_pids,

  domain,

  clean_urls,

  source_ips,

  destination_ips,

  timestamps,

  ingestion_timestamp

FROM

  xdr_data

WHERE

  query_name = 'sophos_urls_windows'

  AND

    (LOWER(domain) = 'akamaicontainer.com'

    OR LOWER(domain) = 'akamaitechcloudservices.com'

    OR LOWER(domain) = 'azuredeploystore.com'

    OR LOWER(domain) = 'azureonlinecloud.com'

    OR LOWER(domain) = 'azureonlinestorage.com'

    OR LOWER(domain) = 'dunamistrd.com'

    OR LOWER(domain) = 'glcloudservice.com'

    OR LOWER(domain) = 'journalide.org'

    OR LOWER(domain) = 'msedgepackageinfo.com'

    OR LOWER(domain) = 'msstorageazure.com'

    OR LOWER(domain) = 'msstorageboxes.com'

    OR LOWER(domain) = 'officeaddons.com'

    OR LOWER(domain) = 'officestoragebox.com'

    OR LOWER(domain) = 'pbxcloudeservices.com'

    OR LOWER(domain) = 'pbxphonenetwork.com'

    OR LOWER(domain) = 'pbxsources.com'

    OR LOWER(domain) = 'qwepoi123098.com'

    OR LOWER(domain) = 'sbmsa.wiki'

    OR LOWER(domain) = 'sourceslabs.com'

    OR LOWER(domain) = 'visualstudiofactory.com'

    OR LOWER(domain) = 'zacharryblogs.com'

    OR (LOWER(domain) = 'raw.githubusercontent.com' AND LOWER(clean_urls) LIKE '%/iconstorages/images/main/%'))

This thread was automatically locked due to age.

Top Replies

FrasianX0 over 1 year ago in reply to Z Zman +1

I found out more info on a discord channel. I was having a moment. The query is data lake only. There have been no 3CX IOCs throughout all my scans so I am hoping that it is querying correctly.

Parents

0 Z Zman over 1 year ago

Same here. Just opened a support case but not heard anything back yet.
Cancel
Vote Up 0 Vote Down

Cancel
0 FrasianX0 over 1 year ago in reply to Z Zman

I found out more info on a discord channel. I was having a moment. The query is data lake only. There have been no 3CX IOCs throughout all my scans so I am hoping that it is querying correctly.
Cancel
Vote Up +1 Vote Down

Cancel
0 Z Zman over 1 year ago in reply to FrasianX0

So did you come up with a better query for sophos?
Cancel
Vote Up 0 Vote Down

Cancel
0 Qoosh over 1 year ago in reply to Z Zman

If the query returns the error "no such table: xdr_data" the issue is most likely that "Data Lake" is not being selected, as FrasianX0 suggested. I'll include a screenshot below.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Z Zman over 1 year ago in reply to Qoosh

Ok that makes sense and that works. BUT we've actually done some nslookups on these domains and a entered a few in the browser to confirm our other tools are actually reporting correct results.

Nothing comes back with this query so we are not sure if it's actually working as it's supposed to. Are there any other queries we can run to check these domains against the datalake OR actual workstations themselves?
Cancel
Vote Up +1 Vote Down

Cancel

Reply

0 Z Zman over 1 year ago in reply to Qoosh

Ok that makes sense and that works. BUT we've actually done some nslookups on these domains and a entered a few in the browser to confirm our other tools are actually reporting correct results.

Nothing comes back with this query so we are not sure if it's actually working as it's supposed to. Are there any other queries we can run to check these domains against the datalake OR actual workstations themselves?
Cancel
Vote Up +1 Vote Down

Cancel

Children

+1 Petero over 1 year ago in reply to Z Zman

I know some of our devices were infected and communicated with the domains but the queries don't return any results.
Cancel
Vote Up +1 Vote Down

Cancel
0 Qoosh over 1 year ago in reply to Petero

Do you recall the timeframe you selected when running the query?

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Petero over 1 year ago in reply to Qoosh

Thanks for replying. I tried 24hrs, 7 days and 30 days. I ran the queries on the 31st March. The infections started to be reported late on the 29th and continued to be reported on the 30th as people signed-in and 3CX started. We had two devices connect to the 2C domains which were reported by Sophos at the time.
Cancel
Vote Up 0 Vote Down

Cancel