
3CX users under DLL-sideloading attack

Trying to run the latest 3CX; however, receiving this error: "finished - errors - no such table: xdr_data"

SELECT
  meta_hostname,
  sophos_pids,
  domain,
  clean_urls,
  source_ips,
  destination_ips,
  timestamps,
  ingestion_timestamp
FROM
  xdr_data
WHERE
  query_name = 'sophos_urls_windows'
  AND
    (LOWER(domain) = 'akamaicontainer.com'
    OR LOWER(domain) = 'akamaitechcloudservices.com'
    OR LOWER(domain) = 'azuredeploystore.com'
    OR LOWER(domain) = 'azureonlinecloud.com'
    OR LOWER(domain) = 'azureonlinestorage.com'
    OR LOWER(domain) = 'dunamistrd.com'
    OR LOWER(domain) = 'glcloudservice.com'
    OR LOWER(domain) = 'journalide.org'
    OR LOWER(domain) = 'msedgepackageinfo.com'
    OR LOWER(domain) = 'msstorageazure.com'
    OR LOWER(domain) = 'msstorageboxes.com'
    OR LOWER(domain) = 'officeaddons.com'
    OR LOWER(domain) = 'officestoragebox.com'
    OR LOWER(domain) = 'pbxcloudeservices.com'
    OR LOWER(domain) = 'pbxphonenetwork.com'
    OR LOWER(domain) = 'pbxsources.com'
    OR LOWER(domain) = 'qwepoi123098.com'
    OR LOWER(domain) = 'sbmsa.wiki'
    OR LOWER(domain) = 'sourceslabs.com'
    OR LOWER(domain) = 'visualstudiofactory.com'
    OR LOWER(domain) = 'zacharryblogs.com'
    OR (LOWER(domain) = 'raw.githubusercontent.com'
        AND LOWER(clean_urls) LIKE '%/iconstorages/images/main/%'))
  • Thanks for replying. I tried 24 hrs, 7 days and 30 days. I ran the queries on the 31st of March. The infections started to be reported late on the 29th and continued to be reported on the 30th as people signed in and 3CX started. We had two devices connect to the C2 domains, which were reported by Sophos at the time.