{"id":21600,"date":"2023-03-30T03:20:54","date_gmt":"2023-03-30T11:20:54","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/03\/30\/news-15331\/"},"modified":"2023-03-30T03:20:54","modified_gmt":"2023-03-30T11:20:54","slug":"news-15331","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/03\/30\/news-15331\/","title":{"rendered":"3CX Desktop Attack: Sophos Customer Information"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/MicrosoftTeams-image-3.png\"\/><\/p>\n<p><strong>Credit to Author: Editor| Date: Thu, 30 Mar 2023 08:44:21 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<h2>Overview<\/h2>\n<p>Sophos X-Ops <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/03\/29\/3cx-dll-sideloading-attack\/\">is tracking<\/a> an attack against the 3CX Desktop application, possibly undertaken by a nation-state-related group.<\/p>\n<p>The affected software is 3CX \u2013 a legitimate software-based PBX phone system available on Windows, Linux, Android, and iOS. The application has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.<\/p>\n<p>A list of IOCs for this attack is published on our <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\">GitHub<\/a>.<\/p>\n<h2>Sophos protection<\/h2>\n<p>Sophos has taken the following actions to protect customers from this attack:<\/p>\n<ul>\n<li>Blocked the malicious domains<\/li>\n<li>Published the endpoint detection: Troj\/Loader-AF<\/li>\n<li>Blocked the list of known C2 domains associated with the threat, and will continue to add to that list<\/li>\n<li>For Sophos MDR customers, the MDR Detection Engineering team has a variety of behavioral detections in place that will detect follow up activity<\/li>\n<\/ul>\n<h2>Determining impact with Sophos XDR<\/h2>\n<p><a href=\"https:\/\/www.sophos.com\/en-us\/products\/endpoint-antivirus\/xdr\">Sophos XDR<\/a> enables organizations to determine whether hosts have communicated with threat actor infrastructure. We have created a custom query that is available <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/03\/29\/3cx-dll-sideloading-attack\/\">here<\/a>.<\/p>\n<h2>More information<\/h2>\n<p>For further insights into the attack, read the article from Sophos X-Ops <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/03\/29\/3cx-dll-sideloading-attack\/\">here<\/a>.<\/p>\n<p>We also recommend that users of 3CX\u2019s software monitor the company\u2019s <a href=\"https:\/\/www.3cx.com\/blog\/\">blog<\/a> and <a href=\"https:\/\/www.3cx.com\/community\/forums\/webrtc-webclient\/\">support forum<\/a>.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/03\/30\/3cx-desktop-attack-sophos-customer-information\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/MicrosoftTeams-image-3.png\"\/><\/p>\n<p><strong>Credit to Author: Editor| Date: Thu, 30 Mar 2023 08:44:21 +0000<\/strong><\/p>\n<p>Overview Sophos X-Ops is tracking an attack against the 3CX Desktop application, possibly undertaken by a nation-state-related group. The affected software is 3CX \u2013 a legitimate software-based PBX phone system available on Windows, Linux, Android, and iOS. The application has been abused by the threat actor to add an installer that communicates with various command-and-control [&#8230;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[28963,24562,19056,27604,27030,24815],"class_list":["post-21600","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-3cx","tag-products-services","tag-sophos-endpoint","tag-sophos-mdr","tag-sophos-x-ops","tag-sophos-xdr"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21600"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21600\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21600"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}