3CX Desktop Attack: Sophos Customer Information

Overview

Sophos X-Ops is tracking an attack against the 3CX Desktop application, possibly undertaken by a nation-state-related group.

The affected software is 3CX – a legitimate software-based PBX phone system available on Windows, Linux, Android, and iOS. The application has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.

A list of IOCs for this attack is published on our GitHub.

Sophos protection

Sophos has taken the following actions to protect customers from this attack:

• Blocked the malicious domains
• Published the endpoint detection: Troj/Loader-AF
• Blocked the list of known C2 domains associated with the threat, and will continue to add to that list
• For Sophos MDR customers, the MDR Detection Engineering team has a variety of behavioral detections in place that will detect follow up activity

Determining impact with Sophos XDR

Sophos XDR enables organizations to determine whether hosts have communicated with threat actor infrastructure. We have created a custom query that is available here.

More information

For further insights into the attack, read the article from Sophos X-Ops here.

We also recommend that users of 3CX’s software monitor the company’s blog and support forum.