<h1>3CX Desktop Attack: Sophos Partner and Customer Information</h1>
<p>Sophos Partner News, published 2023-03-31: <a href="https://partnernews.sophos.com/en-us/2023/03/resources/3cx-desktop-attack-sophos-partner-and-customer-information/">https://partnernews.sophos.com/en-us/2023/03/resources/3cx-desktop-attack-sophos-partner-and-customer-information/</a></p>
<p>Sophos X-Ops <a href="https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/">is tracking</a> an attack against the 3CX Desktop application, possibly undertaken by a nation-state-related group.</p>
<p>The affected software is 3CX, a legitimate software-based PBX phone system available on Windows, Linux, Android, and iOS. The threat actor abused the application by adding an installer that communicates with various command-and-control (C2) servers.</p>
<p>A list of IOCs for this attack is published on our <a href="https://github.com/sophoslabs/IoCs">GitHub</a>.</p>
<h2>Sophos protection</h2>
<p>Sophos has taken the following actions to protect customers from this attack:</p>
<ul>
<li>Blocked the malicious domains</li>
<li>Published the following detections:
<p>Static detections:</p>
<ul>
<li>Troj/Loader-AF (Trojanized ffmpeg.dll)</li>
<li>Troj/Mdrop-JTQ (installers)</li>
<li>OSX/Mdrop-JTR (installers)</li>
<li>OSX/Loader-AG (Trojanized ffmpeg.dll)</li>
</ul>
<p>Reputation detection:</p>
<ul>
<li>Mal/Generic-R / Mal/Generic-S (d3dcompiler with appended shellcode)</li>
</ul>
<p>Memory detection:</p>
<ul>
<li>Mem/Loader-AH</li>
</ul>
</li>
<li>Blocked the list of known C2 domains associated with the threat, and will continue to add to that list</li>
<li>Flagged the two malicious versions of the ffmpeg.dll bundled in the affected 3CX application as being of low reputation</li>
<li>For Sophos MDR customers, the MDR Detection Engineering team has a variety of behavioral detections in place that will detect follow-up activity</li>
</ul>
<h2>Determining impact with Sophos XDR</h2>
<p><a href="https://www.sophos.com/en-us/products/endpoint-antivirus/xdr">Sophos XDR</a> enables organizations to determine whether hosts have communicated with threat actor infrastructure. We have created a custom query that is available <a href="https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/">here</a>.</p>
<h2>More information</h2>
<p>For further insights into the attack, read the article from Sophos X-Ops <a href="https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/">here</a>.</p>
<p>We also recommend that users of 3CX's software monitor the company's <a href="https://www.3cx.com/blog/">blog</a> and <a href="https://www.3cx.com/community/forums/webrtc-webclient/">support forum</a>.</p>