Sophos X-Ops is tracking an attack against the 3CX Desktop application, possibly undertaken by a nation-state-related group.
The affected software is 3CX – a legitimate software-based PBX phone system available on Windows, Linux, Android, and iOS. The application has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.
A list of IOCs for this attack is published on our GitHub.
Sophos has taken the following actions to protect customers from this attack:
Blocked the malicious domains
Published the endpoint detection: Troj/Loader-AF
Blocked the list of known C2 domains associated with the threat, and will continue to add to that list
For Sophos MDR customers, the MDR Detection Engineering team has a variety of behavioral detections in place that will detect follow up activity
Determining impact with Sophos XDR
For further insights into the attack, read the article from Sophos X-Ops here.