Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of August 2016

New Detection Technique - Shade

Shade is a ransomware family whose latest version delays encrypting a victim's files while it searches for accounting-related documents. If it finds any, the malware installs remote access software so the operators can inspect the accounting records and estimate how much the victim can afford to pay before encrypting the files and demanding a customized ransom.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, Shade

New Detection Technique - Monsoon Tinytyphon

MONSOON is the name given to an ongoing espionage campaign that the Forcepoint Security Labs' Special Investigations team has been tracking since May 2016. The overarching campaign appears to target both Chinese nationals across different industries and government agencies in Southern Asia. It appears to have started in December 2015 and is still ongoing as of July 2016. Among the evidence gathered during the MONSOON investigation were a number of indicators which make it highly probable that this adversary and the OPERATION HANGOVER adversary are the same: the use of the same infrastructure for the attacks, the use of similar Tactics, Techniques and Procedures (TTPs), the targeting of demographically similar victims, and operation geographically within the Indian Subcontinent.

We've added IDS signatures and created correlation rules to detect Monsoon Tinytyphon activity.

  • System Compromise, Targeted Malware, Monsoon Tinytyphon

New Detection Technique - Linux/Lady

Linux/Lady is a Linux trojan written in Google's Go programming language. When the trojan infects a system, it collects information about the host, including the Linux operating system version and the number of CPUs and processes. It then sends this data to the Command & Control (C&C) server, which responds with a configuration file for downloading a cryptocurrency mining application.

We've added IDS signatures and created the following correlation rule to detect Linux/Lady activity.

  • System Compromise, Trojan infection, Linux/Lady

New Detection Technique - JexBoss

JexBoss is a tool for testing and exploiting vulnerabilities in the JBoss Application Server.

We've added IDS signatures and updated the following correlation rule to detect JexBoss activity.

  • Exploitation & Installation, Hacking tool, JexBoss

New Detection Technique - Malware

We've added the following correlation rules due to recent malicious activity:

  • System Compromise, Trojan infection, Radonskra
  • Exploitation & Installation, Suspicious Behaviour, Suspicious BusyBox
  • Delivery & Attack, WebServer Attack - CMS, Drupal
  • Delivery & Attack, Denial of Service - Known vulnerability, Windows DNS Server Amplification Attack
  • System Compromise, C&C Communication, APT.Enfal SSL activity
  • System Compromise, Trojan infection, Getapula Stealer
  • System Compromise, C&C Communication, APT28 XAgent SSL activity
  • System Compromise, Backdoor, OwaAuth/Soybalek

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed vulnerabilities in their Edge and Internet Explorer products.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Possible Memory Corruption Vulnerability (CVE-2016-3288)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Possible Memory Corruption Vulnerability (CVE-2016-3289)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Possible Memory Corruption Vulnerability (CVE-2016-3290)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Browser RCE (CVE-2016-3293)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Windows Possible Out Of Bound Memory Access Executable Inbound (CVE-2016-3310)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Possible Information Disclosure Vulnerability (CVE-2016-3321)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Use After Free (CVE-2016-3322)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Information Disclosure Vulnerability M1 (CVE-2016-3327)

Updated Detection Technique - Centreon 2.5.3 Web Useralias RCE

Centreon is a popular open source monitoring solution. The Centreon web interface, version 2.5.3 and earlier, uses an insecure function to log SQL errors. This functionality can be abused for remote code execution via the login screen, before any user authentication takes place.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Centreon 2.5.3 Web Useralias RCE

Updated Detection Technique - PandaBanker

PandaBanker is a banking Trojan descended from Zeus. It is distributed via email attachments and several exploit kits, and it includes automated actions (webinjects) targeting numerous Australian and UK banks.

We've added IDS signatures and updated correlation rules to detect PandaBanker activity:

  • System Compromise, C&C Communication, Panda Banker SSL activity

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all the attacks it knows in order to compromise the user's browser and install malware on the machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with the exploitation of a vulnerability, followed by the installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures which include certificates identified by Abuse.ch associated with botnet activities. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Zeus SSL Certificate

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to browse the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network; these are called hidden services. Some websites act as proxies that expose Tor hidden services on the regular Internet, so they can be reached without joining the Tor network.

We've updated the correlation rule that detects when a system is accessing one of these proxy services. Many ransomware schemes use them to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several malware families use hidden services as a mechanism to communicate with a C&C server, usually through a predefined .onion domain.

We've updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious .onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
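The two Tor-related rules above both come down to spotting hidden-service names in ordinary DNS traffic: a .onion name sent to a regular resolver (which Tor-aware software should never do) or a .onion name wrapped in a clear-net proxy suffix. The following is an added example, not AlienVault's rule logic, that scans constructed DNS query log lines and classifies each hit; the log format and the gateway suffix are assumed placeholders.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed log format (assumption): "<ISO timestamp> <client IP> query <type> <qname>"
LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$')

# A hidden-service address is a base32 label (16 chars for v2, 56 for v3)
# directly under .onion. Any labels after ".onion." are a clear-net gateway
# suffix, i.e. the host is reaching a Tor proxy site rather than Tor itself.
ONION_RE = re.compile(
    r'(?i)(?:^|\.)([a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.(?P<gw>[a-z0-9.-]+))?\.?$'
)

class Finding(NamedTuple):
    timestamp: str
    client: str
    qname: str
    kind: str  # "onion_leak" (direct .onion lookup) or "onion_gateway" (proxy)

def classify_qname(qname: str) -> Optional[str]:
    """Return the finding kind for a queried name, or None if it is not Tor-related."""
    m = ONION_RE.search(qname)
    if not m:
        return None
    return "onion_gateway" if m.group("gw") else "onion_leak"

def scan_dns_log(lines: List[str]) -> List[Finding]:
    """Parse query log lines and keep only those that resolve hidden-service names."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, client, _qtype, qname = m.groups()
        kind = classify_qname(qname)
        if kind:
            findings.append(Finding(ts, client, qname, kind))
    return findings

# Constructed sample log: one benign lookup, one leaked .onion name, one via a
# placeholder gateway suffix, and a look-alike that must not match.
SAMPLE_LOG = [
    "2016-08-03T10:14:02Z 10.1.2.34 query A www.example.com",
    "2016-08-03T10:14:05Z 10.1.2.34 query A abcdefghij2345kl.onion",
    "2016-08-03T10:15:11Z 10.1.2.57 query A abcdefghij2345kl.onion.gateway-placeholder.invalid",
    "2016-08-03T10:15:40Z 10.1.2.57 query A foo.onionsoup.example",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.kind}: {f.qname}")
```

A leak finding is the stronger signal, since a correctly configured Tor client never hands .onion names to the system resolver, whereas a gateway finding matches the Tor Onion Proxy rule above.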

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families:

  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, SDLocker

Updated Correlation Rules

We've updated the following correlation rules due to recent malicious activity:

  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • Delivery & Attack, Denial of Service - Known vulnerability, Windows DNS Server Amplification Attack
  • System Compromise, Trojan infection, Bancos
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, Pony
  • System Compromise, Worm infection, Ramnit
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Generic Python malware
  • System Compromise, Trojan infection, Ursniff
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, iSpy KeyLogger
  • System Compromise, C&C Communication, Ursnif SSL activity
  • System Compromise, Backdoor, OwaAuth/Soybalek
  • Delivery & Attack, WebServer Attack - CMS, Wordpress
  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document