Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of February 2016

New Detection Technique - Cisco ASA IKE - CVE-2016-1287

CVE-2016-1287 (Cisco ASA IKE) is a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software that could allow an unauthenticated, remote attacker to cause a reload of the affected system or to execute code remotely.

We added IDS signatures and the following correlation rule to detect Cisco ASA IKE activity:

  • Exploitation & Installation, Service Exploit, Cisco ASA IKE - CVE-2016-1287

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed several vulnerabilities in their products, including Internet Explorer and Office. A specially crafted webpage could use these vulnerabilities to trigger arbitrary code execution.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Rich Text File download with malformed drawing objects (CVE-2016-0022)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Malformed XSLT Payload Inbound (CVE-2016-0033)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS41-009 Office DLL Loading RCE M01 (CVE-2016-0041)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Rich Text File download with vulnerable clsid (CVE-2016-0042)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Office Memory Corruption Vulnerability (CVE-2016-0053)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2016-0060)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Internet Explorer Memory Corruption Vulnerability (CVE-2016-0067)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Internet Explorer Memory Corruption Vulnerability (CVE-2016-0072)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Office Insecure Library Loading (CVE-2016-0042)

New Detection Technique - Qadars

Qadars is a banking trojan used by an unknown threat actor. Qadars has primarily been seen targeting 6 countries: the Netherlands, France, Canada, India, Australia and Italy. Qadars uses a Man-in-the-Browser (MitB) scheme to perform financial fraud.

We added IDS signatures and the following correlation rule to detect Qadars activity:

  • System Compromise, C&C Communication, Qadars SSL activity

New Detection Technique - Ransomware

Last week we added the following correlation rules and IDS signatures to detect new ransomware families:

  • System Compromise, Ransomware infection, JobCrypter
  • System Compromise, Ransomware infection, Pottieq

In addition, we updated some rules and added new IDS signatures to improve the detection of previously known ransomware families:

  • System Compromise, Ransomware infection, Alphacrypt
  • System Compromise, Ransomware infection, Teslacrypt
  • System Compromise, Ransomware infection, HydraCrypt
  • System Compromise, Ransomware infection, JobCrypter
  • System Compromise, Ransomware infection, Pottieq

New Detection Technique - Remote Access Tools

Last week we added the following correlation rules and IDS signatures to detect new remote access tool families:

  • System Compromise, Malware RAT, TorCT RAT

In addition, we updated some rules and added new IDS signatures to improve the detection of previously known remote access tool families:

  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, PCRat
  • System Compromise, Malware RAT, PlugX
  • System Compromise, Malware RAT, TorCT RAT

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Loxes
  • System Compromise, Trojan infection, Gaudox
  • System Compromise, Trojan infection, Agent NZU
  • System Compromise, Trojan infection, Dipsind
  • System Compromise, Trojan infection, VertexNet
  • System Compromise, Backdoor, Mizzmo
  • System Compromise, Trojan infection, Chute
  • System Compromise, Trojan infection, Chinoxy
  • System Compromise, Trojan infection, Mostar

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families:

  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several families of malware use hidden services as a mechanism to communicate with a C&C server and usually use a predefined onion domain.

We have updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
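As an added illustration of the kind of check the rule above performs (this is example code written for this update, not the vendor's IDS signature or correlation rule), the script below scans DNS query logs for lookups of .onion names. It assumes a constructed log line format of `<timestamp> <client_ip> query <qname> <qtype>` and a placeholder blocklist named `KNOWN_MALICIOUS_ONIONS`; both are assumptions, and the blocklist entry is not a real indicator. Because .onion names are reserved for Tor hidden services and are never meant to reach an ordinary DNS resolver, any such query from an internal host is worth a medium-severity finding on its own, and a match against the blocklist raises it to high. The per-client summary mirrors how a correlation rule groups individual signature hits by the system that produced them.

```python
"""Flag DNS queries for .onion names and correlate them per client.

Added example, not the vendor's rule. The log format and the blocklist
below are constructed for this demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder blocklist. In a real deployment this list would
# come from the IDS signature set; this entry is not a real indicator.
KNOWN_MALICIOUS_ONIONS = {
    "examplec2aaaaaaa.onion",
}

# Constructed log format: "<ts> <client_ip> query <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
    r"query (?P<qname>\S+) (?P<qtype>[A-Z]+)$"
)

SEVERITY_RANK = {"medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    client: str
    qname: str
    severity: str  # "high" for a blocklisted name, "medium" for any .onion leak


def normalize(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are stable."""
    return qname.rstrip(".").lower()


def is_onion(qname: str) -> bool:
    """True when the right-most label is 'onion' (a hidden-service name)."""
    labels = normalize(qname).split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def classify(qname: str) -> Optional[str]:
    """Return a severity for an .onion lookup, or None for ordinary names."""
    name = normalize(qname)
    if not is_onion(name):
        return None
    # Match the blocklisted name itself or any label underneath it.
    for bad in KNOWN_MALICIOUS_ONIONS:
        if name == bad or name.endswith("." + bad):
            return "high"
    return "medium"


def scan(lines: List[str]) -> List[Finding]:
    """Parse each log line and emit one Finding per suspicious query."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        severity = classify(m["qname"])
        if severity:
            findings.append(Finding(m["client"], normalize(m["qname"]), severity))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, str]:
    """Correlate findings per client, keeping the highest severity seen."""
    worst: Dict[str, str] = {}
    for f in findings:
        current = worst.get(f.client)
        if current is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[current]:
            worst[f.client] = f.severity
    return worst


# Constructed sample log; timestamps and addresses are made up.
SAMPLE_LOG = [
    "2016-02-03T10:12:01Z 10.0.0.5 query www.example.com A",
    "2016-02-03T10:12:07Z 10.0.0.5 query examplec2aaaaaaa.onion A",
    "2016-02-03T10:12:09Z 10.0.0.7 query someotherhiddenservice.onion AAAA",
    "2016-02-03T10:12:11Z 10.0.0.7 query ONION.example.org A",
    "this line is not a DNS query record",
    "2016-02-03T10:12:15Z 10.0.0.5 query sub.examplec2aaaaaaa.onion. A",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:6} {f.client:10} {f.qname}")
    print(summarize(results))
```

The fourth sample line is included deliberately: a hostname that merely contains the string "onion" must not trigger, which is why the check looks at the last DNS label rather than doing a substring match.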

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Zlob
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, LockScreen
  • System Compromise, Trojan infection, Bitcoin Miner
  • Exploitation & Installation, Trojan infection, Sharik
  • System Compromise, Malware infection, Dridex
  • System Compromise, C&C Communication, PlugX DNS channel
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Nymaim
  • System Compromise, Trojan infection, Ursniff
  • System Compromise, Trojan infection, Generic Stealer
  • Reconnaissance & Probing, WebServer Attack, File guessing
  • Delivery & Attack, Malicious website, Phishing activity