Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of February

New Detection Technique - CUPS Reference Count Over-Decrement RCE

The open source printing suite CUPS has a vulnerability (CVE-2015-1158) in the scheduler's 'add_job' function, affecting versions prior to 2.0.3. When a print job request carries a 'job-originating-host-name' attribute with more than one value, the scheduler frees the attribute incorrectly and the reference count on the language string shared by those values is decremented once too often. The string is released while still referenced, so a remote attacker who sends a specially crafted print job request can corrupt the reference-counted string data and turn that into remote code execution.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Vulnerable software, CUPS Reference Count Over-Decrement RCE
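The condition the signature has to recognise is an IPP job-creation request whose 'job-originating-host-name' attribute carries more than one value. The following parser and check are an added example written for this page, not CUPS code and not the vendor's IDS signature. It follows the IPP wire encoding (RFC 8010: one-byte value tag, two-byte name length, name, two-byte value length, value; an additional value of the same attribute is encoded with a zero-length name). The operation ids treated as job-creating (Print-Job, Create-Job) and the sample requests are this example's own assumptions and constructions.

```python
"""Flag IPP job-creation requests with a multi-valued job-originating-host-name.

Added example for this page, not CUPS code and not the product's signature.
Encoding per RFC 8010; the sample requests below are constructed.
"""
import struct

# Operation ids (RFC 8011) assumed here to reach CUPS' add_job.
JOB_CREATING_OPS = {0x0002: "Print-Job", 0x0005: "Create-Job"}
END_OF_ATTRIBUTES_TAG = 0x03


def parse_ipp(data):
    """Return (operation_id, attrs); attrs maps attribute name -> list of raw values.

    Collections are not expanded (not needed for operation attributes).
    Raises ValueError on a truncated or malformed request instead of guessing.
    """
    if len(data) < 8:
        raise ValueError("short IPP header")
    _major, _minor, operation_id, _request_id = struct.unpack(">BBHI", data[:8])
    pos, attrs, current = 8, {}, None
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == END_OF_ATTRIBUTES_TAG:
            return operation_id, attrs
        if tag < 0x10:                 # delimiter tag: a new attribute group starts
            current = None
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated name-length")
        (name_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if pos + name_len + 2 > len(data):
            raise ValueError("truncated name")
        name = data[pos:pos + name_len].decode("utf-8")
        pos += name_len
        (value_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if pos + value_len > len(data):
            raise ValueError("truncated value")
        value = data[pos:pos + value_len]
        pos += value_len
        if name_len == 0:
            # RFC 8010 3.1.6: zero-length name = additional value of the previous attribute.
            if current is None:
                raise ValueError("additional value with no preceding attribute")
            attrs[current].append(value)
        else:
            current = name
            # A repeated attribute name is itself a protocol error; count it as multi-valued.
            attrs.setdefault(name, []).append(value)
    raise ValueError("missing end-of-attributes tag")


def check_request(data):
    """Classify one IPP request body; 'suspicious' is the alert condition."""
    operation_id, attrs = parse_ipp(data)
    values = attrs.get("job-originating-host-name", [])
    return {
        "operation": JOB_CREATING_OPS.get(operation_id, "0x%04x" % operation_id),
        "host_names": [v.decode("utf-8", "replace") for v in values],
        "suspicious": operation_id in JOB_CREATING_OPS and len(values) > 1,
    }


def _attr(value_tag, name, *values):
    """Encode one attribute; every value after the first uses a zero-length name."""
    out = bytearray()
    for i, v in enumerate(values):
        n = name.encode() if i == 0 else b""
        out += struct.pack(">BH", value_tag, len(n)) + n + struct.pack(">H", len(v)) + v
    return bytes(out)


def build_request(operation_id, host_names):
    """Constructed sample request (IPP/2.0, request-id 1) followed by a PostScript body."""
    body = struct.pack(">BBHI", 2, 0, operation_id, 1)
    body += b"\x01"                                    # operation-attributes-tag
    body += _attr(0x47, "attributes-charset", b"utf-8")
    body += _attr(0x48, "attributes-natural-language", b"en")
    body += _attr(0x45, "printer-uri", b"ipp://printer.example/printers/lp")
    body += _attr(0x42, "job-originating-host-name", *host_names)   # nameWithoutLanguage
    body += b"\x03"                                    # end-of-attributes-tag
    return body + b"%!PS-Adobe-3.0\n"


if __name__ == "__main__":
    for label, op, hosts in (("benign", 0x0002, [b"ws01"]),
                             ("crafted", 0x0002, [b"ws01", b"ws02"]),
                             ("query", 0x000B, [b"ws01", b"ws02"])):
        print(label, check_request(build_request(op, hosts)))
```

The check keys on the operation id as well as the value count, so a Get-Printer-Attributes request that happens to repeat the attribute is not alerted on; a parser that stops at the first value would miss the crafted request entirely, which is why the zero-length-name rule matters here.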

New Detection Technique – MacDownloader

Researchers Claudio Guarnieri and Collin Anderson recently documented a new family of Mac malware they call MacDownloader. MacDownloader appears to be the work of an Iranian group the researchers refer to as iKittens, which has used it against US defense contractors, including Lockheed Martin, Sierra Nevada Corporation, Raytheon, and Boeing. MacDownloader poses as an Adobe Flash installer and as the Bitdefender Adware Removal Tool; once run, it collects system information and copies of the OS X keychain databases.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, MacDownloader

New Detection Technique – Ransomware

In the past week, we've seen increasing ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Cancer
  • System Compromise, Ransomware infection, Digisom
  • System Compromise, Ransomware infection, Serpent

We also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Satan
  • System Compromise, Ransomware infection, Spora
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Techniques

We've added the following correlation rules as a result of recent malicious and exploit activity:

  • Delivery & Attack, Malicious website - Exploit Kit, Terror EK
  • Environmental Awareness, Covert channel, Tor Browser Bundle Download
  • Environmental Awareness, Suspicious Behaviour, Suspicious Connection to Terrorist Propaganda TV Channel
  • Exploitation & Installation, Weak Configuration - Vulnerable Authentication, Netgear Password Disclosure
  • System Compromise, Trojan infection, Agent.RSY
  • System Compromise, Trojan infection, BlueHeaven
  • System Compromise, Trojan infection, Fadok
  • System Compromise, Trojan infection, Laqma

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Attackers embed them in websites, where they are invisible to the visitor. When a user browses to a website hosting an exploit kit, the kit probes the browser and its plugins for the vulnerabilities it knows how to exploit and, on success, installs malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that it named APT28. APT28 continues to be active today. Kaspersky Lab tracks the same group as Sofacy and described it in a blog post: "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Detection Technique - Windows SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016)

The US Computer Emergency Readiness Team (US-CERT) released an advisory about a memory corruption bug in the Windows operating system. The vulnerability lies in the handling of Server Message Block (SMB) traffic and affects Windows 10, 8.1, Server 2012, and Server 2016; it allows a remote, unauthenticated attacker to cause a denial of service on a vulnerable system. Windows fails to properly handle a specially crafted SMB server response that carries more data than the SMB2 TREE_CONNECT Response structure allows. A vulnerable Windows client that connects to a malicious SMB server, for example by following a UNC path (\\server\share) embedded in a web page or document, may crash with a blue screen.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, Windows SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016)
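The detection side of this is a length check on the server's TREE_CONNECT response. The following checker is an added example for this page, not the vendor's signature: field offsets follow MS-SMB2 (64-byte SMB2 header, 16-byte TREE_CONNECT response structure, 9-byte ERROR response) and the direct-TCP session header on port 445 (a zero byte and a 3-byte big-endian length). The frames it runs over are constructed, and treating any bytes claimed or sent beyond the fixed structure as anomalous, while letting a compounded response through via NextCommand, is this example's own heuristic.

```python
"""Flag an SMB2 TREE_CONNECT response that claims or carries more than the
16-byte response structure.  Added example, not the vendor's IDS signature.
Offsets per MS-SMB2; the sample frames are constructed."""

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
TREE_CONNECT_RESPONSE_LEN = 16       # StructureSize is fixed (MS-SMB2 2.2.10)
ERROR_RESPONSE_LEN = 9               # StructureSize of an SMB2 ERROR response


def _u16(b, off):
    return int.from_bytes(b[off:off + 2], "little")


def _u32(b, off):
    return int.from_bytes(b[off:off + 4], "little")


def check_tree_connect_response(frame):
    """Inspect one reassembled server-to-client frame (session header + SMB2).

    Returns {'applies', 'suspicious', 'reason'}; 'applies' is False for anything
    that is not a TREE_CONNECT response from the server.
    """
    result = {"applies": False, "suspicious": False, "reason": ""}
    if len(frame) < 4 + SMB2_HEADER_LEN or frame[0] != 0x00:
        return result
    advertised = int.from_bytes(frame[1:4], "big")        # session header length
    msg = frame[4:]
    if msg[:4] != SMB2_MAGIC:
        return result
    command = _u16(msg, 12)
    flags = _u32(msg, 16)
    next_command = _u32(msg, 20)
    if command != SMB2_TREE_CONNECT or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return result
    result["applies"] = True
    # A compounded response is bounded by NextCommand; otherwise the session
    # header bounds it, and a claim larger than what was sent is itself a signal
    # (or an incomplete reassembly, which the caller should rule out first).
    msg_len = next_command if next_command else advertised
    if msg_len > len(msg):
        result.update(suspicious=True,
                      reason="session header claims %d bytes, %d on the wire" % (advertised, len(msg)))
        return result
    structure_size = _u16(msg, SMB2_HEADER_LEN)
    if structure_size == ERROR_RESPONSE_LEN and _u32(msg, 8) != 0:
        return result          # NTSTATUS failure uses the ERROR response layout
    expected = SMB2_HEADER_LEN + TREE_CONNECT_RESPONSE_LEN
    if structure_size != TREE_CONNECT_RESPONSE_LEN or msg_len > expected:
        result.update(suspicious=True,
                      reason="%d bytes for an %d-byte TREE_CONNECT response" % (msg_len, expected))
    return result


def _smb2_header(command, flags, next_command=0, status=0):
    """Constructed 64-byte SMB2 header (MessageId 3, TreeId 1, SessionId 0x1122)."""
    return (SMB2_MAGIC + (64).to_bytes(2, "little") + bytes(2)
            + status.to_bytes(4, "little") + command.to_bytes(2, "little")
            + (1).to_bytes(2, "little") + flags.to_bytes(4, "little")
            + next_command.to_bytes(4, "little") + (3).to_bytes(8, "little")
            + bytes(4) + (1).to_bytes(4, "little")
            + (0x1122).to_bytes(8, "little") + bytes(16))


def _tree_connect_body():
    """StructureSize 16, ShareType disk, Reserved, ShareFlags, Capabilities, MaximalAccess."""
    return ((16).to_bytes(2, "little") + bytes([0x01, 0x00]) + bytes(4) + bytes(4)
            + (0x001F01FF).to_bytes(4, "little"))


def _session(payload, claimed=None):
    n = len(payload) if claimed is None else claimed
    return b"\x00" + n.to_bytes(3, "big") + payload


def sample_frames():
    """Constructed frames: normal, padded past the structure, over-claimed length,
    a compounded pair of responses, and an access-denied error response."""
    hdr = _smb2_header(SMB2_TREE_CONNECT, SMB2_FLAGS_SERVER_TO_REDIR)
    first = _smb2_header(SMB2_TREE_CONNECT, SMB2_FLAGS_SERVER_TO_REDIR, next_command=80)
    err = _smb2_header(SMB2_TREE_CONNECT, SMB2_FLAGS_SERVER_TO_REDIR, status=0xC0000022)
    error_body = (9).to_bytes(2, "little") + bytes([0, 0]) + bytes(4) + b"\x00"
    return {
        "normal": _session(hdr + _tree_connect_body()),
        "padded": _session(hdr + _tree_connect_body() + b"\x41" * 1000),
        "overclaimed": _session(hdr + _tree_connect_body(), claimed=0xFFFF),
        "compounded": _session(first + _tree_connect_body() + hdr + _tree_connect_body()),
        "error": _session(err + error_body),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(name, check_tree_connect_response(frame))
```

Run it over reassembled TCP/445 streams rather than raw segments: a response split across two segments looks exactly like an over-claimed length to this check, so the reassembly step must come first or the "claims more than sent" branch will fire on benign traffic.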

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Odinaff SSL activity
  • System Compromise, C&C Communication, TorrentLocker SSL

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with the exploitation of a vulnerability, followed by the installation of malware, which often includes a Remote Administration Tool (RAT) used to gain persistent control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, KilerRAT
  • System Compromise, Malware RAT, NanoCore

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Bruteforce Authentication, SMTP
  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Default Credentials, Successful Logon to Default Account
  • Environmental Awareness, Suspicious Behaviour, Failed Logon because of invalid logon hours
  • Environmental Awareness, Suspicious Behaviour, Failed Logon to Default Account
  • Environmental Awareness, Suspicious Behaviour, Failed Logon to Disabled Account
  • Environmental Awareness, Suspicious Behaviour, Failed Logon to Expired Account
  • Environmental Awareness, Suspicious Behaviour, Failed Logon to Nonexistent Account
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Necurs
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Targeted Malware, KopiLuwak
  • System Compromise, Targeted Malware, RocketKitten
  • System Compromise, Targeted Malware, Turla
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Bunitu
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Trojan infection, Nemucod
  • System Compromise, Trojan infection, SpyAgent
  • System Compromise, Trojan infection, SpyBanker
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, ZeroAccess