Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of March 2016

New Detection Technique - Apache Jetspeed RCE (CVE-2016-0710)

A vulnerability exists in Apache Jetspeed, an open-source enterprise information portal and open portal platform written in Java and XML, released under the Apache license and based on open standards. The vulnerability affects Apache Jetspeed version 2.3.0. The issue is that authentication is not enforced when calling the User Manager service of the Jetspeed REST API. An unauthenticated attacker can therefore compromise all of the information contained within the portal, including adding, editing or deleting portal users, granting administrative access and resetting the passwords of existing users.

We have added the following correlation rule to detect this malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Jetspeed RCE (CVE-2016-0710)
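As an added example (not part of this update and not AlienVault's correlation logic), the following script triages web-server access logs for calls that reached the Jetspeed User Manager REST service without being rejected, which is the behaviour the vulnerability description above implies. The service path prefix is an assumption about a typical deployment; the log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict

# Path prefix of the Jetspeed REST User Manager service. This is an assumption
# about the deployment (context path and service mount); adjust to match yours.
USERMANAGER_PREFIX = "/jetspeed/services/usermanager/"

# Methods that add, edit or delete users or reset passwords.
STATE_CHANGING = {"POST", "PUT", "DELETE"}

# Combined/common log format as written by Apache httpd or Tomcat's AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
)

def parse_access_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_usermanager_abuse(lines):
    """Flag requests that reached the User Manager service without being rejected.

    A patched Jetspeed answers unauthenticated calls with 401/403; any other
    status means the service processed the request. State-changing methods are
    rated high because they map directly to user creation, edits and password
    resets."""
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or not rec["path"].split("?")[0].startswith(USERMANAGER_PREFIX):
            continue
        if rec["status"] in ("401", "403"):
            continue
        severity = "high" if rec["method"] in STATE_CHANGING else "medium"
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": severity,
        })
    return findings

def summarise_by_source(findings):
    """Group findings by source IP, highest severity first, for triage."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["ip"]].append(f)
    return {ip: sorted(fs, key=lambda f: f["severity"] != "high")
            for ip, fs in by_ip.items()}

# Constructed sample log lines (not real traffic) covering an unrelated request,
# an unauthenticated read, an unauthenticated write and a rejected call.
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Mar/2016:10:02:11 +0000] "GET /jetspeed/portal/ HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Mar/2016:10:02:15 +0000] "GET /jetspeed/services/usermanager/users HTTP/1.1" 200 2301',
    '198.51.100.23 - - [01/Mar/2016:10:02:19 +0000] "POST /jetspeed/services/usermanager/users HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Mar/2016:10:05:40 +0000] "DELETE /jetspeed/services/usermanager/users/admin HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, fs in summarise_by_source(find_usermanager_abuse(SAMPLE_LOG)).items():
        for f in fs:
            print(f"{f['severity']:6} {ip} {f['method']} {f['path']} -> {f['status']}")
```

Legitimate administrators also call this service successfully, so in practice exclude the addresses of known administrative hosts, or correlate the hits with the absence of a portal login from the same source shortly before; on a patched instance every unauthenticated call should appear with a 401 or 403 and produce no finding.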

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed several vulnerabilities in its products, including Internet Explorer and Office. A specially crafted web page could use the Internet Explorer vulnerabilities to trigger arbitrary code execution.

We have added IDS signatures and the following correlation rules to detect activity related to Internet Explorer vulnerabilities:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Browser Memory Corruption Vulnerability (CVE-2016-0105)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Browser Memory Corruption Vulnerability (CVE-2016-0109)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer AddRow OOB Access (CVE-2016-0107)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Corruption Vulnerability (CVE-2016-0113)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Corruption Vulnerability (CVE-2016-0123)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Corruption Vulnerability (CVE-2016-0124)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer CSVGHelpers Use-After-Free (CVE-2016-0111)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer GetDISPID Type Confusion (CVE-2016-0112)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2016-0108)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2016-0114)

We have also added IDS signatures and the following correlation rules to detect activity related to Office, Edge, Windows Media Player and privilege escalation vulnerabilities:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Office Memory Corruption Vulnerability Pointer Reuse (CVE-2016-0021)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge RCE Attempt (CVE-2016-0117)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Elevation of Privilege Vulnerability (CVE-2016-0087)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Elevation of Privilege Vulnerability (CVE-2016-0106)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Media Player Use-After-Free (CVE-2016-0098)

New Detection Technique - Syndicasec

Syndicasec was used in spear phishing emails targeting Indian government organizations. It installs a backdoor that can be controlled remotely and connects to a command-and-control (CnC) server to receive further commands. All of the RTF attachments in the spear phishing emails attempt to exploit CVE-2012-0158, the long-patched vulnerability in the MSCOMCTL ActiveX control that is commonly triggered through Microsoft Word documents.

We have added the following correlation rule to detect this malicious activity:

  • System Compromise, Trojan infection, Syndicasec
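Because the attachments described above rely on a vulnerability from 2012, a mail gateway or analyst can triage RTF attachments before detonation by looking for the MSCOMCTL control objects that CVE-2012-0158 exploits embed. The following scanner is an added example, not AlienVault's signature logic: it decodes every \objdata group and searches for the CLSIDs of the vulnerable controls. The two GUIDs in the table are reproduced from memory and the table is not exhaustive; the sample document is constructed and carries no exploit payload.

```python
import re

# CLSIDs of MSCOMCTL.OCX controls whose OLE objects are used to trigger
# CVE-2012-0158. Assumption: reproduced from memory and not exhaustive;
# extend the table from your own reference material.
MSCOMCTL_CLSIDS = {
    "BDD1F04B-858B-11D1-B16A-00C0F0283628": "MSComctlLib.ListViewCtrl",
    "C74190B6-8589-11D1-B16A-00C0F0283628": "MSComctlLib.TreeCtrl",
}

def clsid_to_bytes(clsid: str) -> bytes:
    """Serialise a GUID string the way it is stored in an OLE stream:
    the first three fields little-endian, the last two as written."""
    p = clsid.split("-")
    return (bytes.fromhex(p[0])[::-1] + bytes.fromhex(p[1])[::-1]
            + bytes.fromhex(p[2])[::-1] + bytes.fromhex(p[3]) + bytes.fromhex(p[4]))

# The hex payload of an \objdata group runs up to the group's closing brace.
OBJDATA_RE = re.compile(r"\\objdata\b([^}]*)}", re.S)
NON_HEX_RE = re.compile(r"[^0-9A-Fa-f]")

def objdata_blobs(rtf: str):
    """Yield the decoded bytes of every \\objdata group, tolerating the line
    wrapping, whitespace and mixed case that Word and exploit builders emit."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = NON_HEX_RE.sub("", m.group(1))
        if len(hexstr) % 2:          # truncated trailing nibble: drop it
            hexstr = hexstr[:-1]
        yield bytes.fromhex(hexstr)

def scan_rtf(rtf: str) -> list:
    """Return the indicators found: an \\objclass hint naming MSComctlLib
    and/or a vulnerable control CLSID inside an embedded object."""
    hits = []
    if re.search(r"\\objclass\s+MSComctlLib\.", rtf):
        hits.append("objclass:MSComctlLib")
    for blob in objdata_blobs(rtf):
        for clsid, name in MSCOMCTL_CLSIDS.items():
            if clsid_to_bytes(clsid) in blob:
                hits.append("clsid:" + name)
    return hits

# Constructed sample document (not a real exploit): a wrapped, mixed-case
# \objdata blob whose OLE header carries the ListView CLSID.
SAMPLE_RTF = r"""{\rtf1\ansi
{\object\objocx\objw1000\objh1000
{\*\objclass MSComctlLib.ListViewCtrl.2}
{\*\objdata
0105000002000000
4bf0d1bd8b85d111
B16A00C0F0283628
0000000000000000
}}}"""

BENIGN_RTF = r"{\rtf1\ansi Quarterly report.\par}"

if __name__ == "__main__":
    print("sample:", scan_rtf(SAMPLE_RTF))
    print("benign:", scan_rtf(BENIGN_RTF))
```

The \objclass hint is the cheapest check but is optional in RTF and easily omitted by an attacker, which is why the scanner also decodes the object data itself; a hit on either indicator in an inbound attachment is worth quarantining, since no legitimate document has a reason to embed these controls.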

New Detection Technique - Ransomware

Cybercriminals attempted to distribute a new OS X ransomware family, dubbed KeRanger, through the official installer for the BitTorrent client Transmission. KeRanger is reported as the first functional ransomware for the Mac OS X platform and, according to a report by Bitdefender, it is based on the Linux.Encoder ransomware.

We added new IDS signatures and the following correlation rule to detect this ransomware:

  • System Compromise, Ransomware infection, KeRanger

Last week, we also added IDS signatures and a correlation rule to detect another new ransomware family:

  • System Compromise, Ransomware infection, Virus-Encoder

In addition to that, we updated some rules and added new IDS signatures to improve the detection of previously known ransomware families:

  • System Compromise, Ransomware infection, Filecoder
  • System Compromise, Ransomware infection, PadCrypt
  • System Compromise, Ransomware infection, Pottieq

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Backdoor, Possible Custom Content Type Manager WP Backdoor Access
  • System Compromise, Trojan infection, Agent PQQ
  • System Compromise, Trojan infection, Bl4cKs0cK
  • System Compromise, Trojan infection, jRAT
  • System Compromise, Trojan infection, Lapka
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Tarp1m
  • System Compromise, Trojan infection, TrosmAgent
  • System Compromise, Trojan infection, Unknown PowerShell SSL Activity

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Zeus SSL Certificate

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all of the attacks it knows in order to compromise the user's browser and install malware on the machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Malware infection, Browser exploit
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Targeted Malware, Machete - Ragua
  • System Compromise, Trojan infection, BillGates
  • System Compromise, Trojan infection, FlyStudio
  • System Compromise, Trojan infection, Fsysna
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Scarlet Mimic
  • System Compromise, Trojan infection, SpyAgent
  • System Compromise, Trojan infection, Unknown trojan