Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of November 2016

New Detection Technique - XM1RPC Spam Backdoor

A new spam and backdoor campaign targeting WordPress sites has been discovered. It is dubbed 'XM1RPC' after the filename 'xm1rpc.php', which the campaign uses to confuse administrators familiar with XML-RPC. The malware is known to infect all of the sites on a server that share the same FTP account.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, XM1RPC Spam Backdoor

New Detection Techniques

The following correlation rules have been added due to recent malicious activity:

  • Environmental Awareness, Covert channel, UltraVNC
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, AVTECH IP Camera Auth Bypass Vulnerability
  • System Compromise, Trojan infection, RediModiUpd

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed vulnerabilities in the Edge browser, Internet Explorer, and other components of Windows.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Null Character Classid RCE (CVE-2016-7195)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Internet Explorer mshtml.dll Use After Free Vulnerability (CVE-2016-7196)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge edgehtml Memory Corruption (CVE-2016-7198)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7201)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge Buffer Overflow (CVE-2016-7202)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge Chakra.dll Heap Overflow (CVE-2016-7203)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge File Disclosure Vulnerability (CVE-2016-7204)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge Buffer Overflow (CVE-2016-7217)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer 11 Windows 10 Information Disclosure (CVE-2016-7227)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Excel corrupted incorrect COLINFO record download (CVE-2016-7228)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7240)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge JSON.parse RCE (CVE-2016-7241)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7242)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible UNC Path in Vulnerable SQL Query (CVE-2016-7250)

Updated Detection Technique - iOS Pegasus Safari Exploit (CVE-2016-4657)

A threat using three critical iOS zero-day vulnerabilities was uncovered by Citizen Lab and Lookout. When the three vulnerabilities are exploited together, they form an attack chain that subverts Apple's strong security environment, hence the vulnerabilities are dubbed "Trident." Trident is being used in a spyware product called Pegasus. Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation. Apple has fixed all three Trident vulnerabilities in iOS 9.3.5.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, iOS Pegasus Safari Exploit (CVE-2016-4657)

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
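The matching that such rules perform, shown as an added example that is not part of the original update or the vendor's product: it assumes the blocklist uses the CSV layout abuse.ch publishes for its SSL blacklist (listing date, SHA1, listing reason) and that TLS observations carry the server certificate's SHA1; every fingerprint and record below is constructed.

```python
import csv
import io
import re
from typing import Dict, List

_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed fingerprints (not real indicators).
GOZI_FP = "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334"
GOOTKIT_FP = "0f1e2d3c4b5a69788796a5b4c3d2e1f000112233"
BENIGN_FP = "ffeeddccbbaa99887766554433221100ffeeddcc"
# Same Gootkit fingerprint as some tools print it: upper-case, colon-separated.
GOOTKIT_FP_COLON = ":".join(GOOTKIT_FP[i:i + 2] for i in range(0, 40, 2)).upper()

# Constructed blocklist; layout assumed to follow SSLBL's "Listingdate,SHA1,Listingreason".
BLOCKLIST_CSV = f"""\
# Listingdate,SHA1,Listingreason
2016-11-02 09:14:31,{GOZI_FP},Gozi C&C
2016-11-03 17:02:10,{GOOTKIT_FP.upper()},Gootkit C&C
"""

# Constructed TLS observations: ts, client, server, port, SNI, server cert SHA1.
OBSERVATIONS_TSV = f"""\
1478170001.12\t10.0.0.5\t203.0.113.10\t443\tcdn.example\t{GOZI_FP}
1478170002.40\t10.0.0.7\t198.51.100.20\t443\tmail.example\t{BENIGN_FP}
1478170003.77\t10.0.0.9\t203.0.113.44\t8443\t-\t{GOOTKIT_FP_COLON}
"""

def normalize_fp(raw: str) -> str:
    """Canonical form: lower-case hex without separators, so list and log formats agree."""
    fp = raw.strip().replace(":", "").lower()
    if not _SHA1_RE.match(fp):
        raise ValueError(f"not a SHA1 fingerprint: {raw!r}")
    return fp

def load_blocklist(text: str) -> Dict[str, str]:
    """Map fingerprint -> listing reason, skipping '#' comment rows."""
    blocklist: Dict[str, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        _listed, sha1, reason = row  # fails loudly if the layout changes
        blocklist[normalize_fp(sha1)] = reason
    return blocklist

def detect(observations: str = OBSERVATIONS_TSV, blocklist_csv: str = BLOCKLIST_CSV) -> List[dict]:
    """Return one alert per TLS observation whose server certificate is listed."""
    blocklist = load_blocklist(blocklist_csv)
    alerts = []
    for line in observations.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, sni, fp = line.split("\t")
        reason = blocklist.get(normalize_fp(fp))
        if reason:
            alerts.append({"ts": ts, "src": src, "dst": f"{dst}:{port}", "sni": sni, "reason": reason})
    return alerts
```

Matching on the raw string would miss the third record; the normalization step is what lets a single list serve logs written by different sensors.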

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with exploitation of a vulnerability, followed by installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Malware RAT, Unknown RAT

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Enigma
  • System Compromise, Ransomware infection, PornoAsset

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As we described in a blog post: "We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and updated the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Backdoor, Mocker
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Targeted Malware, APT29
  • System Compromise, Targeted Malware, APT29 SSL Activity
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Hancitor
  • System Compromise, Trojan infection, Keitaro TDS
  • System Compromise, Trojan infection, Tinba
  • System Compromise, Trojan infection, Unknown trojan