Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of June 2017

New Detection Technique - PLATINUM

PLATINUM is an APT actor, first reported in April 2016, that has been known to target South and Southeast Asian companies across a range of industries. Since then, an updated tool linked to the group has been discovered that uses the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication. Until this incident, no malware had been observed misusing the AMT SOL feature for communication.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, PLATINUM

New Detection Technique - APT19

APT19 is a group of freelancers, with some degree of Chinese government sponsorship, that has been observed running a phishing campaign targeting at least seven global investment and law firms. They have used various techniques in an attempt to compromise targets, such as malicious RTFs and macro-enabled Excel documents.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, APT19

New Detection Technique - Fireball

Fireball is browser-targeting malware with two primary functions: running code on the victim's computer and manipulating the user's web browsers to generate ad revenue. Currently Fireball installs browser plugins and additional configurations to increase the advertisements it serves, but it could easily be used to distribute malware. Fireball has infected over 250 million computers worldwide, up to 20% of them in corporate networks.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, Fireball

New Detection Technique - WiMAX Authentication Bypass (CVE-2017-3216)

Due to a vulnerability in commit2.cgi, implemented in libmtk_httpd_plugin.so, various WiMAX devices are exposed to an authentication bypass that allows an attacker to set arbitrary configuration values without prior authentication.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, WiMAX Authentication Bypass (CVE-2017-3216)

New Detection Technique - Informix Dynamic Server Vulnerabilities

Informix Dynamic Server and the Informix Open Admin Tool recently patched a number of vulnerabilities ranging from heap overflows to PHP injections. If left unpatched, these vulnerabilities could allow a remote attacker to gain command execution on the affected systems.

We've added IDS signatures and the following correlation rules to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, IBM Informix Dynamic Server Developer Heap Overflow
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, IBM Informix Dynamic Server Developer PHP Injection RCE

New Detection Technique - Hadoop RCE

Due to a "feature" in Hadoop, an unauthenticated attacker can pass arbitrary input to MapReduce as the command to be executed.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Hadoop Command Injection Attempt

New Detection Technique - icmpsh

icmpsh is a tool that enables an attacker to covertly exfiltrate data over the ICMP protocol.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Environmental Awareness, Covert channel, icmpsh
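The bullet above names the correlation rule; the following is an added example of the kind of host-side heuristic a defender can run over ICMP echo traffic to spot the same pattern. It is not the vendor's rule or the icmpsh project's code. It assumes the IP header has already been stripped from each message, and the sample packets (both the benign pings and the shell-output-like requests) are constructed inline for the demonstration.

```python
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8

# Payload the Windows ping utility sends: 32 bytes cycling a..w
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def parse_icmp(raw):
    """Parse an ICMP message (IP header already stripped).

    Returns a dict with the echo header fields and payload, or None when
    the message is too short to carry an ICMP header.
    """
    if len(raw) < 8:
        return None
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": raw[8:]}


def is_standard_ping_payload(payload):
    """True for the filler bytes the common ping utilities send."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils (Linux) ping: 8-byte timestamp, then bytes 0x10, 0x11, 0x12, ...
    if len(payload) >= 16:
        tail = payload[8:]
        if all(b == (0x10 + i) & 0xFF for i, b in enumerate(tail)):
            return True
    return False


def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload)


def assess_echo_stream(messages):
    """Score a list of raw ICMP messages seen from one host.

    Groups echo requests by ICMP identifier (one sending process normally
    keeps one id) and reports identifiers whose requests carry non-standard,
    text-like or variably sized payloads: the shape an ICMP shell produces
    when it ships command output out inside echo requests.
    """
    by_id = defaultdict(list)
    for raw in messages:
        msg = parse_icmp(raw)
        if msg and msg["type"] == ICMP_ECHO_REQUEST:
            by_id[msg["id"]].append(msg["payload"])

    findings = []
    for ident, payloads in by_id.items():
        reasons = []
        nonstandard = [p for p in payloads if not is_standard_ping_payload(p)]
        if nonstandard:
            reasons.append("non-standard ping payload")
        if any(printable_ratio(p) > 0.9 for p in nonstandard):
            reasons.append("text-like payload (possible command output)")
        if len({len(p) for p in payloads}) > 1:
            reasons.append("payload length varies within one echo id")
        if reasons:
            findings.append({"id": ident, "requests": len(payloads),
                             "reasons": reasons})
    return findings


def build_echo_request(ident, seq, payload):
    """Assemble an echo request with a zero checksum (constructed test data)."""
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload


# Constructed sample traffic, not captured from a real host.
BENIGN_PINGS = [build_echo_request(0x0001, seq, WINDOWS_PING_PAYLOAD)
                for seq in range(1, 4)]

SHELL_LIKE_REQUESTS = [
    build_echo_request(0x1337, 1, b" Volume in drive C has no label.\r\n"),
    build_echo_request(0x1337, 2, b" Directory of C:\\Users\\victim\r\n\r\n"),
    build_echo_request(0x1337, 3, b"06/01/2017  09:14 AM    <DIR>          Documents\r\n"),
]

if __name__ == "__main__":
    print("benign:", assess_echo_stream(BENIGN_PINGS))
    print("suspicious:", assess_echo_stream(SHELL_LIKE_REQUESTS))
```

The three heuristics are deliberately independent: a tool that pads every message to a fixed size defeats the length check but not the payload-pattern check, and one that encodes its data defeats the printable-text check but still fails the standard-filler comparison. Feeding the function with echo requests grouped per source host, as a sensor would, keeps the per-identifier grouping meaningful.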

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Executioner

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Hidden-Tear

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Weak Configuration - Unauthenticated Access, OTRS Installation Dialog (after auth) attempt
  • System Compromise, Trojan infection, Hana
  • System Compromise, Trojan infection, Patpoopy
  • System Compromise, Trojan infection, Squiblydoo Scriptlet Download
  • System Compromise, Malware RAT, ColorFish

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Unknown RAT

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Bunitu
  • System Compromise, Trojan infection, Carbanak
  • System Compromise, Trojan infection, MSIL/IRCBot
  • System Compromise, Trojan infection, Neshta
  • System Compromise, Trojan infection, Qakbot
  • System Compromise, Trojan infection, Stimilik
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Unknown trojan