Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of October 2017

New Detection Technique - Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt

Last week, the Apache Tomcat team announced that a range of Tomcat versions (9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46, and 7.0.0 to 7.0.81) contain a remote code execution (RCE) vulnerability, CVE-2017-12617. When HTTP PUT is enabled on the Default servlet (the readonly initialisation parameter set to false; the shipped default is true), an attacker can upload a JSP file by sending a PUT request whose path carries a trailing slash (for example, shell.jsp/). The trailing slash bypasses the check that normally refuses PUT of JSP files, and Tomcat writes the file to disk without it. The malicious code is executed when the uploaded JSP is then requested by any HTTP client. The issue affects Tomcat on all operating systems.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt
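The two checks a practitioner wants alongside the rule above are (a) flagging PUT requests whose decoded path ends in .jsp/ and (b) confirming whether a Tomcat instance actually has the Default servlet writable. The following is an added example for this page, not AlienVault's IDS signature or correlation rule; every request line and the web.xml fragment are constructed, and the verdict names are this example's own.

```python
"""Flag HTTP PUT requests that attempt the CVE-2017-12617 JSP upload bypass,
and check whether a Tomcat web.xml leaves the Default servlet writable.

Added example for this page; it is not AlienVault's IDS signature or
correlation rule. All request lines and the web.xml fragment are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed request lines, as they would appear in an access log or an IDS
# HTTP record. Only the first, fifth and sixth are the bypass pattern.
SAMPLE_REQUESTS = [
    "PUT /manager/test.jsp/ HTTP/1.1",   # trailing slash: the CVE-2017-12617 bypass
    "PUT /docs/upload.jsp HTTP/1.1",     # plain .jsp PUT, which Tomcat itself rejects
    "PUT /images/logo.png HTTP/1.1",     # PUT of a non-JSP resource
    "GET /index.jsp HTTP/1.1",           # ordinary GET, not of interest
    "PUT /a/b.JSP/ HTTP/1.1",            # same bypass, mixed-case extension
    "PUT /x/shell%2Ejsp%2F HTTP/1.1",    # same bypass, percent-encoded
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


def classify_request(line: str) -> Optional[str]:
    """Classify one request line.

    Returns "jsp-upload-bypass" for a PUT whose decoded path ends in .jsp/ or
    .jspx/, "jsp-put" for a direct PUT of a JSP, "put" for any other PUT, and
    None for non-PUT requests. The path is percent-decoded and case-folded
    first so that encoding or case tricks do not evade the check.
    """
    m = REQUEST_LINE.match(line.strip())
    if not m or m.group("method") != "PUT":
        return None
    path = unquote(m.group("target").split("?", 1)[0]).casefold()
    if path.endswith((".jsp/", ".jspx/")):
        return "jsp-upload-bypass"
    if path.endswith((".jsp", ".jspx")):
        return "jsp-put"
    return "put"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (request line, verdict) for every PUT in the input."""
    out = []
    for line in lines:
        verdict = classify_request(line)
        if verdict is not None:
            out.append((line, verdict))
    return out


# Constructed fragment in the layout of Tomcat's conf/web.xml. readonly=false on
# the Default servlet is the precondition for the bypass; the shipped default is true.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> bool:
    """True if the Default servlet's readonly init-param is explicitly false."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [c.text for c in servlet if _local(c.tag) == "servlet-name"]
        if names != ["default"]:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
    return False  # parameter absent: Tomcat defaults readonly to true


if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_REQUESTS):
        print(f"{verdict:18} {line}")
    print("Default servlet writable:", default_servlet_writable(SAMPLE_WEB_XML))
```

A "jsp-upload-bypass" hit on a server where default_servlet_writable() is False is an attempt that failed; on a server where it is True, treat it as a likely successful upload and look for a later GET of the same path without the trailing slash.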

New Detection Technique - Decafett

Decafett is malware used by the Lazarus Group. It is notable for its dependence on a unique dynamic DNS provider: the command and control (C&C) IP address is derived from a hostname stored in the registry or, failing that, from a default hostname hard-coded in the executable.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, Decafett

New Detection Technique - FreeMilk

Palo Alto Networks has discovered a limited spear-phishing campaign, dubbed FreeMilk, that leverages CVE-2017-0199, the Microsoft Office/WordPad remote code execution vulnerability. The campaign uses customized email content for each victim.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, FreeMilk

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Struts S2-053 (CVE-2017-12611)
  • System Compromise, Backdoor, Slove
  • System Compromise, Trojan infection, AnimusBot
  • System Compromise, Trojan infection, Black Stealer
  • System Compromise, Trojan infection, DeathBot.Java
  • System Compromise, Trojan infection, Evil Teamviewer Controller
  • System Compromise, Trojan infection, MSIL/MLSN
  • System Compromise, Trojan infection, Xwdoor

Updated Detection Technique - Amnesia

Amnesia is a variant of the IoT/Linux botnet known as "Tsunami." Amnesia targets an unpatched remote code execution vulnerability in DVR (digital video recorder) devices made by TVT Digital, which was publicly disclosed over a year ago, in March 2016.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Backdoor, Amnesia

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Ursnif SSL activity
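The matching the rules above perform is a lookup of the server certificate's SHA1 fingerprint against the Abuse.ch SSL Blacklist (SSLBL), which also lists Ursnif under its other name, Gozi. The following is an added example for this page, not AlienVault's signatures or rules: both the blocklist (in the SSLBL CSV column layout) and the TLS session records are constructed, and the fingerprints are dummies rather than real listings. The point it shows is that sensors print fingerprints in several forms (upper case, colon-separated), so normalisation before lookup is what makes the match reliable.

```python
"""Match observed TLS server-certificate fingerprints against an abuse.ch
SSLBL-style blocklist.

Added example for this page, not AlienVault's signatures. The blocklist and the
TLS records are constructed; the SHA1 values are dummies, not real SSLBL entries.
"""
import csv
import re
from typing import Dict, List, Tuple

# Constructed blocklist in the column layout of the SSLBL CSV feed
# (Listingdate,SHA1,Listingreason); comment lines start with '#'.
SAMPLE_SSLBL_CSV = """\
# Constructed sample, SSLBL layout
# Listingdate,SHA1,Listingreason
2017-10-02 07:28:33,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,Gozi C&C
2017-10-03 11:02:10,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,Dridex C&C
"""

# Constructed TLS session records (fields modelled on what a sensor's SSL/x509
# log carries). Fingerprints arrive in whatever form the sensor prints them,
# so matching must normalise before lookup.
SAMPLE_TLS_RECORDS = [
    {"ts": "2017-10-04T08:15:01Z", "src": "10.0.0.12", "dst": "203.0.113.7",
     "dport": 443, "cert_sha1": ":".join(["AA"] * 20)},    # colon-separated, upper case
    {"ts": "2017-10-04T08:16:40Z", "src": "10.0.0.15", "dst": "198.51.100.20",
     "dport": 443, "cert_sha1": "0123456789abcdef0123456789abcdef01234567"},  # benign
    {"ts": "2017-10-04T08:17:09Z", "src": "10.0.0.31", "dst": "192.0.2.9",
     "dport": 8443, "cert_sha1": "bb" * 20},               # non-standard port still matches
]

_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_fp(fp: str) -> str:
    """Lower-case a SHA1 fingerprint and drop colon/space separators."""
    clean = fp.strip().lower().replace(":", "").replace(" ", "")
    if not _HEX40.match(clean):
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return clean


def load_sslbl(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse SSLBL CSV text into {sha1: (listing_date, reason)}, skipping comments."""
    rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    blocklist: Dict[str, Tuple[str, str]] = {}
    for date, sha1, reason in csv.reader(rows):
        blocklist[normalize_fp(sha1)] = (date, reason)
    return blocklist


def match_tls_log(records: List[dict], blocklist: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return one alert per record whose server certificate is on the blocklist.

    The alert carries the normalised fingerprint, the listing reason (the
    malware family SSLBL attributes the certificate to) and the listing date.
    """
    alerts = []
    for rec in records:
        fp = normalize_fp(rec["cert_sha1"])
        if fp in blocklist:
            date, reason = blocklist[fp]
            alerts.append({**rec, "cert_sha1": fp, "reason": reason, "listed": date})
    return alerts


if __name__ == "__main__":
    for alert in match_tls_log(SAMPLE_TLS_RECORDS, load_sslbl(SAMPLE_SSLBL_CSV)):
        print(f"{alert['ts']} {alert['src']} -> {alert['dst']}:{alert['dport']} "
              f"cert {alert['cert_sha1'][:12]}... listed {alert['listed']} as {alert['reason']}")
```

Matching on the fingerprint rather than on SNI or destination IP is what keeps the detection stable when the operators move infrastructure but reuse the certificate, which is the behaviour the SSLBL feed is built around.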

Updated Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Locky

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As AlienVault's Jaime Blasco described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Detection Technique - StrongPity

StrongPity is a malware family developed by the APT group of the same name. The group spreads its malware through watering hole attacks and trojanized installers of popular software (for example, WinRAR). StrongPity includes components that give the attackers complete control of the victim's system, enable them to steal disk contents, and allow them to download additional modules.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, StrongPity

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Wordpress
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Zbot
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, ClipBanker
  • System Compromise, Trojan infection, KOVTER.B
  • System Compromise, Trojan infection, MSIL/Injector.MHV
  • System Compromise, Trojan infection, Nitol
  • System Compromise, Trojan infection, Ovidiy
  • System Compromise, Trojan infection, SpyAgent
  • System Compromise, Trojan infection, Unknown trojan