Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of April 2017

New Detection Technique - Callisto

The Callisto Group is an APT group, active since October 2015, that is known to target military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. The group relies heavily on spear phishing sent from legitimate but compromised email accounts, with malicious payloads attached.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, Callisto

New Detection Technique - Mole

Mole is a new ransomware family that is currently being distributed by a social engineering exploit kit. The ransomware author tricks users into downloading what they think is a plugin for Microsoft Office, but is actually the ransomware.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, Mole

We also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Hidden-Tear
  • System Compromise, Ransomware infection, Locky

New Detection Technique - Cisco Catalyst RCE (CVE-2017-3881)

A vulnerability discovered in the Cisco Cluster Management Protocol processing code in Cisco IOS and IOS XE Software could allow a remote, unauthenticated attacker to execute code with elevated privileges.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Cisco Catalyst RCE (CVE-2017-3881)

Microsoft/Adobe Patch Tuesday

This week's updates include Microsoft/Adobe's Patch Tuesday content. Adobe and Microsoft fixed multiple vulnerabilities in their products.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Outlook Remote Code Execution Vulnerability Inbound (CVE-2017-0199)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge Type Confusion (CVE-2017-0200)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader CVE-2017-3014 Use After Free
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption CVE-2017-3017
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption CVE-2017-3019
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Information Disclosure CVE-2017-3020
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Information Disclosure CVE-2017-3022
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption CVE-2017-3024
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Use After Free CVE-2017-3027
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Information Disclosure CVE-2017-3023
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Information Disclosure CVE-2017-3029
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption CVE-2017-3030
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Information Disclosure CVE-2017-3032
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Information Disclosure CVE-2017-3033
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Integer Overflow CVE-2017-3034
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Integer Overflow CVE-2017-3035
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption CVE-2017-3039
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Information Disclosure CVE-2017-3044
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Information Disclosure CVE-2017-3045
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Information Disclosure CVE-2017-3046
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Use After Free CVE-2017-3047
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader TIFF Heap Overflow (CVE-2017-3048)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader TIFF Heap Overflow (CVE-2017-3049)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption CVE-2017-3056
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Use After Free CVE-2017-3057

New Detection Techniques

We've added the following correlation rules as a result of recent exploit and malicious activity:

  • System Compromise, Trojan infection, RCS
  • System Compromise, Trojan infection, BlueNoroff/Lazarus
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible RTF 0-day
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, HTA File containing Wscript.Shell Call

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Cobalt Strike

Cobalt Strike describes itself as a "threat emulation software for red teams and penetration testers." Cobalt Strike comes with a post-exploitation agent in order to simulate APT actors and has the ability to communicate over covert channels and emulate the C2 structure of various malware. 

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, CobaltStrike

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Remcos/Remvi

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, ZLoader SSL activity
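To show what a certificate-fingerprint check of this kind does in practice, here is an added example (not code from this update or from the vendor's rules). It assumes a blacklist in the abuse.ch SSL Blacklist CSV layout (Listingdate,SHA1,Listingreason); the listed fingerprints, reasons and the TLS connection records are constructed for the example.

```python
import csv
import io
from typing import Dict, List

# Constructed sample in the abuse.ch SSL Blacklist CSV layout
# (Listingdate,SHA1,Listingreason). The fingerprints and reasons are made up.
SSLBL_CSV = """# abuse.ch SSL Blacklist (constructed sample, not the live feed)
Listingdate,SHA1,Listingreason
2017-04-10 08:12:44,0123456789abcdef0123456789abcdef01234567,ZLoader C&C
2017-04-11 13:05:02,89abcdef0123456789abcdef0123456789abcdef,Dridex C&C
"""

# Constructed TLS connection records as a network sensor might log them:
# client, server:port, and SHA1 fingerprint of the leaf certificate served.
TLS_LOG = [
    {"src": "10.0.0.15", "dst": "203.0.113.9:443",
     "fp": "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"},
    {"src": "10.0.0.22", "dst": "198.51.100.4:443",
     "fp": "ffffffffffffffffffffffffffffffffffffffff"},
]


def load_sslbl(text: str) -> Dict[str, str]:
    """Map lowercase SHA1 fingerprint -> listing reason, skipping '#' comments."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    reader = csv.DictReader(io.StringIO("\n".join(rows)))
    return {r["SHA1"].strip().lower(): r["Listingreason"].strip() for r in reader}


def normalize_fp(fp: str) -> str:
    """Sensors emit fingerprints with or without colons and in either case."""
    return fp.replace(":", "").strip().lower()


def match_tls_log(log: List[dict], blacklist: Dict[str, str]) -> List[dict]:
    """Return one alert per connection whose server certificate is blacklisted."""
    alerts = []
    for rec in log:
        reason = blacklist.get(normalize_fp(rec["fp"]))
        if reason:
            alerts.append({"src": rec["src"], "dst": rec["dst"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in match_tls_log(TLS_LOG, load_sslbl(SSLBL_CSV)):
        print(f"C&C certificate match: {alert['src']} -> {alert['dst']} ({alert['reason']})")
```

An exact-fingerprint match only fires when the attacker reuses a listed certificate, so it complements the protocol-level IDS signatures rather than replacing them.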

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, C&C Communication, Response from a DGA Domain
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, Unknown trojan