Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of August 2017

New Detection Technique - Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host RCE attempt

There is a vulnerability in the handling of the hostname (Host) header in the status GET request. Exploiting it can result in remote command execution on the device.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host RCE attempt
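The detection above keys on a malformed Host header sent to the status endpoint. As an added illustration of the defender-side check (not the vendor's code, and not a description of the actual exploit), the following Python validates a Host header against RFC 1123 hostname syntax plus an optional port, and flags constructed sample requests to `/status` whose header does not parse. The log format, the `/status` path and the sample values are assumptions made for this example.

```python
import re

# RFC 1123 label: alphanumerics and hyphens, no leading or trailing hyphen, at most 63 characters
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = _LABEL + r"(?:\." + _LABEL + r")*"
_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Host header = hostname or IPv4 literal, optionally followed by ":port"
_HOST_HEADER_RE = re.compile(r"^(?P<host>" + _HOSTNAME + r"|" + _IPV4 + r")(?::(?P<port>\d{1,5}))?$")


def parse_host_header(value):
    """Return (hostname, port) for a well-formed Host header, or None if it must be rejected.

    Anything that is not a bare hostname/IPv4 plus optional port (shell metacharacters,
    whitespace, empty host, out-of-range port) yields None so the caller never uses it.
    """
    if value is None:
        return None
    m = _HOST_HEADER_RE.match(value)
    if not m:
        return None
    host = m.group("host")
    if len(host) > 253:  # total hostname length limit
        return None
    port = m.group("port")
    if port is None:
        return host.lower(), None
    port = int(port)
    if not 1 <= port <= 65535:
        return None
    return host.lower(), port


# Constructed sample requests (method, path, Host header); not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "/status", "unifi.example.com"),
    ("GET", "/status", "192.0.2.10:8443"),
    ("GET", "/status", "unifi.example.com;extra"),   # rejected: ';' is not hostname syntax
    ("GET", "/api/self", "not a hostname"),          # malformed, but not the status endpoint
]


def find_malformed_host_requests(requests, path="/status"):
    """Return indexes of GET requests to `path` whose Host header fails validation."""
    return [
        i for i, (method, req_path, host) in enumerate(requests)
        if method == "GET" and req_path == path and parse_host_header(host) is None
    ]


if __name__ == "__main__":
    for idx in find_malformed_host_requests(SAMPLE_REQUESTS):
        print("suspicious Host header on status request:", SAMPLE_REQUESTS[idx][2])
```

The validator is intentionally strict: a Host value that fails to parse is discarded rather than sanitized, which is the safer default when the header is later handed to anything that executes commands.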

New Detection Technique - Possible Use-After-Free CVE-2014-0312

There is a vulnerability in Microsoft Internet Explorer 8 through 11 that allows remote attackers to execute arbitrary code or cause a denial of service through memory corruption triggered by a specially crafted malicious web site.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Use-After-Free CVE-2014-0312

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Defray
  • System Compromise, Ransomware infection, LockCrypt

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, GlobeImposter
  • System Compromise, Ransomware infection, Locky

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, CLDAP Amplification Reflection
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MSIE/Edge Browser Type Confusion Vuln (CVE-2017-0037)
  • Exploitation & Installation, Malicious website - Exploit Kit, Disdain EK
  • System Compromise, Backdoor, Bumblebee
  • System Compromise, Trojan infection, Almanahe
  • System Compromise, Trojan infection, Compromised Chrome Extension
  • System Compromise, Trojan infection, ShadowPad
  • System Compromise, Trojan infection, Urelas

Updated Detection Technique - Cobalt Strike

Cobalt Strike describes itself as "threat emulation software for red teams and penetration testers." It ships with a post-exploitation agent used to simulate APT actors, which can communicate over covert channels and emulate the C2 structure of various malware families.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, CobaltStrike

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The following updated correlation rules use this information to detect command and control (C&C) communications related to several malware families:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Gozi SSL Activity
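The detection described above works by comparing the fingerprint of the server certificate observed in a TLS handshake against a feed of known-bad certificate fingerprints. As an added example (not the vendor's implementation and not Abuse.ch's own tooling), the Python below loads a blocklist written in the shape of a fingerprint feed (listing date, SHA1 of the DER certificate, listing reason), normalizes fingerprints so colon-separated and bare hex forms compare equal, and raises one alert per TLS connection record whose server certificate is listed. The feed entries, the TLS records, the record column names and the reason-to-rule mapping are all constructed assumptions for this example.

```python
import csv
import io

# Constructed blocklist text in the shape of a certificate fingerprint feed.
# The SHA1 values are placeholders made up for this example, not real feed entries.
BLOCKLIST_CSV = """\
# Listingdate,SHA1,Listingreason
2017-08-07 10:00:00,1111111111111111111111111111111111111111,Gozi C&C
2017-08-08 12:30:00,2222222222222222222222222222222222222222,TrickBot C&C
"""

# Constructed TLS connection records as a sensor might export them (column names assumed).
TLS_LOG_CSV = """\
ts,src_ip,dst_ip,dst_port,server_cert_sha1
1502100000,10.1.1.5,203.0.113.7,443,11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
1502100005,10.1.1.9,198.51.100.20,443,3333333333333333333333333333333333333333
1502100010,10.1.1.5,203.0.113.9,8443,2222222222222222222222222222222222222222
"""

# Rule names as listed in this update.
RULE_GENERIC = "System Compromise, C&C Communication, Known malicious SSL certificate"
RULE_GOZI = "System Compromise, C&C Communication, Gozi SSL Activity"


def normalize_sha1(value):
    """Lowercase a SHA1 fingerprint and strip separators so feed and sensor formats compare equal."""
    fp = value.replace(":", "").replace(" ", "").lower()
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("not a SHA1 fingerprint: %r" % value)
    return fp


def load_blocklist(text):
    """Parse the feed into {sha1: listing_reason}, skipping blank and '#' comment lines."""
    entries = {}
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    for _date, sha1, reason in csv.reader(rows):
        entries[normalize_sha1(sha1)] = reason
    return entries


def rule_for(reason):
    """Map a listing reason to a correlation rule name (assumed mapping for this example)."""
    return RULE_GOZI if reason.lower().startswith("gozi") else RULE_GENERIC


def match_tls_log(log_text, blocklist):
    """Return one alert dict per TLS record whose server certificate fingerprint is listed."""
    alerts = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        sha1 = normalize_sha1(rec["server_cert_sha1"])
        reason = blocklist.get(sha1)
        if reason is None:
            continue
        alerts.append({
            "rule": rule_for(reason),
            "src_ip": rec["src_ip"],
            "dst": "%s:%s" % (rec["dst_ip"], rec["dst_port"]),
            "sha1": sha1,
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in match_tls_log(TLS_LOG_CSV, load_blocklist(BLOCKLIST_CSV)):
        print(alert["rule"], "|", alert["src_ip"], "->", alert["dst"], "|", alert["reason"])
```

Matching on the certificate fingerprint rather than on IP or domain means the detection survives infrastructure rotation as long as the operators reuse the certificate, which is why a refreshed fingerprint feed is worth more than a static IP list for this class of C&C traffic.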

Updated Detection Technique - KopiLuwak

KopiLuwak is a malicious JavaScript payload created by the Turla group for cyberespionage operations. Turla is a Russian APT group known to leverage many different malware families, satellite-based command and control (C&C) servers, and malware for non-Windows operating systems. The KopiLuwak malware is fairly simple but flexible: it runs a standard batch of profiling commands on the victim and also lets the actors run arbitrary commands via Wscript.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, KopiLuwak

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, njRAT

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MSXMLHTTP Request
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Emotet
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Formbook
  • System Compromise, Trojan infection, Nuclear/APT30
  • System Compromise, Trojan infection, Speccom
  • System Compromise, Trojan infection, Squiblydoo Scriptlet Download
  • System Compromise, Trojan infection, XnxxAgent
  • System Compromise, Trojan infection, Zyklon