Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of June 2017

New Detection Technique - HIDDEN COBRA

US-CERT has released a Technical Alert (TA) about the malicious cyber activity by North Korean actors known as HIDDEN COBRA. The Technical Alert (TA) provides technical details on the tools and infrastructure used by cyber actors to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, HIDDEN COBRA

New Detection Technique - Trend Micro Control Manager 6.0 Vulnerabilities

Trend Micro Control Manager 6.0 has a vulnerability that allows an attacker to bypass the authentication process by adding a cookie with a specific value. This flaw can further be exploited to read XML files.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Trend Micro Control Manager 6.0 Arbitrary File Read
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Trend Micro Control Manager 6.0 Authentication Bypass

New Detection Technique - DDOS Siemens SIPROTEC (CVE-2015-5374)

Industroyer malware contains a Denial-of-Service (DoS) component that can be used against Siemens SIPROTEC devices. This tool leverages the CVE-2015-5374 vulnerability by sending specially crafted UDP packets to port 50000 of the target IP addresses.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, DDOS Siemens SIPROTEC (CVE-2015-5374)

New Detection Technique - TerraMaster Arbitrary File Upload

The TerraMaster F2-420 NAS has an unauthenticated Remote Code Execution vulnerability. Authentication can be bypassed by setting the kod_name cookie to any value, which allows an attacker to upload any file to any location on the file system; the web server runs as root.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, TerraMaster Arbitrary File Upload

New Detection Technique - HP Printer Attempted Path Traversal via PJL

A Path Traversal vulnerability exists in certain HP printers that attackers can use to execute arbitrary code.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Sensitive Data - Configuration File, HP Printer Attempted Path Traversal via PJL

Microsoft/Adobe Patch Tuesday

This week's updates include Microsoft/Adobe's Patch Tuesday content. Adobe and Microsoft fixed multiple vulnerabilities in their products.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe ATF Memory Corruption (CVE-2017-3078)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash AdvertisingMetadata UAF (CVE-2017-3084)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Display List Structure UAF (CVE-2017-3081)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Raster OOB (CVE-2017-3079)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache ActiveMQ RCE Possible JSP Upload (CVE-2016-3088)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, CVE-2017-8543 SMB CPMSetBindings RCE
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Edge Type Confusion RCE Vuln (CVE-2017-8497)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Edge Type Confusion Vuln (CVE-2017-8524)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge UAF (CVE-2017-8496)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Print Preview Info Disclosure Vuln
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows 10 LNK RCE (CVE-2017-8464)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows IIS Webdav RCE (CVE-2017-7269)

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rule to detect new ransomware families:

  • System Compromise, Ransomware infection, Ishtar

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Filecoder
  • System Compromise, Ransomware infection, Jaff

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Win32/OmgTick

Updated Detection Technique - MacSpy

MacSpy is a remote access trojan for the OS X platform that is currently being sold on underground forums. It acts as spyware on the infected system, capturing screenshots, keystrokes, and clipboard data and sending them to a C&C server. The C&C server can send commands to the RAT to perform additional malicious activity.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, MacSpy

Updated Detection Technique - Samba RCE Attempt (CVE-2017-7494)

A vulnerability in Samba was disclosed. It allows a user to upload a shared library to a writable share on a vulnerable Samba server and then cause the server to execute the uploaded file. This would allow an attacker to upload an exploit payload to a writable Samba share, resulting in code execution on any server running an affected version of the Samba package. This vulnerability currently affects all versions of Samba 3.5.0 and later.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Samba RCE Attempt (CVE-2017-7494)
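Because the write-able share is the precondition described above, an added example (not AlienVault's code) that audits an smb.conf for shares a client can write to and checks whether the `nt pipe support = no` global workaround from the Samba project's CVE-2017-7494 advisory is set; the sample configuration and share names are constructed for the example.

```python
import configparser

# Constructed sample smb.conf (not from any real system): two writable shares, one read-only.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP

[public]
   path = /srv/samba/public
   read only = no

[homes]
   writable = yes

[docs]
   path = /srv/samba/docs
   read only = yes
"""

def parse_smb_conf(text):
    # smb.conf is INI-like; keys are case-insensitive, ';' and '#' start comment lines
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    return cp

def _is_yes(value):
    # Samba boolean syntax
    return value is not None and value.strip().lower() in {"yes", "true", "1"}

def writable_shares(cp):
    """Shares a client can write to, i.e. where a remote user could place a shared library."""
    found = []
    for section in cp.sections():
        if section.lower() == "global":
            continue
        writable = False  # Samba's default is 'read only = yes'
        # 'writable'/'writeable' are the inverse of 'read only'; the last setting in a share wins
        for key, value in cp.items(section):
            if key == "read only":
                writable = not _is_yes(value)
            elif key in ("writable", "writeable"):
                writable = _is_yes(value)
        if writable:
            found.append(section)
    return found

def nt_pipe_support_disabled(cp):
    """True when the Samba project's 'nt pipe support = no' workaround is set in [global]."""
    return not _is_yes(cp.get("global", "nt pipe support", fallback="yes"))
```

Run it against the real smb.conf of a server that cannot yet be patched; every share it reports is one where the workaround, or removing write access, matters.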

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications for several malware families:

  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Vulnerable software, Adobe Flash
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
  • System Compromise, Backdoor, Webshell followed by console activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Service Exploit, Attacker gained shell access
  • System Compromise, Trojan infection, Andromeda
  • System Compromise, Trojan infection, Dynamer
  • System Compromise, Trojan infection, Jeefo
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, Nemucod
  • System Compromise, Trojan infection, Neshta
  • System Compromise, Trojan infection, Swisyn
  • System Compromise, Trojan infection, Unknown trojan