Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of May 2017

New Detection Technique - Possible Samba RCE Attempt (CVE-2017-7494)

A new vulnerability in Samba software has been disclosed. The vulnerability allows a user to upload a shared library to a writeable share on a vulnerable Samba server, and then cause the server to execute the uploaded file. This would allow an attacker to upload an exploit payload to a writeable Samba share, resulting in code execution on any server running an affected version of the Samba package. This vulnerability currently affects all versions of Samba 3.5.0 and later.

We've added IDS signatures and the following correlation rule to detect exploit activity against Samba:

  • System Compromise, Trojan infection, Possible Samba RCE Attempt (CVE-2017-7494)
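Beside the network-side signatures, a host-side check for the precondition this vulnerability depends on (a share the attacker can write to) is useful for scoping exposure. The Python audit below is an added example, not the bulletin's or Samba's own tooling: it parses an smb.conf, lists writeable and guest-writeable shares, and reports whether `nt pipe support = no`, the workaround Samba's advisory gave for this CVE, is set in [global]. The smb.conf content is constructed.

```python
import configparser

# Constructed smb.conf for illustration (not a real deployment).
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
[public]
path = /srv/samba/public
read only = no
guest ok = yes
[homes]
browseable = no
writable = yes
[docs]
path = /srv/samba/docs
read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}

def _is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES

def share_is_writeable(section: configparser.SectionProxy) -> bool:
    # Samba defaults to "read only = yes"; "writeable"/"writable" is the inverse
    # synonym and wins when present. ("write list" grants are not evaluated here.)
    for key in ("writeable", "writable"):
        if key in section:
            return _is_true(section[key])
    return "read only" in section and not _is_true(section["read only"])

def audit_smb_conf(text: str) -> dict:
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    result = {"writeable_shares": [], "guest_writeable_shares": [],
              "nt_pipe_support_disabled": False}
    if cp.has_section("global"):
        # Samba's advisory workaround for CVE-2017-7494; the default is "yes".
        result["nt_pipe_support_disabled"] = not _is_true(
            cp["global"].get("nt pipe support", "yes"))
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        if share_is_writeable(sec):
            result["writeable_shares"].append(name)
            if _is_true(sec.get("guest ok", "no")):
                result["guest_writeable_shares"].append(name)
    return result
```

Run it against the constructed config with `audit_smb_conf(SAMPLE_SMB_CONF)`; every writeable share on a Samba 3.5.0-or-later host without the workaround is a candidate for the correlation rule above to fire on.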

New Detection Technique - Adylkuzz

Adylkuzz is a cryptocurrency miner discovered by Proofpoint while investigating the WannaCry ransomware attack. Adylkuzz uses both the EternalBlue and DoublePulsar exploits to infect a machine and, once running, downloads the mining instructions, cryptominer, and cleanup tools. Symptoms of the attack include loss of access to shared Windows resources and degradation of PC and server performance. Interestingly, in some cases, Adylkuzz may have limited the spread of the WannaCry ransomware, as Adylkuzz shuts down SMB networking to prevent further infections of the machine with other malware.

We've added IDS signatures and the following correlation rule to detect Adylkuzz activity:

  • System Compromise, Trojan infection, Adylkuzz

New Detection Technique - Rakos

Rakos is malware that targets embedded devices and servers that have an open SSH port and a very weak password. Its objective is to assemble a list of unsecured devices and build a botnet of as many zombies as possible.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Rakos

New Detection Techniques

We've added the following correlation rules as a result of recent exploit and malicious activity:

  • Delivery & Attack, Client Side Exploit - Known Vulnerability, Veritas Netbackup RCE
  • Delivery & Attack, Suspicious File, Malicious SCF File Inbound
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Potential ASUS RT router Information Disclosure
  • System Compromise, C&C Communication, Hidden-Tear SSL activity
  • System Compromise, C&C Communication, May Ransomware SSL activity
  • System Compromise, Ransomware infection, EasyLocker
  • System Compromise, Ransomware infection, PyteHole
  • System Compromise, Trojan infection, Win32/ASPC
  • System Compromise, Trojan infection, ZLoader

Updated Detection Technique - WannaCry

WannaCry, also known as WannaCrypt, WanaCrypt0r 2.0 or wCry, is a new ransomware variant that uses the EternalBlue and DoublePulsar exploits to spread in a worm-like fashion. Researchers located a "kill switch" in the ransomware in the form of a domain lookup that prevents the ransomware from running. WannaCry's simplistic architecture has resulted in numerous copycat variants in the wild.

We've added IDS signatures and updated the following correlation rule to better detect this activity:

  • System Compromise, Ransomware infection, WannaCry

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Hidden-Tear

Updated Detection Technique - GhostAdmin

GhostAdmin is a malicious bot that works by infecting computers, gaining boot persistence, and establishing a communications channel with its command and control (C&C) server via an IRC channel. It has the ability to collect data from the infected computer and silently send it to a remote server. Once the communication channel is established, GhostAdmin can execute many commands, including interacting with the victim's filesystem, browsing to specific URLs, downloading and executing new files, taking screenshots, recording audio, enabling remote desktop connections, exfiltrating data, deleting log files, interacting with local databases, wiping browsing history, and more.

We've added IDS signatures and updated the following correlation rule to better detect this activity:

  • System Compromise, Trojan infection, GhostAdmin

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Orcus RAT SSL activity
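The matching these rules perform reduces to a fingerprint lookup, shown here as an added Python example that is not the bulletin's or AlienVault's code: observed TLS server-certificate SHA1 fingerprints are normalised and checked against an abuse.ch SSLBL-style blocklist. The CSV layout (Listingdate,SHA1,Listingreason) is the feed's published format as assumed here; the blocklist rows, fingerprints, and session records are all constructed.

```python
import csv

# Constructed blocklist in the assumed abuse.ch SSLBL CSV layout: '#' comment
# lines, then Listingdate,SHA1,Listingreason. Fingerprints/reasons are made up.
SAMPLE_SSLBL = """\
# Listingdate,SHA1,Listingreason
2017-05-10 08:12:44,0123456789abcdef0123456789abcdef01234567,Orcus RAT C&C
2017-05-11 13:40:02,fedcba9876543210fedcba9876543210fedcba98,Hidden-Tear C&C
"""

# Constructed TLS session records: (timestamp, client, server:port, cert SHA1).
# Sensors differ in how they print fingerprints, hence the mixed case and colons.
SAMPLE_TLS_SESSIONS = [
    ("2017-05-12T09:01:02Z", "10.0.0.15", "203.0.113.7:443",
     "0123456789abcdef0123456789abcdef01234567"),
    ("2017-05-12T09:02:11Z", "10.0.0.22", "198.51.100.9:443",
     "FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98"),
    ("2017-05-12T09:03:45Z", "10.0.0.15", "192.0.2.40:8443", "00" * 20),
]

def normalize_sha1(fp: str) -> str:
    """Canonical form: 40 lowercase hex chars, no separators."""
    return fp.replace(":", "").strip().lower()

def load_sslbl(text: str) -> dict:
    """Map SHA1 -> (listing date, reason), skipping comments and malformed rows."""
    blocklist = {}
    rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    for row in csv.reader(rows):
        if len(row) < 3:
            continue
        sha1 = normalize_sha1(row[1])
        if len(sha1) == 40 and all(c in "0123456789abcdef" for c in sha1):
            blocklist[sha1] = (row[0].strip(), row[2].strip())
    return blocklist

def match_sessions(blocklist: dict, sessions) -> list:
    """Return one alert dict per session whose server certificate is listed."""
    alerts = []
    for ts, client, server, fp in sessions:
        sha1 = normalize_sha1(fp)
        entry = blocklist.get(sha1)
        if entry:
            alerts.append({"time": ts, "client": client, "server": server,
                           "sha1": sha1, "listed": entry[0], "reason": entry[1]})
    return alerts
```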

Updated Detection Technique - Cobalt Strike

Cobalt Strike describes itself as "threat emulation software for red teams and penetration testers." It includes a post-exploitation agent used to simulate APT actors, which can communicate over covert channels and emulate the C2 structure of various malware.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, CobaltStrike

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible MS17-010
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware RAT, Unknown RAT
  • System Compromise, Trojan infection, Enfal
  • System Compromise, Trojan infection, Keitaro TDS
  • System Compromise, Trojan infection, Loki Bot
  • System Compromise, Trojan infection, Neutrino
  • System Compromise, Trojan infection, Steam Filestealer Extreme
  • System Compromise, Trojan infection, Unknown trojan