Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of October 2017

New Detection Technique - icmptunnel

icmptunnel is a tool that encapsulates IP traffic in ICMP echo packets and then forwards them to a proxy server. This can be used to bypass captive portals and firewalls. 
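For readers who want to see what the detection side of this looks like, here is an added example (not code from the original bulletin, and not part of the icmptunnel project) of one heuristic for spotting IP-in-ICMP tunnelling in captured traffic: an echo request or reply whose payload begins with a well-formed IPv4 header (version 4, sane length fields, header checksum that verifies) is almost certainly carrying an encapsulated packet rather than the timestamp-plus-pattern filler a normal ping sends. The script assumes raw IPv4 frames with no link-layer header, uses an assumed 64-byte ceiling for "normal" echo payloads, and runs over sample packets constructed inline.

```python
"""Heuristic detector for IP-in-ICMP tunnelling.

Added example, not from the original update. Assumptions (not from the page):
raw IPv4 frames with no link-layer header, a 64-byte ceiling for 'normal' echo
payloads, and constructed sample packets using documentation address ranges.
"""
import socket
import struct

MAX_PING_PAYLOAD = 64  # assumed ceiling: Linux ping sends 56 bytes, Windows 32
REASON_ENCAP = "payload carries an encapsulated IPv4 packet"
REASON_OVERSIZE = "oversized echo payload"
REASON_BAD_CSUM = "bad ICMP checksum"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data whose checksum field is filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def looks_like_ipv4_header(payload: bytes) -> bool:
    """True when the bytes start with a well-formed IPv4 header whose checksum verifies."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return False
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl:
        return False
    total_len = struct.unpack("!H", payload[2:4])[0]
    if total_len < ihl or total_len > len(payload):
        return False
    return inet_checksum(payload[:ihl]) == 0


def inspect_icmp_echo(packet: bytes):
    """Parse an IPv4/ICMP echo packet; return a dict with detection reasons, or None if not an echo."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:  # protocol 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype not in (0, 8):  # echo reply / echo request only
        return None
    payload = icmp[8:]
    reasons = []
    if inet_checksum(icmp) != 0:
        reasons.append(REASON_BAD_CSUM)
    if looks_like_ipv4_header(payload):
        reasons.append(REASON_ENCAP)
    if len(payload) > MAX_PING_PAYLOAD:
        reasons.append(f"{REASON_OVERSIZE} ({len(payload)} bytes)")
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "type": itype, "id": ident, "seq": seq,
        "payload_len": len(payload), "reasons": reasons,
    }


# --- builders used only to construct the sample packets below ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0x1234) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


# Constructed samples. A Linux-style ping payload: 8-byte timestamp + 0x10..0x3f pattern.
NORMAL_PING = build_ipv4("192.0.2.10", "198.51.100.7", 1,
                         build_icmp_echo(8, 0x0c0c, 1, struct.pack("<Q", 1507896000) + bytes(range(0x10, 0x40))))
# An echo request whose payload is a complete IPv4/TCP SYN, as an IP-over-ICMP tunnel would send.
INNER_SYN = build_ipv4("10.0.0.5", "198.51.100.7", 6,
                       struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 64240, 0, 0))
TUNNELLED = build_ipv4("192.0.2.10", "198.51.100.7", 1, build_icmp_echo(8, 0x0c0c, 2, INNER_SYN))
# An echo request with a large opaque payload: not provably encapsulation, but worth a look.
OVERSIZED = build_ipv4("192.0.2.10", "198.51.100.7", 1, build_icmp_echo(8, 0x0c0c, 3, bytes(1000)))
# Plain TCP, ignored by the inspector.
TCP_PACKET = build_ipv4("192.0.2.10", "198.51.100.7", 6, bytes(20))

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL_PING), ("tunnelled", TUNNELLED),
                      ("oversized", OVERSIZED), ("tcp", TCP_PACKET)]:
        print(name, inspect_icmp_echo(pkt))
```

The header-checksum test is what keeps the false-positive rate low: random ping filler rarely has a version nibble of 4, and practically never also carries a valid Internet checksum over its first 20 bytes. The size check is deliberately weaker and only flags traffic for review, since some legitimate tools send large echo payloads.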

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, icmptunnel

New Detection Technique - MODX Revolution 2.5.6 Blind SQL Injection

A SQL injection vulnerability exists in the xPDO library used by MODX Revolution 2.5.6. The "resource/getNodes" and "system/contenttype/getlist" actions are vulnerable due to a lack of input sanitization, allowing an authenticated attacker to read privileged data from the database.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MODX Revolution 2.5.6 Blind SQL Injection

New Detection Technique - NETGEAR ReadyNAS Surveillance Command Injection Attempt

An unauthenticated command injection vulnerability exists due to a lack of input sanitization of the "uploaddir" parameter. Specially crafted packets can allow an attacker to gain code execution.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, NETGEAR ReadyNAS Surveillance Command Injection Attempt

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Trojan.MSIL.Filecoder.JW

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Sage

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible TSIG authentication bypass (MAC size mismatch)
  • System Compromise, Trojan infection, VJWorm
  • System Compromise, Trojan infection, Browser Coinminer SSL Activity
  • System Compromise, Trojan infection, Worm.MSIL.Arcidwind.A
  • System Compromise, Trojan infection, CStrike
  • System Compromise, Trojan infection, DNSMessenger
  • System Compromise, Trojan infection, APT.Vemics
  • System Compromise, C&C Communication, Revcode SSL activity
  • System Compromise, Trojan infection, Browser Coinminer
  • System Compromise, Trojan infection, Gafanhoto

Updated Detection Technique - CCleaner

CCleaner is an application that allows users to perform routine maintenance on their systems, including cleaning of temporary files. The installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers, had been trojanized: it carried a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Backdoor, CCleaner

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As AlienVault's Jaime Blasco described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • System Compromise, Backdoor, Bladabindi
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Trojan infection, AgentTesla
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, Unknown trojan