Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of December 2016

Emerging Threat - CVE-2016-8610

CVE-2016-8610 is a denial-of-service vulnerability in the widely used OpenSSL library. It is caused by improper handling of SSL3_AL_WARNING alert records in the function "ssl3_read_bytes" in ssl/s3_pkt.c. An attacker can trigger it by repeatedly sending SSL3_AL_WARNING alerts during the SSL handshake, which drives CPU utilization to 100%.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, SSL Death Alert (CVE-2016-8610)
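As an added illustration of the pattern the signature above looks for (example code written for this update, not part of it or of OpenSSL), the following plaintext heuristic parses a stream of TLS records and counts warning-level alerts that arrive before the handshake switches to encrypted records. The threshold, the stub ClientHello and the sample streams are constructed assumptions.

```python
# Added example (not from the original update): a plaintext heuristic for the
# CVE-2016-8610 "SSL Death Alert" pattern, i.e. a flood of warning-level alert
# records arriving before the handshake switches to encrypted records.
import struct

CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE = 20, 21, 22
ALERT_WARNING, ALERT_FATAL = 1, 2
WARNING_THRESHOLD = 10  # assumption: tune to what your servers normally see


def iter_records(data):
    """Yield (content_type, body) for each complete TLS record in data."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated trailing record; ignore it
        yield ctype, body
        offset += 5 + length


def count_handshake_warning_alerts(data):
    """Count warning alerts seen before ChangeCipherSpec or a fatal alert."""
    warnings = 0
    for ctype, body in iter_records(data):
        if ctype == CT_CHANGE_CIPHER_SPEC:
            break  # later records are encrypted; the handshake is finishing
        if ctype == CT_ALERT and len(body) == 2:
            if body[0] == ALERT_FATAL:
                break  # a fatal alert ends the connection
            if body[0] == ALERT_WARNING:
                warnings += 1
    return warnings


def is_death_alert_flood(data, threshold=WARNING_THRESHOLD):
    return count_handshake_warning_alerts(data) >= threshold


def tls_record(ctype, body, version=0x0303):
    """Build a TLS record (used here only to construct sample traffic)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample streams; the ClientHello body is a stub, not a real hello.
CLIENT_HELLO = tls_record(CT_HANDSHAKE, b"\x01\x00\x00\x02\x03\x03")
WARNING_ALERT = tls_record(CT_ALERT, bytes([ALERT_WARNING, 100]))  # no_renegotiation
BENIGN_STREAM = CLIENT_HELLO + WARNING_ALERT + tls_record(CT_CHANGE_CIPHER_SPEC, b"\x01")
FLOOD_STREAM = CLIENT_HELLO + WARNING_ALERT * 50
```

A real sensor would keep the count per connection and reset it when the handshake completes, which this single-buffer version does not attempt.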

New Detection Technique - Nuclear Bot

Nuclear Bot is a new family of banking malware currently for sale on underground markets. When the dropper first runs, it performs several checks for well-known malware analysis tools; if any are found, the malware deletes all traces of itself. If the checks pass, it executes the "bot" component of the malware, which contacts the command and control (C&C) server to receive the web injects it uses for credential theft.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Nuclear Bot

New Detection Technique - CryptoBlock

CryptoBlock is a new ransomware family that appears to still be in active development. Although it displays a lock screen after running (similar to CryptoLocker's), the malware does not actually encrypt any files: it creates copies of the original files with scrambled file names and leaves the originals intact.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, CryptoBlock

New Detection Technique - Ransomware

In the past week, we have seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect multiple new ransomware families:

  • System Compromise, Ransomware infection, Braincrypt
  • System Compromise, Ransomware infection, Shijin

Last week, we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Encryptor RaaS
  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Hidden-Tear
  • System Compromise, Ransomware infection, Unknown Ransomware

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Pubsapp
  • System Compromise, Trojan infection, FREELOAD
  • System Compromise, Trojan infection, Dagobert
  • System Compromise, Trojan infection, Obnovi.B
  • System Compromise, Trojan infection, Gooligan

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all the attack methods it knows to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, DNSChanger EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor named APT28. APT28 continues to be active today. As described in a blog post, "we have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Detection Technique - Linux.Mirai

Linux.Mirai is malware designed to hijack BusyBox-based systems to perform DDoS attacks. It made news recently as the bot used in the DDoS attack on Brian Krebs's popular security blog. Mirai is known for how easily it victimizes IoT devices: it can enlist hundreds of thousands of devices into its botnet by exploiting the widespread use of telnet together with a list of factory-default usernames and passwords for vulnerable IoT devices.

The source code for the Linux.Mirai bot was released a few weeks ago. According to Radware, the loader and bot are coded in C, while the scanListen and command and control (C&C) services are written in Go, leveraging goroutines and channels in an efficient Communicating Sequential Processes (CSP) design pattern.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Linux.Mirai

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to browse the Internet anonymously. Tor also provides anonymity for servers that can only be reached through the Tor network, known as hidden services. Some websites act as onion proxies, exposing Tor hidden services to the regular Internet so they can be reached without being inside the Tor network.

We've updated the correlation rule that detects when a system accesses one of these onion proxies. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
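As an added example of the kind of lookup this rule is concerned with (example code written for this update, not part of it), the following detector scans DNS query log lines for hostnames that expose a Tor hidden service through a clearnet onion proxy. It assumes the common proxy naming form <onion-address>.onion.<proxy-domain>, covers 16-character v2 onion addresses and, going beyond the 2016 update, 56-character v3 addresses; the log format, proxy domain and onion names are constructed placeholders.

```python
# Added example (not from the original update): flag DNS queries that reach
# Tor hidden services through a clearnet onion proxy, where the .onion name is
# exposed as <onion-address>.onion.<proxy-domain>. Handles 16-char v2 and
# 56-char v3 onion addresses (v3 goes beyond what existed at the time).
import re

ONION_PROXY_RE = re.compile(
    r"(?:^|\.)(?P<onion>[a-z2-7]{16}|[a-z2-7]{56})"
    r"\.onion\.(?P<proxy>[a-z0-9-]+(?:\.[a-z0-9-]+)+)$"
)


def onion_proxy_target(hostname):
    """Return (hidden_service, proxy_domain), or None for an ordinary hostname."""
    m = ONION_PROXY_RE.search(hostname.rstrip(".").lower())
    if not m:
        return None
    return m.group("onion") + ".onion", m.group("proxy")


def scan_dns_log(lines):
    """Scan constructed 'timestamp client qname' log lines for proxy lookups."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the scan
        target = onion_proxy_target(fields[2])
        if target:
            hits.append({"time": fields[0], "client": fields[1],
                         "hidden_service": target[0], "proxy": target[1]})
    return hits


# Constructed sample log; proxy domain and onion names are placeholders.
SAMPLE_LOG = [
    "2016-12-19T10:00:01Z 10.0.0.5 www.example.com",
    "2016-12-19T10:00:02Z 10.0.0.5 abcdefghijklmnop.onion.example-proxy.test",
    "2016-12-19T10:00:03Z 10.0.0.7 onion.example.com",
    "2016-12-19T10:00:04Z 10.0.0.9 " + "a" * 56 + ".onion.example-proxy.test",
    "2016-12-19T10:00:05Z 10.0.0.9 pay.abcdefghijklmnop.onion.example-proxy.test",
    "malformed line",
]
```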

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, Microsoft Windows LSASS Remote Memory Corruption
  • System Compromise, Trojan infection, Banker
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Malware infection, SpyClicker.ClickFraud
  • System Compromise, Malware infection, Tofsee
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Trojan infection, Terdot
  • Delivery & Attack, Malicious website, Phishing activity