Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of June 2016

New Detection Technique - Apache Continuum Arbitrary Command Execution

Apache Continuum, a continuous integration server for Java projects, is vulnerable to an unauthenticated command injection attack and reflected XSS. A remote attacker could execute arbitrary commands by sending a POST request to saveInstallation.action with a specially crafted installation.varValue parameter.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • Exploitation & Installation, Vulnerable software, Apache Continuum Arbitrary Command Execution
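The following detection logic is an added illustration, not an AlienVault signature or Apache Continuum code: it inspects web-server request records for the `saveInstallation.action` endpoint named above and raises an alert when the `installation.varValue` parameter carries shell metacharacters, which a legitimate installation path never contains. The request records, paths and values are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access records (method, path, url-encoded body); not real traffic.
SAMPLE_REQUESTS = [
    ("GET",  "/continuum/about.action", ""),
    ("POST", "/continuum/saveInstallation.action",
     "installation.name=jdk8&installation.varValue=%2Fusr%2Flib%2Fjvm%2Fjava-8"),
    ("POST", "/continuum/saveInstallation.action",
     "installation.name=jdk8&installation.varValue=%2Fusr%2Flib%2Fjvm%3B+echo+test"),
]

# Shell metacharacters and command substitution that never belong in an install path.
SHELL_META = re.compile(r"[;&|`$<>\n]|\$\(")

def classify(method, path, body):
    """Return 'alert' (metacharacters in installation.varValue),
    'audit' (any other installation change, worth reviewing because the
    endpoint is reachable unauthenticated), or None (unrelated request)."""
    if method != "POST" or not path.endswith("/saveInstallation.action"):
        return None
    params = parse_qs(body, keep_blank_values=True)   # decodes %xx and '+'
    values = params.get("installation.varValue", [])
    if any(SHELL_META.search(v) for v in values):
        return "alert"
    return "audit"

def scan(requests):
    """Apply classify() to each record, keeping only the hits."""
    hits = []
    for method, path, body in requests:
        verdict = classify(method, path, body)
        if verdict:
            hits.append((path, verdict))
    return hits

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_REQUESTS):
        print(f"{verdict:5s} {path}")
```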

New Detection Technique - Goopic

A new family of ransomware, Goopic, is being dropped by the Rig exploit kit. This particular ransomware is "upping the ante" by asking victims to pay $500 to get their data decrypted. Another unique attribute of this ransomware is the time it allows victims to pay; instead of the standard 24 to 72 hours, Goopic allows users 90 hours to come up with the ransom. 

We've added IDS signatures and created the following correlation rule to detect Goopic:

  • System Compromise, Ransomware infection, Goopic

Last week we also updated some rules and added new IDS signatures to improve the detection of previously known ransomware families:

  • System Compromise, Ransomware infection, RumbleCrypt
  • System Compromise, Ransomware infection, Unknown Ransomware

New Detection Technique - Malware

We've added the following correlation rules due to recent malicious activity:

  • System Compromise, Trojan infection, APT28 EK
  • System Compromise, Trojan infection, PluginDetect/Evercookie
  • System Compromise, Trojan infection, Syscan
  • System Compromise, Trojan infection, W32/Trojan.Offend
  • System Compromise, Trojan infection, Wbmoney

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit tries every attack it knows to compromise the browser and install malware on the user's machine. This is a common attack vector and a major source of infections for end users, and cybercriminals constantly change the patterns in their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Neutrino EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that lets users browse the Internet anonymously. It also provides anonymity for servers that can only be reached through the Tor network, known as hidden services. Some websites act as gateways, exposing Tor hidden services to clients on the regular Internet that are not themselves connected to Tor.

We've updated the correlation rule that detects when a system is accessing one of these gateway services. Many ransomware schemes use them to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several malware families use hidden services to communicate with a C&C server, usually through a predefined onion domain.

We've updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
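The check below is an added example covering both the Tor onion-proxy rule and the malicious .onion domain rule above; it is not the vendor's correlation logic. It scans resolver log lines and flags two things: a system asking the ordinary DNS resolver for a bare `.onion` name (which only leaks from software that is not Tor-aware, such as malware with a hard-coded onion C&C), and a lookup of `<onion-address>.onion.<gateway-domain>`, the naming convention Tor2web-style gateways use to expose a hidden service on the clearnet. The log lines, client addresses, onion address and gateway domain are all constructed; the assumption that a proxy lookup keeps the `.onion.` label in the middle of the name is the author's, and the address length check accepts both the 16-character (v2) and 56-character (v3) onion formats.

```python
import re

# Constructed BIND-style query log (no real hosts, addresses or gateways).
SAMPLE_DNS_LOG = """\
Jun 20 10:01:02 dns named[123]: client 10.0.0.5#51000: query: www.example.com IN A
Jun 20 10:01:05 dns named[123]: client 10.0.0.7#51234: query: abcdefghij234567.onion IN A
Jun 20 10:01:09 dns named[123]: client 10.0.0.9#52000: query: abcdefghij234567.onion.example-gateway.net IN A
Jun 20 10:01:11 dns named[123]: client 10.0.0.5#51001: query: onion.example.com IN A
"""

LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
# Onion addresses are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
ONION_ADDR = r"(?P<addr>[a-z2-7]{16}|[a-z2-7]{56})"
# Bare hidden-service name, optionally with subdomain labels in front.
DIRECT_RE = re.compile(rf"^(?:[\w-]+\.)*{ONION_ADDR}\.onion\.?$")
# Gateway form: the onion name kept as a subdomain of the proxy's own domain.
PROXY_RE = re.compile(rf"^(?:[\w-]+\.)*{ONION_ADDR}\.onion\.(?P<gateway>[\w.-]+\.[a-z]{{2,}})\.?$")

def classify_qname(qname):
    """Return (kind, onion_address, gateway_or_None) or None if unrelated.
    A host simply named 'onion' (onion.example.com) is not a match."""
    q = qname.lower()
    m = DIRECT_RE.match(q)
    if m:
        return ("onion_direct", m.group("addr"), None)
    m = PROXY_RE.match(q)
    if m:
        return ("onion_proxy", m.group("addr"), m.group("gateway"))
    return None

def scan(log_text):
    """Yield (client_ip, qname, kind, onion_address, gateway) for every hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify_qname(m.group("qname"))
        if verdict:
            hits.append((m.group("src"), m.group("qname"), *verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_DNS_LOG):
        print(hit)
```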

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Ursnif SSL activity

Updated Correlation Rules

We've updated the following correlation rules due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Backdoor, Bladabindi
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Trojan infection, AgentTesla
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, DiamondFox
  • System Compromise, Trojan infection, Farfli
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, IndigoRose
  • System Compromise, Trojan infection, Loadmoney
  • System Compromise, Trojan infection, Malicious Ethereum
  • System Compromise, Trojan infection, Neshta
  • System Compromise, Trojan infection, Win32.Androm