Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of March

New Detection Technique - Avtech

Multiple vulnerabilities have been found in the video surveillance products (DVRs, NVRs and IP cameras) of Avtech, one of the world's leading manufacturers of surveillance equipment. Because the products share a common codebase and lack basic security mitigations, the discovered vulnerabilities affect numerous other devices across the Avtech product line. They are already being exploited in the wild: the ARM Linux malware ELF_IMEIJ.A abuses a command injection vulnerability in the CloudSetup.cgi script, under the device's CGI directory, to download and execute itself on the device.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Avtech - Authenticated command injection vulnerability

New Detection Technique - DBLTek-GoIP Backdoor Account

Trustwave SpiderLabs recently discovered and reported an undocumented backdoor account in numerous DBLTek-branded GoIP devices. The account gives an attacker a shell with root privileges, and although the login is protected by a challenge-response scheme, that scheme is fundamentally flawed: the expected response can be computed from the challenge alone, so no secret is needed to pass it.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Backdoor Account login attempt in DBLTek-GoIP

New Detection Technique - Misdat

Research by Cylance identified Misdat as an early backdoor used by the Dust Storm group, which has been operational since early 2010. The group has used spear phishing, watering hole attacks and numerous zero-day exploits.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Misdat

New Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Access Tool (RAT) that gives the attacker control of the compromised machine. We've added IDS signatures and the following correlation rules to detect new RAT activity:

  • System Compromise, Malware RAT, Snow
  • System Compromise, Malware RAT, SpyLuk

We've also added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, PlugX
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Malware RAT, njRAT

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Locker

We also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Sage
  • System Compromise, Ransomware infection, Samsam
  • System Compromise, Ransomware infection, TorrentLocker

New Detection Techniques

We've added the following correlation rules as a result of recent malicious activity:

  • System Compromise, C&C Communication, ZLoader SSL activity
  • System Compromise, Trojan infection, Clifigcon
  • System Compromise, C&C Communication, Destover SSL activity

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to ordinary users, these kits are embedded in compromised or malicious websites by attackers. When a user browses to a page hosting an exploit kit, the kit fingerprints the browser and its plugins and attempts every exploit it has for them in order to compromise the user and install malware on the machine. This is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Astrum EK
  • Delivery & Attack, Malicious website - Exploit Kit, DNSChanger EK
  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Hunter EK
  • Delivery & Attack, Malicious website - Exploit Kit, Magnitude EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Neutrino EK
  • Delivery & Attack, Malicious website - Exploit Kit, Spartan EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Delivery & Attack, Malicious website - Exploit Kit, Terror EK
  • Delivery & Attack, Malicious website - Exploit Kit, Unknown Chinese EK
  • Delivery & Attack, Malicious website - Exploit Kit, Unknown EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the certificates that abuse.ch's SSL Blacklist identifies as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Chthonic SSL activity
  • System Compromise, C&C Communication, DustySky SSL activity
  • System Compromise, C&C Communication, Gozi SSL activity
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, Ursnif SSL activity
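The following is an added example of how certificate-based C&C detection of this kind works on the wire; it is not code from this page or from abuse.ch. It assumes the public CSV layout of the abuse.ch SSL Blacklist (Listingdate,SHA1,Listingreason, keyed by the SHA1 of the DER-encoded certificate), parses a plaintext TLS 1.2 Certificate handshake record to pull out the server's certificates, and matches their fingerprints against the list. The certificates and the blocklist entries are constructed placeholders, not real data.

```python
import hashlib

# Constructed placeholder "certificates" standing in for DER-encoded X.509 blobs.
# They are not real certificates; only their bytes and hashes matter for the example.
GOZI_C2_CERT = b"\x30\x82\x01\x20" + b"constructed-gozi-c2-certificate".ljust(288, b"\x00")
BENIGN_LEAF_CERT = b"\x30\x82\x01\x20" + b"constructed-benign-leaf-certificate".ljust(288, b"\x00")
BENIGN_CA_CERT = b"\x30\x82\x01\x20" + b"constructed-benign-ca-certificate".ljust(288, b"\x00")


def cert_fingerprint(der: bytes) -> str:
    """SSLBL keys its entries by the SHA1 of the DER certificate, so hash the same bytes."""
    return hashlib.sha1(der).hexdigest()


# Constructed blocklist in the abuse.ch SSL Blacklist CSV layout; dates and reasons are made up.
SSLBL_CSV = (
    "# abuse.ch SSL Blacklist (constructed sample, not a download)\n"
    "# Listingdate,SHA1,Listingreason\n"
    f"2017-03-13 09:41:12,{cert_fingerprint(GOZI_C2_CERT)},Gozi C&C\n"
    "2017-03-14 16:02:55,0123456789abcdef0123456789abcdef01234567,Ursnif C&C\n"
)


def parse_sslbl(csv_text: str) -> dict:
    """Return {sha1: (listing_date, reason)}, skipping comment and blank lines."""
    entries = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        listing_date, sha1, reason = line.split(",", 2)
        entries[sha1.strip().lower()] = (listing_date.strip(), reason.strip())
    return entries


def build_certificate_record(certs, version=b"\x03\x03") -> bytes:
    """Wrap DER certificates in a TLS 1.2 Certificate handshake message (type 11) inside
    one plaintext handshake record (content type 22). Used only to construct the sample."""
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    handshake_body = len(cert_list).to_bytes(3, "big") + cert_list
    handshake = b"\x0b" + len(handshake_body).to_bytes(3, "big") + handshake_body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake


def extract_certificates(record: bytes) -> list:
    """Pull every DER certificate out of a plaintext TLS handshake record.
    Walks all handshake messages in the record and reads the certificate_list of each
    Certificate message. Caveats: a Certificate message split across several records is
    not reassembled here, and in TLS 1.3 the message is encrypted, so this only works
    for TLS 1.2 and earlier."""
    if len(record) < 5 or record[0] != 0x16:
        return []
    record_len = int.from_bytes(record[3:5], "big")
    payload = record[5:5 + record_len]
    certs = []
    pos = 0
    while pos + 4 <= len(payload):
        msg_type = payload[pos]
        msg_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + msg_len]
        pos += 4 + msg_len
        if msg_type != 0x0B or len(body) < 3:
            continue
        list_len = int.from_bytes(body[:3], "big")
        cert_list = body[3:3 + list_len]
        cpos = 0
        while cpos + 3 <= len(cert_list):
            clen = int.from_bytes(cert_list[cpos:cpos + 3], "big")
            certs.append(cert_list[cpos + 3:cpos + 3 + clen])
            cpos += 3 + clen
    return certs


def match_record(record: bytes, blocklist: dict) -> list:
    """Fingerprint every certificate in the record and report blocklist hits."""
    hits = []
    for der in extract_certificates(record):
        fp = cert_fingerprint(der)
        if fp in blocklist:
            listing_date, reason = blocklist[fp]
            hits.append({"sha1": fp, "reason": reason, "listed": listing_date})
    return hits


if __name__ == "__main__":
    blocklist = parse_sslbl(SSLBL_CSV)
    c2_record = build_certificate_record([GOZI_C2_CERT, BENIGN_CA_CERT])
    for hit in match_record(c2_record, blocklist):
        print("C&C certificate seen:", hit)
```

Matching on the full certificate hash is exact but brittle: operators only need to re-issue the certificate to evade it, which is why such lists need frequent refreshing and are best paired with behavioural C&C rules like the ones listed above.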

Updated Detection Technique - Apache Struts S2-045 RCE (CVE-2017-5638)

A vulnerability exists in the Jakarta Multipart parser in Apache Struts 2 (versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1) that allows unauthenticated remote attackers to execute arbitrary commands via a specially crafted Content-Type HTTP header. When the parser fails on a malformed multipart request, the error message, which contains the attacker-supplied header value, is evaluated as an OGNL expression, and that is what turns a bad header into code execution. The vulnerability has been actively exploited since its disclosure.

We've updated the following correlation rule to detect this malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Struts S2-045 RCE (CVE-2017-5638)
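As an added example (not code from this page, the IDS ruleset or the Struts project), the detection logic below inspects raw HTTP requests for the OGNL markers that S2-045 probes carry in the Content-Type header, and applies the affected version ranges stated above to a version string. The sample requests are constructed; the second one reproduces only the opening tokens of the widely published probe, abbreviated with "...", since the recognisable tokens are all a detector needs. The indicator names are this example's own.

```python
import re

# Indicators of an S2-045 probe in the Content-Type value. The header only reaches the
# Jakarta multipart parser when it contains "multipart/form-data", which is why public
# payloads open with %{(#_='multipart/form-data')...}.
INDICATORS = [
    ("ognl_expression_start", re.compile(r"%\{")),
    ("member_access_override", re.compile(r"#_memberAccess", re.IGNORECASE)),
    ("ognl_context_reference", re.compile(r"@ognl\.OgnlContext@", re.IGNORECASE)),
    ("process_builder", re.compile(r"java\.lang\.ProcessBuilder", re.IGNORECASE)),
    ("ognl_assignment", re.compile(r"\(#[A-Za-z_]\w*\s*=")),
]

# Constructed sample requests (not captured traffic). Only the second is malicious.
SAMPLE_REQUESTS = [
    "POST /struts2-showcase/index.action HTTP/1.1\r\n"
    "Host: app.example.internal\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundaryA1B2C3\r\n"
    "Content-Length: 312\r\n"
    "\r\n",
    "POST /struts2-showcase/index.action HTTP/1.1\r\n"
    "Host: app.example.internal\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess?(#_memberAccess=#dm):...)."
    "(#cmd='id').(#p=new java.lang.ProcessBuilder(...))}\r\n"
    "Content-Length: 0\r\n"
    "\r\n",
    "GET /struts2-showcase/index.action HTTP/1.1\r\n"
    "Host: app.example.internal\r\n"
    "Accept: text/html\r\n"
    "\r\n",
]


def parse_request(raw: str):
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw: str) -> dict:
    """Flag a request whose Content-Type looks like an S2-045 OGNL injection."""
    request_line, headers = parse_request(raw)
    content_type = headers.get("content-type", "")
    hits = [name for name, pattern in INDICATORS if pattern.search(content_type)]
    return {
        "request": request_line,
        # True when the value would be handed to the multipart parser at all
        "reaches_multipart_parser": "multipart/form-data" in content_type.lower(),
        "indicators": hits,
        "suspicious": bool(hits),
    }


def scan(requests) -> list:
    """Run the check over a batch of raw requests and keep only suspicious findings."""
    return [r for r in (inspect_request(x) for x in requests) if r["suspicious"]]


def struts_version_is_vulnerable(version: str) -> bool:
    """Apply the ranges given in the advisory text above: 2.3.x before 2.3.32 and
    2.5.x before 2.5.10.1. Non-numeric suffixes in the version string are ignored."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if parts[:2] == (2, 3):
        return parts < (2, 3, 32)
    if parts[:2] == (2, 5):
        return parts < (2, 5, 10, 1)
    return False


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["request"], finding["indicators"])
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(v, "vulnerable" if struts_version_is_vulnerable(v) else "fixed")
```

Header-based matching catches the probes seen in the wild, but the real fix is the upgrade: any 2.3.x below 2.3.32 or 2.5.x below 2.5.10.1 evaluates the header regardless of how the attacker spells the expression.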

Updated Detection Technique - StoneDrill

StoneDrill is a newly discovered wiper closely related to the notorious Shamoon malware, which devastated a Saudi Arabian company in 2012 by wiping over 35,000 computers; Shamoon itself resurfaced in late 2016 as Shamoon 2.0, which also carries a functional ransomware module. While StoneDrill shares Shamoon's destructive behaviour, it uses new tools and evasion techniques, notably injecting itself into the memory of the victim's browser instead of loading a disk driver, and includes backdoor functionality alongside the wiper.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, StoneDrill

Updated Detection Technique - DustySky

DustySky is composed of multiple pieces: a dropper, a keylogger and a backdoor. It attempts to avoid running in a virtual machine and checks for the presence of anti-virus software. DustySky is known to be used by the Molerats attacker group (also tracked as the Gaza Cybergang).

We added IDS signatures and updated correlation rules to detect DustySky activity:

  • System Compromise, Trojan infection, DustySky

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • System Compromise, Hacking tool, PHP Shell C99
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Soraya
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Trojan infection, Generic PowerShell
  • System Compromise, Trojan infection, Gozi
  • System Compromise, Trojan infection, Hiloti
  • System Compromise, Trojan infection, MSIL/Injector.MHV
  • System Compromise, Trojan infection, SpyBanker
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Unknown PowerShell
  • System Compromise, Trojan infection, Unknown trojan

Note: This week we also performed some optimization of the ruleset, which resulted in 706 correlation rules being updated.