Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of June 2017

New Detection Technique - BeEF

BeEF, Browser Exploitation Framework, is a penetration testing tool that focuses on the web browser. BeEF will hooks one or more web browsers and use them as jump boxes for launching directed command modules and further attacks against the system from within the browser context.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Environmental Awareness, Hacking tool, BeEF Tool

New Detection Technique - HP Printer RCE Attempt

A remote code execution vulnerability exists in certain HP printers. This vulnerability is due to the way PJL, Printer Job Language, is interpreted by the printers, specially crafted packets can lead to an attacker being able to gain code execution. 

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, HP Printer RCE Attempt

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, KaroCrypt
  • System Compromise, Ransomware infection, Erebus

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Mole

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Magnitude EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - FF-Rat

FF-Rat is a proxy aware RAT that has been targeting a number of different industries such as aerospace, telecommunications, and government for at least the last 5 years. 

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, FF-RAT

Updated Detection Technique - Pegasus

Pegasus is a sophisticated piece of mobile malware developed and sold by a secretive Israeli surveillance technology company called the NSO Group. This malware exploits three different vulnerabilities (CVE-2016-4655, CVE-2016-4656 and CVE-2016-4657) in Apple's iOS to gain a foothold on the target's device. Depending on which modules were purchased, upon installation the malware has access to everything from messages and calls to Facebook and Gmail, along with everything in between.

We've added IDS signatures and updated the following correlation rule to detect Pegasus activity:

  • System Compromise, Trojan infection, Pegasus

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Outlook Remote Code Execution Vulnerability Inbound (CVE-2017-0199)
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, Adload
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Dinwod
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, MSIL/IRCBot
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Ursniff
  • System Compromise, Trojan infection, x0Proto