Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of October 2017

New Detection Technique - Apache Solr/Lucene CVE-2017-12629 RCE Exploit Attempt

An arbitrary remote code execution vulnerability exists in Apache Solr due to a bug in how the "RunExecutableListener" class handles update requests. An HTTP request to the Solr Config API can register the listener using the 'add-listener' command, and the listener then executes arbitrary shell commands when the "postCommit" event is fired.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Solr/Lucene CVE-2017-12629 RCE Exploit Attempt
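As an added example (not part of the original update and not one of AlienVault's own signatures or rules), the following Python script shows the kind of check a detection engineer might run over logged Solr HTTP traffic: it flags Config API requests whose add-listener (or update-listener) command registers the RunExecutableListener class, and reports the event the listener is bound to. The request records are constructed for the example; the Config API path pattern and the inclusion of update-listener as a second listener-setting command are assumptions for illustration.

```python
import json
import re

# Constructed sample request records (not from the original page), shaped like
# what a reverse proxy or WAF log would hold for traffic to a Solr node.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/solr/demo/update",
     "body": '{"add": {"doc": {"id": "1", "title": "hello"}}}'},
    {"method": "POST", "path": "/solr/demo/config",
     "body": '{"add-listener": {"event": "postCommit", "name": "evil",'
             ' "class": "solr.RunExecutableListener"}}'},
    {"method": "GET", "path": "/solr/demo/select?q=*:*", "body": ""},
    {"method": "POST", "path": "/solr/demo/config",
     "body": '{"add-listener": {"event": "postCommit", "name": "audit",'
             ' "class": "com.example.AuditListener"}}'},
    {"method": "POST", "path": "/solr/demo/config", "body": "not json"},
]

# Assumed Config API endpoint shape: /solr/<core or collection>/config,
# optionally followed by a sub-path or query string.
CONFIG_API_PATH = re.compile(r"^/solr/[^/]+/config(?:$|[/?])")
# Config API commands that set a listener's class (update-listener is an assumption).
LISTENER_COMMANDS = ("add-listener", "update-listener")
# Listener implementations that run an external program when an event fires;
# matched as a substring so both "solr.X" and fully qualified names are caught.
DANGEROUS_LISTENER_CLASSES = ("RunExecutableListener",)


def classify_request(req):
    """Return alert reasons for one request; an empty list means nothing matched."""
    reasons = []
    if req.get("method") != "POST" or not CONFIG_API_PATH.match(req.get("path", "")):
        return reasons
    try:
        commands = json.loads(req.get("body") or "")
    except ValueError:
        return reasons  # non-JSON bodies are rejected by the Config API anyway
    if not isinstance(commands, dict):
        return reasons
    for cmd in LISTENER_COMMANDS:
        spec = commands.get(cmd)
        if not isinstance(spec, dict):
            continue
        cls = str(spec.get("class", ""))
        if any(marker in cls for marker in DANGEROUS_LISTENER_CLASSES):
            reasons.append(
                f"{cmd} registers listener class {cls} for event {spec.get('event', '<unset>')}"
            )
    return reasons


def scan_requests(requests):
    """Return (index, reasons) for every request that triggers at least one reason."""
    hits = []
    for i, req in enumerate(requests):
        reasons = classify_request(req)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT request #{idx}: " + "; ".join(why))
```

On the constructed sample the script alerts only on request #1, the Config API call that binds RunExecutableListener to postCommit; the benign listener registration and the ordinary update request stay quiet. Detection of this kind complements, rather than replaces, keeping the Config API off untrusted networks and applying the vendor's fix.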

New Detection Technique - HKDoor

Cylance recently discovered a RAT that resembles “Hacker’s Door,” a Chinese backdoor that has been around since 2004. The RAT consists of a backdoor and rootkit component, and it provides typical RAT functionality such as gathering system information, opening Telnet and RDP servers, etc. The RAT sample analyzed by the Cylance team was signed with a stolen certificate that is known to be used by the Winnti APT group.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, HKDoor

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Anubi
  • System Compromise, Ransomware infection, Magniber

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Unknown Ransomware

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Backdoor, Orz JavaScript
  • System Compromise, Trojan infection, CoinStealer
  • System Compromise, Trojan infection, Nkdoor
  • System Compromise, Trojan infection, Orion Logger
  • System Compromise, Trojan infection, Phandoor
  • System Compromise, Trojan infection, PSHELL Downloader
  • System Compromise, Trojan infection, Trojan.JS.Agent.dwz

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, Trojan infection, Browser Coinminer SSL Activity

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As AlienVault's Jaime Blasco described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Suspicious Behaviour, Suspicious user-agent detected
  • System Compromise, Trojan infection, Browser Coinminer
  • System Compromise, Trojan infection, MSIL/CoalaBot
  • System Compromise, Trojan infection, NoBo
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Winnti