Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of September 2017

New Detection Technique - Apache OptionsBleed (CVE-2017-9798)

OptionsBleed is a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets. The vulnerability is triggered by sending HTTP OPTIONS requests to an affected server. OPTIONS is the HTTP method that lets a client ask which HTTP methods the server supports.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache OptionsBleed (CVE-2017-9798)
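As an added example that is not part of the original update, the kind of detection logic a SOC engineer might run over parsed web-server or proxy records to spot OptionsBleed symptoms: it goes slightly beyond the text by flagging both a corrupted Allow header in an OPTIONS response and a burst of OPTIONS requests from one client. The record shape, the KNOWN_METHODS list and the burst threshold are assumptions, and the sample records are constructed.

```python
import re
from collections import Counter

# RFC 7230 "token" characters: every entry of a well-formed Allow header is one of these.
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# Methods a healthy Apache normally advertises (assumption: extend for your own modules).
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH",
                 "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def allow_header_findings(allow_value):
    """Return (reason, detail) pairs for an Allow header that looks corrupted.
    OptionsBleed leaks heap bytes, non-method strings, repeats and empty entries here."""
    findings = []
    entries = [e.strip() for e in allow_value.split(",")]
    for token in entries:
        if not token:
            continue
        if not TOKEN_RE.match(token):
            findings.append(("non-token bytes", token))  # binary garbage, not a method
        elif token.upper() not in KNOWN_METHODS:
            findings.append(("unknown method", token))   # leaked text that parsed as a token
    dups = [t for t, n in Counter(e for e in entries if e).items() if n > 1]
    if entries.count("") > 1 or dups:
        findings.append(("malformed list", allow_value))  # ",,HEAD,,HEAD" style damage
    return findings

def scan_options_responses(records, burst_threshold=20):
    """Alert on OPTIONS responses whose Allow header looks corrupted, and on clients that
    send an unusual number of OPTIONS requests. records: dicts with 'src', 'method' and
    'allow' (assumed shape of a parsed proxy or web server log; adapt to your format)."""
    alerts, per_client = [], Counter()
    for rec in records:
        if rec.get("method") != "OPTIONS":
            continue
        per_client[rec["src"]] += 1
        for reason, detail in allow_header_findings(rec.get("allow", "")):
            alerts.append((rec["src"], reason, detail))
    for src, n in per_client.items():
        if n >= burst_threshold:
            alerts.append((src, "OPTIONS burst", str(n)))
    return alerts

# Constructed sample records: one clean reply, one with leaked bytes, one non-OPTIONS line.
SAMPLE = [
    {"src": "10.0.0.5", "method": "OPTIONS", "allow": "GET,HEAD,POST,OPTIONS"},
    {"src": "10.0.0.9", "method": "OPTIONS", "allow": "GET,HEAD,OPTIONS,,HEAD,,HEAD,POST,\x00\x7fKEEP"},
    {"src": "10.0.0.9", "method": "GET", "allow": ""},
]
```

Running scan_options_responses(SAMPLE) returns two alerts for 10.0.0.9 (non-token bytes and a malformed list) and nothing for the clean reply.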

New Detection Technique - CCleaner

CCleaner is an application that allows users to perform routine maintenance on their systems, including cleaning of temporary files. The installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers, had been trojanized with a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Backdoor, CCleaner

New Detection Technique - TURNEDUP

TURNEDUP is a backdoor used by APT33, an attack group that has carried out cyber espionage operations and appears to work for the Iranian government. TURNEDUP is capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Backdoor, TURNEDUP

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, W32.Princess

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Generic Ransomware

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Malicious website - Exploit Kit, GrandSoft EK
  • System Compromise, Trojan infection, Lucifer
  • System Compromise, Trojan infection, MSIL.GuFran
  • System Compromise, Trojan infection, Trickbot

Updated Detection Technique - .NET SOAP Code Injection (CVE-2017-8759)

CVE-2017-8759 is a vulnerability in the Microsoft .NET Framework (versions 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7) that allows an attacker to execute code remotely via a malicious document or application.

We've updated IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, .NET SOAP Code Injection (CVE-2017-8759)

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The following updated correlation rule uses this information to detect command and control (C&C) communications related to several malware families:

  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Emotet
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, Bancos
  • System Compromise, Trojan infection, Generic Python malware