Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of December 2016

Emerging Threat - CVE-2016-10033

CVE-2016-10033 is a vulnerability that affects PHPMailer, one of the more popular PHP libraries for sending email. PHPMailer can be found in various open source projects such as SugarCRM, WordPress, Drupal and many others. CVE-2016-10033 enables unauthenticated remote attackers to achieve remote code execution on a web server running PHPMailer, which can lead to the compromise of the web server in question. 

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, CVE-2016-10033 PHPMailer RCE Attempt

New Detection Technique - DeriaLock

DeriaLock is a new ransomware family with two kinds of variants: some simply lock the victim's screen, others encrypt the victim's files. When the screen locker variant is executed, it displays a full screen window demanding $30 USD to unlock the computer. The screen locker variant also kills various processes (such as taskmgr, msconfig, cmd, etc.) in order to keep control of the victim's screen. The file encryption variant encrypts files and appends the .deria extension to their names.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, DeriaLock

New Detection Technique - Ransomware

In the past week, we have seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rule to detect multiple new ransomware families:

  • System Compromise, Ransomware infection, Nucklear

Last week, we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Filecoder
  • System Compromise, Ransomware infection, HydraCrypt
  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Unknown Ransomware
  • System Compromise, Ransomware infection, Cryptolocker
  • System Compromise, Ransomware infection, TowerWeb
  • System Compromise, Ransomware infection, Deshacop

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Vreikstad

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit tries every attack method it knows in order to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns used within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
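To illustrate how a certificate blocklist of this kind is applied to observed TLS sessions, here is an added example (not AlienVault's rule logic or the Abuse.ch tooling). It assumes a blocklist in the abuse.ch SSLBL CSV layout and sensor events in the style of Suricata EVE "tls" records; both samples and all fingerprints are constructed placeholders.

```python
import json

# Constructed sample in the abuse.ch SSLBL CSV layout (Listingdate,SHA1,Listingreason);
# the SHA1 values are placeholders, not real certificate fingerprints.
SSLBL_CSV = """\
# abuse.ch SSLBL SSL Certificate Blacklist (constructed sample)
# Listingdate,SHA1,Listingreason
2016-12-19 09:12:03,0000000000000000000000000000000000000001,Gootkit C&C
2016-12-20 14:37:45,0000000000000000000000000000000000000002,Dridex C&C
"""

# Constructed TLS session records in the style of Suricata EVE "tls" events (assumption).
TLS_EVENTS = """\
{"timestamp":"2016-12-22T10:01:11","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443,"tls":{"sni":"cdn.example","fingerprint":"00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01"}}
{"timestamp":"2016-12-22T10:02:40","src_ip":"10.0.0.9","dest_ip":"198.51.100.3","dest_port":443,"tls":{"sni":"www.example.org","fingerprint":"0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D"}}
{"timestamp":"2016-12-22T10:03:02","src_ip":"10.0.0.9","dest_ip":"198.51.100.4","dest_port":443,"tls":{"sni":"nocert.example"}}
"""

def load_sslbl(csv_text: str) -> dict:
    """Parse SSLBL CSV into {sha1_lowercase: listing_reason}, skipping comment lines."""
    blocklist = {}
    for line in csv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _listed, sha1, reason = line.split(",", 2)   # reason may itself contain commas
        blocklist[sha1.strip().lower()] = reason.strip()
    return blocklist

def normalize_fingerprint(fp: str) -> str:
    """Sensors print SHA1 as colon-separated bytes; SSLBL uses bare lowercase hex."""
    return fp.replace(":", "").strip().lower()

def match_tls_events(events_text: str, blocklist: dict) -> list:
    """Return one alert per TLS session whose server certificate SHA1 is blocklisted."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        fp = event.get("tls", {}).get("fingerprint")
        if not fp:               # session with no captured certificate: nothing to match
            continue
        reason = blocklist.get(normalize_fingerprint(fp))
        if reason:
            alerts.append({
                "rule": "System Compromise, C&C Communication, Known malicious SSL certificate",
                "ts": event["timestamp"], "src": event["src_ip"], "dst": event["dest_ip"],
                "sni": event["tls"].get("sni"), "sha1": normalize_fingerprint(fp),
                "reason": reason,
            })
    return alerts
```

Running `match_tls_events(TLS_EVENTS, load_sslbl(SSLBL_CSV))` on the constructed data yields a single alert for the Gootkit-listed certificate; the unlisted certificate and the session without a fingerprint produce nothing.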

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor named APT28. APT28 continues to be active today. As described in a blog post, "we have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rules to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity
  • System Compromise, C&C Communication, APT28 SSL activity

Updated Detection Technique - Dreambot

Dreambot is one of the most active variants of the Ursnif trojan. This variant sets itself apart from the others by introducing Tor and P2P communication functionality. Dreambot is currently being spread through a variety of means including, but not limited to, exploit kits, malicious links, and email attachments.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, C&C Communication, Dreambot

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Reconnaissance & Probing, Web vulnerability scanning, Acunetix
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Targeted Malware, NetTraveler
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Chthonic
  • System Compromise, Malware infection, Denisca
  • System Compromise, Trojan infection, Bunitu
  • System Compromise, Trojan infection, Terdot
  • Delivery & Attack, Malicious website, Phishing activity