Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of January.

New Detection Technique - Chrome WebEx Extension RCE Attempt

A vulnerability discovered in the Cisco WebEx browser extension could potentially allow an unauthenticated remote attacker to execute commands on the affected system.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Chrome WebEx Extension RCE Attempt

New Detection Technique - Microsoft RDP Client for Mac RCE

A vulnerability in Microsoft Remote Desktop for Mac allows a remote attacker to potentially execute commands on a victim's machine. While user interaction is needed to exploit this vulnerability successfully, a link sent via email is enough to trigger the exploit, because Mac OS X by default opens RDP URLs with no confirmation.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft RDP Client for Mac RCE

New Detection Technique - Greenbug Ismdoor

The Greenbug cyberespionage group was discovered by Symantec while investigating reports of a new attack in the Middle East targeting various companies in the government, aviation, investment, and energy sectors. The group uses a custom Remote Access Trojan (RAT) known as Ismdoor as well as additional hacking tools to steal sensitive credentials from the compromised organizations.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, Greenbug Ismdoor

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Go
  • System Compromise, Ransomware infection, Sage
  • System Compromise, Ransomware infection, Satan

Last week, we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Cry
  • System Compromise, Ransomware infection, SDLocker

New Detection Techniques

We've added the following correlation rules as a result of recent malicious activity:

  • Reconnaissance & Probing, Service discovery, MS Terminal Server traffic on Non-standard Port
  • System Compromise, Trojan infection, Agent APJC
  • System Compromise, Trojan infection, ChChes
  • System Compromise, Trojan infection, Gorynych
  • System Compromise, Trojan infection, Linux.Rex
  • System Compromise, Trojan infection, PowerOrtni
  • System Compromise, Trojan infection, Quimitchin
  • System Compromise, Trojan infection, Win32/Barlaiy

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, Ursnif SSL activity
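As an added illustration (not the vendor's correlation rule or Abuse.ch's own code) of how a certificate blacklist like this is matched against observed TLS handshakes, the following Python parses an SSLBL-style CSV (Listingdate,SHA1,Listingreason) and flags connections whose server certificate fingerprint is listed; all fingerprints and connection records are constructed sample values.

```python
"""Match observed TLS certificate fingerprints against an Abuse.ch
SSL Blacklist (SSLBL)-style feed. Added example; the feed rows and
connection records below are constructed, not real indicators."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed feed in the SSLBL CSV layout (comment lines start with '#').
SSLBL_CSV = """\
# Listingdate,SHA1,Listingreason
2017-01-23 09:12:44,0123456789abcdef0123456789abcdef01234567,Gootkit C&C
2017-01-24 15:30:01,89abcdef0123456789abcdef0123456789abcdef,Ursnif C&C
2017-01-25 11:03:51,fedcba9876543210fedcba9876543210fedcba98,Panda Banker C&C
"""

# Constructed connection records as a sensor might log a TLS handshake:
# (src_ip, dst_ip, dst_port, server certificate SHA1 fingerprint).
TLS_LOG = [
    ("10.0.0.5", "203.0.113.10", 443, "0123456789ABCDEF0123456789ABCDEF01234567"),
    ("10.0.0.7", "198.51.100.20", 443, "aaaabbbbccccddddeeeeffff0000111122223333"),
    ("10.0.0.9", "192.0.2.30", 8443, "fedcba9876543210fedcba9876543210fedcba98"),
]

HEX = set("0123456789abcdef")


def load_sslbl(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse the feed into {sha1 (lowercase): (listing_date, reason)},
    skipping comments, blank lines and malformed rows."""
    table: Dict[str, Tuple[str, str]] = {}
    rows = csv.reader(line for line in io.StringIO(text) if not line.startswith("#"))
    for row in rows:
        if len(row) != 3:
            continue
        date, sha1, reason = (field.strip() for field in row)
        sha1 = sha1.lower()
        if len(sha1) == 40 and set(sha1) <= HEX:
            table[sha1] = (date, reason)
    return table


def match_certificates(log, blacklist: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return one alert per connection whose server certificate is listed.
    Fingerprints are compared case-insensitively, as sensors differ in casing."""
    alerts = []
    for src, dst, port, sha1 in log:
        hit = blacklist.get(sha1.lower())
        if hit is not None:
            date, reason = hit
            alerts.append({"src": src, "dst": dst, "port": port,
                           "sha1": sha1.lower(), "reason": reason, "listed": date})
    return alerts
```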

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity

  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Targeted Malware, ZeroT
  • System Compromise, Trojan infection, Banbra
  • System Compromise, Trojan infection, Carbanak
  • System Compromise, Trojan infection, Rerdom
  • System Compromise, Trojan infection, Sality
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Win32.Androm
  • System Compromise, Trojan infection, Zeus