Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of July 2016
New Detection Technique - Centreon 2.5.3 Web Useralias RCE
Centreon is a popular open-source monitoring solution. The Centreon Web Interface, version 2.5.3 and earlier, uses an insecure function to log SQL errors. This functionality can be abused for remote code execution via the login screen, prior to user authentication.
We've added IDS signatures and created the following correlation rule to detect this activity:
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, Centreon 2.5.3 Web Useralias RCE
New Detection Technique - LastPass RCE
LastPass is a popular and widely used password manager. A vulnerability was found in LastPass that would enable attackers to remotely execute arbitrary commands on the victim's system, which could potentially expose the entire password database.
We've added IDS signatures and created the following correlation rule to detect this activity:
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, LastPass RCE
New Detection Technique - R980
At first glance R980 seems like a typical piece of ransomware, but upon closer inspection it is closer to "scareware" than proper "ransomware". Instead of encrypting a victim's files, R980 fills the victim's desktop with randomly named trash files, changes the victim's desktop image, and drops a ransom note.
We've added IDS signatures and created the following correlation rule to detect this activity:
- System Compromise, Ransomware infection, R980
New Detection Technique - Malware
We've added the following correlation rules due to recent malicious activity:
- System Compromise, Trojan infection, ARIK Keylogger
- System Compromise, Trojan infection, Agentb.jwp
- System Compromise, Trojan infection, Moker
Updated Detection Technique - Exploit Kits
Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.
We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:
- Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
- Exploitation & Installation, Malicious website - Exploit Kit, KaiXin
- Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK
Updated Detection Technique - Remote Access Tools
The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.
We've added IDS signatures and updated correlation rules to detect the following RAT activity:
- System Compromise, Malware RAT, Poison Ivy
- System Compromise, Malware RAT, njRAT
Updated Detection Technique - Malware SSL Certificates
We've added new IDS signatures which include certificates identified by Abuse.ch associated with botnet activities. The updated correlation rules use this information to detect C&C communications related to several malware families including:
- System Compromise, C&C Communication, Ursnif SSL activity
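The rule family above keys on certificate fingerprints rather than on IP addresses or domains, because a C&C certificate tends to be reused across hosting changes. The following is an added example, not AlienVault's correlation logic or abuse.ch's code: it loads a blocklist in the spirit of the abuse.ch SSL blacklist CSV (listing date, SHA1 fingerprint, listing reason) and matches it against a TLS connection log. The log format, both fingerprints and the blocklist entries are constructed for illustration.

```python
"""Match TLS certificate fingerprints seen on the wire against a blocklist.

Added example, not AlienVault's or abuse.ch's code.  The log format and all
fingerprints below are constructed; a real deployment would feed the
abuse.ch SSL blacklist CSV and the sensor's TLS log instead.
"""
import csv
from dataclasses import dataclass

# Constructed blocklist, modelled on the abuse.ch CSV layout:
# Listingdate,SHA1,Listingreason.  Neither fingerprint is a real IoC.
BLOCKLIST_CSV = """\
# Listingdate,SHA1,Listingreason
2016-07-20 10:00:00,0123456789abcdef0123456789abcdef01234567,Ursnif C&C
2016-07-21 11:30:00,89abcdef0123456789abcdef0123456789abcdef,Example botnet C&C
"""

# Constructed TLS connection log: client IP, server:port, certificate SHA1, SNI.
# The first fingerprint is deliberately upper-case to show the normalisation step.
TLS_LOG = """\
10.0.0.5 203.0.113.10:443 0123456789ABCDEF0123456789ABCDEF01234567 update-check.example
10.0.0.7 198.51.100.20:443 ffffffffffffffffffffffffffffffffffffffff www.example.org
10.0.0.9 203.0.113.44:8443 89abcdef0123456789abcdef0123456789abcdef -
"""


@dataclass(frozen=True)
class Alert:
    client: str
    server: str
    sha1: str
    reason: str


def load_blocklist(text):
    """Return {sha1_lowercase: listing_reason}, skipping comment lines."""
    rows = csv.reader(
        line for line in text.splitlines() if line and not line.startswith("#")
    )
    return {sha1.strip().lower(): reason.strip() for _date, sha1, reason in rows}


def match_tls_log(log_text, blocklist):
    """Return one Alert per TLS connection whose server certificate is listed."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        client, server, sha1, _sni = parts
        sha1 = sha1.lower()  # hex fingerprints are case-insensitive
        if sha1 in blocklist:
            alerts.append(Alert(client, server, sha1, blocklist[sha1]))
    return alerts


if __name__ == "__main__":
    for alert in match_tls_log(TLS_LOG, load_blocklist(BLOCKLIST_CSV)):
        print(f"{alert.client} -> {alert.server}: {alert.reason} ({alert.sha1})")
```

Matching on the fingerprint also means the SNI field is irrelevant to the verdict; the third log line carries no SNI at all and is still caught.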
Updated Detection Technique - Tor Onion Proxy
Tor is an open network that allows users to browse the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network; these are called hidden services. Some websites allow access to Tor hidden services from the regular Internet without being inside the Tor network.
We've updated the correlation rule that will detect when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.
- Environmental Awareness, Anonymous channel, Tor Onion Proxy
Updated Detection Technique - Malicious TOR .onion domain
.onion is a top level domain suffix that is used for hidden services inside the Tor network. Several families of malware use hidden services as a mechanism to communicate with a C&C server and usually use a predefined onion domain.
We've updated a correlation rule that groups different IDS signatures that detect when a system is trying to resolve a malicious onion domain:
- System Compromise, Malware infection, Malicious TOR .onion domain
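Both the Tor Onion Proxy rule and the malicious .onion domain rule reduce to inspecting the names a host asks its resolver for. A Tor-aware client never hands a .onion name to the system resolver, so a .onion query in DNS logs indicates a client that is either misconfigured or malware trying to reach a hidden service; a query for a hostname under a clearnet gateway suffix indicates a hidden service being reached through one of the proxy websites described above. The following is an added example, not the bulletin's IDS signatures or correlation rules: it classifies constructed DNS log lines into those three findings. The gateway suffix list is an assumption about which public gateways an organisation chooses to watch, and the malicious onion name is a placeholder, not a real indicator.

```python
"""Classify DNS queries for .onion names and Tor2web-style gateway hostnames.

Added example, not part of the original bulletin or its rules.  The log
lines and the malicious-domain entry are constructed; GATEWAY_SUFFIXES is an
assumed watch list, not an authoritative set of gateways.
"""
from collections import namedtuple

# Assumed gateway suffixes: a query for <hiddenservice>.onion.to reaches a
# hidden service via a clearnet proxy instead of via the Tor network.
GATEWAY_SUFFIXES = (".onion.to", ".onion.link", ".onion.cab", ".tor2web.org")

# Placeholder onion name standing in for a C&C indicator a rule would carry.
MALICIOUS_ONIONS = {"placeholderc2exa.onion"}  # constructed, not a real IoC

Finding = namedtuple("Finding", "timestamp src qname category")

# Constructed resolver log: timestamp, source IP, query type, queried name.
DNS_LOG = """\
2016-07-25T09:00:01Z 10.1.1.20 A www.example.org.
2016-07-25T09:00:05Z 10.1.1.21 A placeholderc2exa.onion
2016-07-25T09:00:09Z 10.1.1.22 A abcdefghijklmnop.onion.to
2016-07-25T09:00:12Z 10.1.1.23 A abcdefghijklmnop.onion.
2016-07-25T09:00:15Z 10.1.1.24 AAAA mail.example.org
"""


def normalise(qname):
    """Lower-case the name and drop the trailing root dot some resolvers log."""
    return qname.strip().lower().rstrip(".")


def classify(qname):
    """Return a finding category for one queried name, or None if benign."""
    name = normalise(qname)
    if name in MALICIOUS_ONIONS:
        return "malicious_onion"       # maps to the Malware infection rule
    if name.endswith(".onion"):
        return "onion_resolution"      # .onion leaked to the system resolver
    if name.endswith(GATEWAY_SUFFIXES):
        return "onion_gateway"         # maps to the Tor Onion Proxy rule
    return None


def scan_dns_log(log_text):
    """Run classify() over each log line and collect the non-benign results."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; skip rather than abort the scan
        timestamp, src, _qtype, qname = parts
        category = classify(qname)
        if category is not None:
            findings.append(Finding(timestamp, src, normalise(qname), category))
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(DNS_LOG):
        print(f"{f.timestamp} {f.src} {f.category}: {f.qname}")
```

The order of the checks matters: a name on the malicious list is reported as such even though it also ends in .onion, so the higher-severity category wins when both apply.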
Updated Detection Technique - Ransomware
Last week we added IDS signatures and updated correlation rules to detect several ransomware families:
- System Compromise, Ransomware infection, Cerber
- System Compromise, Ransomware infection, Pottieq
Updated Correlation Rules
We've updated the following correlation rules due to recent malicious activity:
- Delivery & Attack, Malicious website, Phishing activity
- Delivery & Attack, Malicious website, VBScript Exploit
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
- System Compromise, Malware RAT, Poison Ivy
- System Compromise, Malware RAT, Unknown RAT
- System Compromise, Malware infection, CoinMiner
- System Compromise, Malware infection, Ursnif
- System Compromise, Malware infection, Zbot
- System Compromise, Targeted Malware, Patchwork
- System Compromise, Targeted Malware, SEDNIT
- System Compromise, Trojan infection, Bagsu
- System Compromise, Trojan infection, Generic trojan dropper
- System Compromise, Trojan infection, Loadmoney
- System Compromise, Trojan infection, OnionDog
- System Compromise, Trojan infection, Sefnit
- System Compromise, Trojan infection, SpyBanker
- System Compromise, Trojan infection, Steam password stealer
- System Compromise, Trojan infection, Swizzor