Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of May 2018

New Detection Technique - DHCP WPAD option Command Injection (CVE-2018-1111)

A new vulnerability was disclosed in late May in the DHCP client packages of Red Hat Enterprise Linux systems (CVE-2018-1111), specifically in the NetworkManager integration script. The exploit leverages the WPAD option served by a malicious DHCP server, embedding the command to be executed in the option's value. The proof of concept fits in a single tweet (https://twitter.com/Barknkilic/status/996470756283486209).

Red Hat has already addressed the vulnerability and encourages customers to update their systems.

We've added IDS signatures and the following correlation rule to detect this activity: 

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, DHCP Client Script WPAD option OS Command Injection (CVE-2018-1111)
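The detection above looks for the payload shape described in the previous paragraph: a DHCP option 252 (WPAD) value that is not a plain proxy-autoconfig URL but carries shell metacharacters. The following Python is an added illustration of that check, not the IDS signature or correlation rule shipped in this update, and the DHCP packets it parses are constructed samples rather than captured traffic.

```python
"""Added example: flag DHCP option 252 (WPAD) values carrying shell
metacharacters, the payload shape used against CVE-2018-1111.
The sample option blobs below are constructed, not captured."""
import re
from typing import Dict

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the option area
OPT_MSG_TYPE = 53
OPT_WPAD = 252
OPT_END = 255
OPT_PAD = 0

# A proxy-autoconfig URL never legitimately contains whitespace, quotes,
# command separators or expansion characters; their presence in option 252
# is the signal worth alerting on.
SHELL_META = re.compile(r"[\s'\"`;&|$(){}<>\\]")


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a DHCP message (the bytes that follow the
    236-byte fixed header). Raises ValueError on a missing cookie or a
    truncated option rather than silently returning partial data."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def build_options(opts: Dict[int, bytes]) -> bytes:
    """Assemble an option area from a code->value map (used to build samples)."""
    out = bytearray(DHCP_MAGIC)
    for code, value in opts.items():
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def wpad_verdict(payload: bytes) -> str:
    """Return 'no-wpad', 'benign' or 'suspicious' for one DHCP option area."""
    opts = parse_dhcp_options(payload)
    if OPT_WPAD not in opts:
        return "no-wpad"
    text = opts[OPT_WPAD].decode("latin-1").rstrip("\x00")
    return "suspicious" if SHELL_META.search(text) else "benign"


# Constructed samples: a DHCPOFFER (type 2) with a normal WPAD URL, and one
# whose WPAD value breaks out of the URL with a quote and a command separator.
BENIGN_OFFER = build_options({
    OPT_MSG_TYPE: b"\x02",
    OPT_WPAD: b"http://wpad.corp.example/wpad.dat",
})
SUSPICIOUS_OFFER = build_options({
    OPT_MSG_TYPE: b"\x02",
    OPT_WPAD: b"http://wpad.corp.example/wpad.dat'; echo constructed-sample #",
})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_OFFER), ("suspicious", SUSPICIOUS_OFFER)):
        print(name, "->", wpad_verdict(blob))
```

In practice the check runs over DHCP replies from UDP port 67, and a hit is worth correlating with the source MAC of the offering server, since a rogue DHCP server on the segment is the precondition for this attack.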

New Detection Technique - mySCADA myPRO v7 Exploits (CVE-2017-11517) and (CVE-2018-11311)

mySCADA myPRO, which enables the visualization and control of industrial processes, had two vulnerabilities addressed during the past week:

  • CVE-2017-11517: Allows an attacker to enumerate the projects present on the system by brute force and subsequently attempt to access them.
  • CVE-2018-11311: A hardcoded FTP username and password, which allow access with the default credentials even after they have been changed.

We've added IDS signatures and the following correlation rule to detect this activity: 

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, mySCADA myPRO v7 Exploit (CVE-2017-11517) and (CVE-2018-11311)

New Detection Techniques - Mobile Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Mobile trojan infection, Android/TeleRAT
  • System Compromise, Mobile trojan infection, Trojan.AndroidOS.WitchCat

New Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, APT10 MenuPass
  • System Compromise, Trojan infection, Avkill Variant
  • System Compromise, Trojan infection, MSIL/FakeZeus
  • System Compromise, Trojan infection, QuadAgent
  • System Compromise, Trojan infection, Sysffic
  • System Compromise, Trojan infection, W32/NaverDown
  • System Compromise, Trojan infection, Win32.DanaBot
  • System Compromise, Trojan infection, Win32/Occamy

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Nanopool Claymore Dual Miner RCE
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, RIG EK DoubleKill IE/VBScript Engine RCE (CVE-2018-8174)
  • Exploitation & Installation, Service Exploit, HUMAX WiFi Router Disclosure Request
  • System Compromise, Ransomware infection, Aurora/OneKeyLocker

Updated Detection Technique - Remcos/Remvio

Remcos/Remvio is a Remote Access Trojan (RAT) that has been sold on the hacker underground and on the Breaking Security website (which claims to be an ethical hacking company and cybersecurity researcher) for over a year. In addition to common RAT features, Remcos/Remvio can create "automation" tasks, which give the malicious actor the ability to exfiltrate data without having to log in and do it manually. Breaking Security periodically updates the features and capabilities of its product, which is commonly used in malware campaigns against the vendor's stated wishes.

We've added IDS signatures and the following correlation rule to detect this activity: 

  • System Compromise, Malware RAT, Remcos/Remvio

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Cobalt Group SSL
  • System Compromise, C&C Communication, Meterpreter SSL Certificate
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, C&C Communication, Ursnif SSL activity
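The rules above depend on one mechanism: pulling the server certificate out of the TLS handshake and comparing its fingerprint with a list of known-bad fingerprints. The Python below is an added illustration of that mechanism, not AlienVault's signature logic or the Abuse.ch feed itself; the DER blob and the blocklist entry it uses are constructed placeholders, and only the unfragmented TLS 1.2 Certificate record case is handled.

```python
"""Added example: extract the certificate chain from a TLS 1.2 Certificate
handshake record and match each certificate's SHA-1 fingerprint against a
blocklist, the mechanism behind certificate-based C&C detection.
The DER blob and blocklist entry below are constructed, not real feed data."""
import hashlib
from typing import List, Set

CONTENT_HANDSHAKE = 22   # TLS record content type
HS_CERTIFICATE = 11      # handshake message type


def u24(b: bytes) -> int:
    """Decode a 3-byte big-endian length, the width TLS uses for cert lists."""
    return int.from_bytes(b, "big")


def extract_certificates(record: bytes) -> List[bytes]:
    """Return the DER certificates carried by a TLS Certificate message.
    Every length field is checked so a truncated record raises instead of
    yielding a partial certificate with a meaningless fingerprint."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body:
        raise ValueError("truncated record")
    if body[0] != HS_CERTIFICATE:
        raise ValueError("not a Certificate message")
    hs_len = u24(body[1:4])
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len:
        raise ValueError("truncated handshake message")
    list_len = u24(msg[0:3])
    certs_blob = msg[3:3 + list_len]
    if len(certs_blob) != list_len:
        raise ValueError("truncated certificate list")
    certs: List[bytes] = []
    i = 0
    while i < len(certs_blob):
        clen = u24(certs_blob[i:i + 3])
        der = certs_blob[i + 3:i + 3 + clen]
        if len(der) != clen:
            raise ValueError("truncated certificate")
        certs.append(der)
        i += 3 + clen
    return certs


def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-1 of the DER bytes, the form the Abuse.ch list uses."""
    h = hashlib.sha1(der).hexdigest()
    return ":".join(h[j:j + 2] for j in range(0, len(h), 2))


def build_certificate_record(certs: List[bytes]) -> bytes:
    """Assemble a TLS 1.2 record carrying a Certificate message (sample builder)."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msg = len(entries).to_bytes(3, "big") + entries
    hs = bytes([HS_CERTIFICATE]) + len(msg).to_bytes(3, "big") + msg
    return bytes([CONTENT_HANDSHAKE, 3, 3]) + len(hs).to_bytes(2, "big") + hs


def match_blocklist(record: bytes, blocklist: Set[str]) -> List[str]:
    """Fingerprints from the record that appear in the blocklist (alert on any)."""
    return [fp for fp in map(fingerprint, extract_certificates(record))
            if fp in blocklist]


# Constructed stand-in for a DER certificate; real ones begin with a SEQUENCE
# header (0x30 0x82 ...). The blocklist is seeded with its fingerprint, as if
# that entry had been imported from the feed.
FAKE_BAD_DER = b"\x30\x82\x00\x10constructed-cert"
FAKE_GOOD_DER = b"\x30\x82\x00\x0fconstructed-ok"
BLOCKLIST: Set[str] = {fingerprint(FAKE_BAD_DER)}

if __name__ == "__main__":
    rec = build_certificate_record([FAKE_BAD_DER, FAKE_GOOD_DER])
    print("matches:", match_blocklist(rec, BLOCKLIST))
```

Matching on the certificate rather than on the server name or IP is what makes these rules survive infrastructure changes: an operator who moves a C&C host keeps reusing the same certificate far more often than the same address.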

Updated Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, AZORult
  • System Compromise, Trojan infection, Bateleur
  • System Compromise, Trojan infection, Generic PowerShell

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Response from malware sinkhole
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Worm infection, Phorpiex