Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of November 2017

New Detection Technique – Exim4 UAF (CVE-2017-16943)

CVE-2017-16943 is a use-after-free vulnerability in Exim's receive_msg function. It allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service via a specially crafted BDAT command.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Exim4 UAF Attempt (BDAT with non-printable chars)
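The rule above keys on BDAT commands that carry non-printable characters. The following is an added example, not code from the original update or from any vendor signature, of how such a check can be expressed as a small inspector over the client side of a captured SMTP session. It walks the command stream, skips the chunk payload that follows a well-formed BDAT (so binary message data is not mistaken for commands), and flags any BDAT line that either contains bytes outside printable ASCII or does not match the `BDAT <size> [LAST]` shape defined by the CHUNKING extension. The function names and the sample sessions are constructed for this example.

```python
"""Flag SMTP BDAT commands that contain non-printable bytes or are malformed.

Added example (not part of the original threat update): a defender-side
inspector for the client half of an SMTP session. The BDAT grammar used
here follows the CHUNKING extension ("BDAT <chunk-size> [LAST]"); the
sample sessions below are constructed, not captured traffic.
"""
import re
from typing import Dict, List, Optional

# A well-formed BDAT command: "BDAT <decimal size>" optionally followed by " LAST".
WELL_FORMED_BDAT = re.compile(rb"BDAT (\d+)( LAST)?", re.IGNORECASE)


def is_printable_ascii(data: bytes) -> bool:
    """True if every byte is in the printable ASCII range 0x20..0x7E."""
    return all(0x20 <= b <= 0x7E for b in data)


def inspect_smtp_command(line: bytes) -> Dict[str, object]:
    """Inspect one client command line (without the trailing CRLF).

    Only BDAT lines are judged; every other command is reported as benign.
    """
    finding: Dict[str, object] = {
        "command": line[:4].upper().decode("ascii", "replace"),
        "suspicious": False,
        "reason": "",
    }
    if not line[:4].upper() == b"BDAT":
        return finding
    if not is_printable_ascii(line):
        finding["suspicious"] = True
        finding["reason"] = "BDAT command contains non-printable bytes"
    elif WELL_FORMED_BDAT.fullmatch(line) is None:
        finding["suspicious"] = True
        finding["reason"] = "BDAT command does not match 'BDAT <size> [LAST]'"
    return finding


def bdat_chunk_size(line: bytes) -> Optional[int]:
    """Return the announced chunk size of a well-formed BDAT line, else None."""
    m = WELL_FORMED_BDAT.fullmatch(line)
    return int(m.group(1)) if m else None


def scan_client_stream(raw: bytes) -> List[Dict[str, object]]:
    """Walk a captured client-to-server SMTP stream and collect suspicious findings.

    After a well-formed BDAT the next <size> bytes are message chunk data, not
    commands, so they are skipped rather than parsed as further command lines.
    """
    findings: List[Dict[str, object]] = []
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n", pos)
        if end == -1:
            end = len(raw)
        line = raw[pos:end]
        pos = end + 2
        finding = inspect_smtp_command(line)
        if finding["suspicious"]:
            findings.append(finding)
        size = bdat_chunk_size(line)
        if size is not None:
            pos += size  # skip the chunk payload announced by this BDAT
    return findings


# Constructed sample sessions (client side only).
BENIGN_SESSION = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"BDAT 5 LAST\r\n"
    b"hello"          # 5 bytes of chunk data announced by the BDAT above
    b"QUIT\r\n"
)

SUSPICIOUS_SESSION = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"BDAT 1 \xff\xfe\r\n"   # non-printable bytes inside the BDAT command line
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        print(name, scan_client_stream(session))
```

The check is deliberately narrow: it only judges the BDAT command line itself, which keeps ordinary 8-bit message bodies sent as chunk data from raising alerts. On a sensor it would sit behind the same session reassembly the IDS already performs.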

New Detection Technique – DarkNeuron

DarkNeuron is a tool produced by the Turla group. It mainly targets Microsoft Windows mail and web servers. It consists of client and server components, both written using the .NET Framework. The Neuron client infects the victim's endpoint and extracts sensitive information from the local machine. The server component infects infrastructure such as web and mail servers, which improves propagation and lets it act as a local command-and-control server for the client, reducing the need to communicate with the compromised machine from outside and limiting the footprint the client's activity could produce. Communication between components is based on HTTP and has been shown to emulate legitimate web servers, such as Microsoft Exchange or Microsoft IIS.

We've added IDS signatures and correlation rules to detect the following activity:

  • System Compromise, Trojan infection, DarkNeuron

New Detection Technique – Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Scarab

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Magniber

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Malware RAT, W32/LTTMoney
  • System Compromise, Trojan infection, Banker SSL activity

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all the attack methods it knows to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Bingo EK
  • Delivery & Attack, Malicious website - Exploit Kit, GrandSoft EK
  • Delivery & Attack, Malicious website - Exploit Kit, Neutrino EK

Updated Detection Technique - Linux.Mirai

Linux.Mirai is malware designed to hijack BusyBox-based systems to perform DDoS attacks. It made news in 2016 as the bot used in the DDoS attack on Brian Krebs's popular security blog. Mirai is known for how easily it can victimize IoT devices: it can assemble botnets of hundreds of thousands of devices by abusing the widespread use of Telnet and a list of factory-default usernames and passwords for vulnerable IoT devices.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Linux.Mirai

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, NanoCore

Updated Detection Technique - Netgear DGN Remote Command Execution

An arbitrary remote code execution vulnerability exists in the Netgear N150 Wireless Modem Router DGN series due to missing input validation of the "TimeToLive" parameter. A specially crafted request can give an attacker remote command execution on the device.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Netgear DGN Remote Command Execution

Updated Correlation Rules

We've also updated the following correlation rules as a result of recent malicious activity:

  • Environmental Awareness, Desktop Software - Chat Client, IRC
  • Exploitation & Installation, Weak Configuration - Vulnerable Authentication, Actiontec C1000A backdoor account
  • System Compromise, Backdoor, Bladabindi
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Targeted Malware, Patchwork
  • System Compromise, Trojan infection, Generic PowerShell
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, IRC Bot
  • System Compromise, Trojan infection, Unknown PowerShell