Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of September 2017

New Detection Technique - Synology PhotoStation RCE

By chaining together four different vulnerabilities, CVE-2017-11151 through CVE-2017-11155, an attacker can gain arbitrary code execution on a vulnerable Synology PhotoStation NAS.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Synology PhotoStation

New Detection Technique - Trojan.MSIL.ProxyChanger.AK

Trojan.MSIL.ProxyChanger.AK is a trojan that primarily targets the Windows platform. This malware modifies the local system proxy and redirects all traffic to an attacker-controlled system.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Trojan.MSIL.ProxyChanger.AK

New Detection Technique - Amnesia

Amnesia is a new variant of the IoT/Linux botnet known as "Tsunami." The Amnesia botnet targets an unpatched remote code execution vulnerability in DVR (digital video recorder) devices made by TVT Digital, which was publicly disclosed over a year ago, in March 2016.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Backdoor, Amnesia

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Oiram

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all of the attack methods it knows to compromise the user's browser and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified as being associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, StrongPity SSL activity
  • System Compromise, C&C Communication, Upatre SSL activity
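The detection described above boils down to matching the server certificate fingerprint of each observed TLS session against a list of certificates known to belong to malware C&C infrastructure. The following is an added example of that matching logic and is not AlienVault's correlation-rule code. It assumes a Zeek-style tab-separated SSL log (one TLS session per line with the server certificate's SHA-1 as the last field); the fingerprints, IP addresses and log lines are constructed sample values, not real indicators, and the blocklist labels reuse the rule names from this update only to show how a match would be reported.

```python
"""Match TLS certificate fingerprints from a connection log against a
blocklist of certificates associated with malware C&C activity.

Added example, not part of the original bulletin. Log format, fingerprints
and addresses below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed blocklist: certificate SHA-1 fingerprint -> correlation rule.
# Feeds publish fingerprints in mixed formats (colon-separated, upper or
# lower case), so both the list and the log values are normalized before use.
CERT_BLOCKLIST: Dict[str, str] = {
    "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67":
        "System Compromise, C&C Communication, Known malicious SSL certificate",
    "fedcba9876543210fedcba9876543210fedcba98":
        "System Compromise, C&C Communication, StrongPity SSL activity",
}

_SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def normalize_fingerprint(fp: str) -> Optional[str]:
    """Return a canonical 40-char lowercase hex SHA-1, or None if the value
    is not a SHA-1 fingerprint (Zeek logs '-' when no certificate was seen)."""
    clean = fp.strip().replace(":", "").replace(" ", "").lower()
    return clean if _SHA1_HEX.fullmatch(clean) else None


# Blocklist keyed by normalized fingerprint so lookups are format-independent.
NORMALIZED_BLOCKLIST: Dict[str, str] = {
    normalize_fingerprint(k): v for k, v in CERT_BLOCKLIST.items()
}


@dataclass
class Alert:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    fingerprint: str
    rule: str


def parse_ssl_log_line(line: str) -> Optional[dict]:
    """Parse one tab-separated record:
    ts, src_ip, src_port, dst_ip, dst_port, server_name, cert_sha1."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    ts, src_ip, _src_port, dst_ip, dst_port, server_name, cert_sha1 = fields
    return {
        "ts": ts, "src_ip": src_ip, "dst_ip": dst_ip,
        "dst_port": int(dst_port), "server_name": server_name,
        "cert_sha1": cert_sha1,
    }


def scan_ssl_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per TLS session whose server certificate is listed."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):  # skip header/comments
            continue
        rec = parse_ssl_log_line(line)
        if rec is None:
            continue
        fp = normalize_fingerprint(rec["cert_sha1"])
        if fp is None:
            continue
        rule = NORMALIZED_BLOCKLIST.get(fp)
        if rule:
            alerts.append(Alert(rec["ts"], rec["src_ip"], rec["dst_ip"],
                                rec["dst_port"], fp, rule))
    return alerts


# Constructed sample log: two sessions to listed certificates (one written
# with colons and upper case), one benign session, one with no certificate.
SAMPLE_SSL_LOG = """\
#fields\tts\tsrc_ip\tsrc_port\tdst_ip\tdst_port\tserver_name\tcert_sha1
1506326401.112\t10.0.0.15\t51344\t203.0.113.7\t443\t-\t0123456789ABCDEF0123456789ABCDEF01234567
1506326402.553\t10.0.0.15\t51345\t198.51.100.20\t443\twww.example.com\t1111222233334444555566667777888899990000
1506326403.007\t10.0.0.22\t49152\t203.0.113.9\t8443\t-\t-
1506326404.900\t10.0.0.22\t49153\t203.0.113.44\t443\t-\tFE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98
"""

if __name__ == "__main__":
    for alert in scan_ssl_log(SAMPLE_SSL_LOG.splitlines()):
        print(f"{alert.timestamp} {alert.src_ip} -> {alert.dst_ip}:{alert.dst_port} "
              f"cert={alert.fingerprint} [{alert.rule}]")
```

Normalizing both sides of the comparison is the part that matters in practice: a feed that lists fingerprints with colons and a sensor that logs them as bare lowercase hex will never match unless one of them is canonicalized first, and a session with no server certificate (logged as `-`) must be skipped rather than treated as a lookup miss or a parse error.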

Updated Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Locky

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Emotet
  • System Compromise, Trojan infection, Bancos
  • System Compromise, Trojan infection, Corebot
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, MP-FormGrabber
  • System Compromise, Trojan infection, Retefe
  • System Compromise, Trojan infection, SpyBanker
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Worm infection, DELF