Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 5th week of April 2018

New Detection Technique – GPON Authentication Bypass (CVE-2018-10561)

This GPON vulnerability was publicly announced on May 3. It affects GPON routers and allows an attacker to bypass authentication and consequently achieve Remote Code Execution via HTTP requests to the router. Appending '?images/' to the end of the request URI is enough to bypass authentication on a vulnerable device and take control of the router.
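As an added illustration (not part of this bulletin or its IDS signatures), the following Python snippet shows how a defender could flag this request pattern in web-server or proxy access logs; the log lines and the request paths in them are constructed placeholders, since the bulletin does not name the affected endpoints:

```python
import re
from urllib.parse import unquote

# Common Log Format; the request URI is the field we inspect.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

# Constructed sample access log lines (not real traffic); paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [03/May/2018:10:01:09 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
198.51.100.9 - - [03/May/2018:10:02:41 +0000] "POST /placeholder_form?images/ HTTP/1.1" 200 133
198.51.100.9 - - [03/May/2018:10:02:42 +0000] "GET /status.html%3Fimages/ HTTP/1.1" 200 77
203.0.113.8 - - [03/May/2018:10:03:00 +0000] "GET /search?q=images/ HTTP/1.1" 200 300
"""


def is_gpon_bypass_uri(uri: str) -> bool:
    """True if the request URI carries the '?images/' authentication-bypass suffix.

    The URI is percent-decoded first so an encoded '?' (%3F) cannot slip past
    the check, and the comparison is case-insensitive. A plain '/images/' path
    without a preceding '?' is ordinary static content and is not flagged.
    """
    decoded = unquote(uri).lower()
    return "?images/" in decoded


def find_bypass_attempts(log_text: str) -> list:
    """Return the parsed fields of every log line whose URI matches the bypass pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_gpon_bypass_uri(m.group("uri")):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "uri", "status")})
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["uri"]} -> {hit["status"]}')
```

A 200 response to such a request from a GPON device is the case worth escalating; a 401 or 403 suggests the device rejected the bypass.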

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, GPON Authentication Bypass Attempt (CVE-2018-10561)

New Detection Technique – DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822)

This vulnerability affects DotNetNuke (DNN) software versions prior to 9.1.1. It allows privilege escalation leading to Remote Code Execution through a specially crafted DNNPersonalization value in the cookie. Although the vulnerability is known and publicly documented, no exploits or Proof of Concept (POC) have been identified or made public.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, WebServer Attack, DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822)

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Celebi.A
  • System Compromise, Trojan infection, Unk.BrowserHijacker
  • System Compromise, Trojan infection, sLoad

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Malware infection, Atshz.A
  • System Compromise, Malware infection, PUP/WifiProtector

Updated Detection Technique – Blackmoon

Blackmoon Banking Malware, also known as KRBanker, has been seen since at least 2014. The hacking group behind Blackmoon has changed their methodologies to attack banks in South Korea; according to Fidelis, these include Samsung Pay, Citibank Korea, Hana Financial Group, and KB Financial Group. The malware is delivered through a phishing attack, which includes a malicious attachment carrying a downloader for the actual malware. Before infecting a machine, the malware checks the system's default language to ensure it is running on a Korean system, and only then proceeds with the infection.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware infection, Blackmoon

Updated Detection Technique – Remote Access Tools

This attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, QRat.Java.RAT

Updated Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Chthonic
  • System Compromise, Trojan infection, ExtenBro
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, RedLeaves
  • System Compromise, Trojan infection, Zeus
  • System Compromise, Trojan infection, Zusy

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, GreenFlash SunDown EK Payload March 9 2018
  • System Compromise, Adware infection, InstallCore
  • System Compromise, C&C Communication, Cobalt Group
  • System Compromise, C&C Communication, Cobalt Group SSL
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, C&C Communication, Ursnif SSL activity
  • System Compromise, C&C Communication, Zeus Panda SSL Certificate
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Ransomware infection, Troldesh