0861 00 JTWO (5896)

J2 CSC July 18th Weekly Briefing

This week we cover a number of detection and correlation rule updates to our Threat Intelligence for our Cybersecurity Platform – Let us Be Vigilant and Keep You Safe!

New Detection Technique - Sakurel

Sakurel is a trojan that, after compromising a host, will open a back door and potentially download and execute malicious files.
We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Sakurel

#Sakurel


New Detection Technique - Symantec Messaging Gateway RCE attempt

A remote command injection vulnerability exists due to the lack of input sanitation of the ''path" parameter of the /brightmail/admin/backup/backupNow.do service. Specially-crafted packets can lead to an attacker being able to gain code execution.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Symantec Messaging Gateway RCE attempt.

#RCE Attempt


New Detection Technique - Ransomware

A new variant of Petya, while sharing some similar code, is more sophisticated in its lateral movement techniques than the original.
The malware utilizes credential theft, the EternalBlue exploit, and EternalRomance exploits in order to spread.

  • System Compromise, Ransomware infection, Petya

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Filecoder
  • System Compromise, Ransomware infection, Locky

#Cerber #Filecoder #Locky


New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Backdoor, DoublePulsar

# Backdoor #DoublePulsar


Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities.

The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate.

#C&C #SSL


Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, C&C Communication, Response from a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Neshta
  • System Compromise, Trojan infection, TeleBots
  • System Compromise, Trojan infection, Unknown PowerShell

#CoinMiner #Generic #Banload #Bitcoin Miner #Neshta #TeleBots #Unknown PowerShell

Print Email