0861 00 JTWO (5896)

J2 CSC July 31st Weekly Briefing

This week @J2CS:

This week we continue to improve our threat detection correlation rules and update our Threat Intelligence for our Cybersecurity Platform – Let us Be Vigilant and Keep You Safe!

New Detection Technique - ELF_SHELLBIND.A

ELF_SHELLBIND.A is similar to various reports of SambaCry being used in the wild, but it separates itself from the pack due to the fact that it targets several IoT devices of various architectures, such as MIPS, ARM, and PowerPC.

We've added IDS signatures and the following correlation rules to detect this activity:

  • System Compromise, Trojan infection, ELF_SHELLBIND.A

# ELF_SHELLBIND.A


New Detection Technique - NotPetya

NotPetya is a newish piece of ransomware that is suspected of utilizing code from the well know Petya ransomware family. Unlike other copy-cats of Petya, it seems unfinished or broken on purpose because the Salsa key that used to encrypt the MFT cannot be recovered. Once encrypted, data cannot be decrypted, even by the malware authors. NotPetya also has the ability to spread via the use of the EternalBlue vulnerability, the EternalRomance vulnerability and credential theft.

We've added IDS signatures and the following correlation rules to detect this activity:

  • System Compromise, Ransomware infection, NotPetya

#NotPetya #EternalBlue #EternalRomance #Petya


New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild.

We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Bitshifter
  • System Compromise, Ransomware infection, Shifr
  • System Compromise, Ransomware infection, TeslaWare
  • System Compromise, Ransomware infection, Reyptson

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Erebus
  • System Compromise, Ransomware infection, Filecoder
  • System Compromise, Ransomware infection, TeslaWare
  • System Compromise, Ransomware infection, Torrentlocker

#Bitshifter #Shifr #TeslaWare #Reyptson #Cerber #Erebus #Filecoder #TeslaWare #Torrentlocker


Updated Detection Technique - Chrome WebEx Extension RCE Attempt

A vulnerability discovered in the Cisco WebEx browser extension could potentially allow an unauthenticated remote attacker to execute commands on the affected system.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Chrome WebEx Extension RCE Attempt System Compromise, Trojan infection, MSIL/InstagramAccount

# Chrome WebEx Extension RCE Attempt System Compromise # MSIL/InstagramAccount # Trojan infection


Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine.
This approach is a common attack vector and a major source of infections for end users.
Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Neutrino EK

#Neutrino EK #Exploit Kit #Malicious website


Updated Detection Technique - Sofacy/Sednit/APT28

APT28 continues to be quite active these days, even since its original discovery back in 2014.
We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence.

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

#Sofacy #Sednit #APT28


Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities.

The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Upatre SSL activity

#Malware SSL Certificates #Upatre #Win32/Upatre


Updated Detection Technique - Tor Onion Proxy

Tor is an open network that enables anonymity and allows users to surf the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network and are called hidden services. There are some websites that allow access to Tor hidden services through the Internet without being inside the Tor network.

Many ransomware schemes use these services to receive payments and conduct other malicious activities.

We've updated the correlation rule that will detect when a system is accessing one of these services:

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

#Tor #Onion Proxy


Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - SQL Injection, Attack Pattern Detection
  • Environmental Awareness, Sensitive Data - Configuration File, Cisco - Configuration file downloaded via TFTP/SNMP
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash - CVE-2014-0515
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Adware infection, InstallCore
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, C&C Communication, Response from a DGA Domain
  • System Compromise, Malware RAT, Netwire
  • System Compromise, Malware infection, Alina POS Malware
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Reconyc
  • System Compromise, Trojan infection, Ardamax
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, DarkVNC
  • System Compromise, Trojan infection, Godzilla
  • System Compromise, Trojan infection, Keitaro TDS
  • System Compromise, Trojan infection, Parite
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Unknown PowerShell
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Winnti
  • System Compromise, Trojan infection, Zyklon

#Phishing Activity #SQL Injection #Adobe Flash - CVE-2014-0515 #InstallCore #DGA (Domain Generation Algorithm) #Netwire #Alina POS Malware