Contact: 087 238 1870


J2 CSC September 30th Weekly Briefing


This week's threat intelligence update for our cybersecurity platform: Be Vigilant, Be Informed and Be Safe!

New Detection Technique - Synology PhotoStation RCE

By chaining together 4 different vulnerabilities, CVE-2017-11151 through CVE-2017-11155, an attacker can gain arbitrary code execution on a vulnerable Synology PhotoStation NAS.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Synology PhotoStation

#Synology #PhotoStation


New Detection Technique - Trojan.MSIL.ProxyChanger.AK

Trojan.MSIL.ProxyChanger.AK is a trojan that primarily targets the Windows platform.

This malware modifies the local system proxy and redirects all traffic to an attacker-controlled system.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Trojan.MSIL.ProxyChanger.AK

#Trojan.MSIL.ProxyChanger.AK #Trojan infection


New Detection Technique - Amnesia

Amnesia is a new variant of the IoT/Linux botnet known as "Tsunami."

The Amnesia botnet targets an unpatched remote code execution vulnerability in DVR (digital video recorder) devices made by TVT Digital, which was publicly disclosed over a year ago, in March 2016.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Backdoor, Amnesia

#Backdoor #Amnesia


New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Oiram

#Oiram #Trojan


Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads."

Undetectable by normal users, these kits are embedded in websites by attackers.

When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine.

This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

#Exploit Kits #Malicious website #RIG EK #EITest EK #Malicious redirection


Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity.

The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, StrongPity SSL activity
  • System Compromise, C&C Communication, Upatre SSL activity

#Malware SSL Certificates #Known malicious SSL certificate
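As an added illustration of how a certificate blocklist drives this kind of C&C detection (example code, not the platform's own rule logic or the Abuse.ch feed), the script below parses a constructed SSLBL-style CSV of certificate SHA1 fingerprints, normalizes the fingerprint formats different sensors emit, and flags constructed TLS session records whose server certificate is on the list. The CSV rows, fingerprints and session records are all made up for this example.

```python
import csv

# Constructed sample blocklist in the abuse.ch SSLBL CSV layout
# (Listingdate,SHA1,Listingreason). These fingerprints are invented for
# this example and are not real SSLBL entries.
SAMPLE_BLOCKLIST_CSV = """# SSLBL-style feed, rows constructed for this example
# Listingdate,SHA1,Listingreason
2017-09-25 10:14:02,0123456789abcdef0123456789abcdef01234567,Upatre C&C
2017-09-27 08:40:11,89abcdef0123456789abcdef0123456789abcdef,StrongPity C&C
"""

# Constructed TLS session records as a sensor might log them. Note the
# mixed fingerprint formats (colon-separated upper case vs. bare lower case).
SAMPLE_TLS_SESSIONS = [
    {"src": "10.0.0.15", "dst": "203.0.113.7",
     "sha1": "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"},
    {"src": "10.0.0.22", "dst": "198.51.100.9", "sha1": "deadbeef" * 5},
    {"src": "10.0.0.31", "dst": "192.0.2.44",
     "sha1": "89ABCDEF0123456789ABCDEF0123456789ABCDEF"},
]


def normalize_sha1(fp):
    """Lower-case and strip colons/whitespace so fingerprints from different tools compare equal."""
    fp = fp.replace(":", "").replace(" ", "").strip().lower()
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return fp


def load_blocklist(csv_text):
    """Parse SSLBL-style CSV into {sha1: listing_reason}, skipping '#' comment lines."""
    rows = (ln for ln in csv_text.splitlines() if ln and not ln.startswith("#"))
    return {normalize_sha1(sha1): reason for _date, sha1, reason in csv.reader(rows)}


def match_sessions(sessions, blocklist):
    """Return one alert per session whose certificate fingerprint is on the blocklist."""
    alerts = []
    for s in sessions:
        reason = blocklist.get(normalize_sha1(s["sha1"]))
        if reason:
            alerts.append({"src": s["src"], "dst": s["dst"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in match_sessions(SAMPLE_TLS_SESSIONS, load_blocklist(SAMPLE_BLOCKLIST_CSV)):
        print(f"C&C Communication: {a['src']} -> {a['dst']} ({a['reason']})")
```

In production the same matching is done in the IDS against the server certificate seen in the TLS handshake, so a refreshed feed alone adds coverage without new rule logic.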


Updated Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild.

We've added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Locky

#Ransomware #Cerber #Locky


Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Emotet
  • System Compromise, Trojan infection, Bancos
  • System Compromise, Trojan infection, Corebot
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, MP-FormGrabber
  • System Compromise, Trojan infection, Retefe
  • System Compromise, Trojan infection, SpyBanker
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Worm infection, DELF

#Phishing activity #Emotet #Bancos #Corebot #Kryptik #CoinMiner #MP-FormGrabber #Retefe #SpyBanker #DELF