J2 CSC June 20th Weekly Briefing
This week we cover a number of detection and correlation rule updates to the Threat Intelligence for our Cybersecurity Platform. Let us be vigilant and keep you safe!
New Detection Technique - PLATINUM
PLATINUM is an APT actor that has been known to target South and Southeast Asian companies of various industries, originally discovered in April 2016. Since then, an updated tool linked to the group has been discovered that utilizes the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication. Until this incident, no malware had been discovered misusing the AMT SOL feature for communication.
We've added IDS signatures and the following correlation rule to detect this activity:
System Compromise, Trojan infection, PLATINUM
#PLATINUM #IDS
New Detection Technique - APT19
APT19 is a group composed of freelancers, with some degree of Chinese government sponsorship, that has been observed running a phishing campaign targeting at least seven global investment and law firms. They have used various techniques in an attempt to compromise targets, such as malicious RTFs and macro-enabled Excel documents.
We've added IDS signatures and the following correlation rule to detect this activity:
System Compromise, Targeted Malware, APT19
#APT19 #IDS
New Detection Technique - Fireball
Fireball is browser-targeting malware with two primary functions: running code on the victim's computer and manipulating the user's web browsers to generate ad revenue. Currently Fireball installs browser plugins and additional configurations in order to increase its advertisements, but it could easily be used to distribute malware. Fireball has infected over 250 million computers worldwide, up to 20% of which are in corporate networks.
We've added IDS signatures and the following correlation rule to detect this activity:
System Compromise, Malware RAT, Fireball
#Fireball #IDS
New Detection Technique - WiMAX Authentication Bypass (CVE-2017-3216)
Due to a vulnerability in commit2.cgi, implemented in libmtk_httpd_plugin.so, various WiMAX devices are vulnerable to an authentication bypass.
This vulnerability allows an attacker to set arbitrary configuration values without prior authentication.
We've added IDS signatures and the following correlation rule to detect this activity:
Exploitation & Installation, Client Side Exploit - Known Vulnerability, WiMAX Authentication Bypass (CVE-2017-3216)
#WiMAX #IDS
New Detection Technique - Informix Dynamic Server Vulnerabilities
Informix Dynamic Server and the Informix Open Admin Tool recently patched a number of vulnerabilities ranging from heap overflows to PHP injections. If left unpatched, these vulnerabilities could allow a remote attacker to execute commands on the affected systems.
We've added IDS signatures and the following correlation rule to detect this activity:
Exploitation & Installation, Client Side Exploit - Known Vulnerability, IBM Informix Dynamic Server Developer Heap Overflow
Exploitation & Installation, Client Side Exploit - Known Vulnerability, IBM Informix Dynamic Server Developer PHP Injection RCE
#PHP #IDS
New Detection Technique - Hadoop RCE
Due to a "feature" in Hadoop, an unauthenticated attacker has the ability to pass arbitrary input to MapReduce in the form of the command to be executed.
We've added IDS signatures and the following correlation rule to detect this activity:
Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Hadoop Command Injection Attempt
#Hadoop RCE #IDS
New Detection Technique - icmpsh
icmpsh is a tool that enables an attacker to exfiltrate data covertly utilizing the ICMP protocol.
We've added IDS signatures and the following correlation rule to detect this activity:
Environmental Awareness, Covert channel, icmpsh
#icmpsh #IDS
New Detection Technique - Ransomware
In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:
System Compromise, Ransomware infection, Executioner
We also added IDS signatures and updated correlation rules to better detect the following ransomware families:
System Compromise, Ransomware infection, Hidden-Tear
#Ransomware #IDS
New Detection Techniques
We've added the following correlation rules as a result of additional recent malicious activity:
Exploitation & Installation, Weak Configuration - Unauthenticated Access, OTRS Installation Dialog (after auth) attempt
System Compromise, Trojan infection, Hana
System Compromise, Trojan infection, Patpoopy
System Compromise, Trojan infection, Squiblydoo Scriptlet Download
System Compromise, Malware RAT, ColorFish
#Techniques #IDS
Updated Detection Technique - Exploit Kits
Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.
We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:
Delivery & Attack, Malicious website - Exploit Kit, EITest EK
Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
#Exploit Kits #IDS
Updated Detection Technique - Malware SSL Certificates
We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
System Compromise, C&C Communication, Known malicious SSL certificate
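The correlation behind this rule, as an added illustration rather than the platform's own code: a certificate blocklist in the abuse.ch SSLBL CSV layout is loaded and matched against TLS connection logs by server certificate SHA1 fingerprint. The blocklist rows, fingerprints and log lines below are constructed samples, and the log line layout is an assumed simple format, not a specific vendor's.

```python
import csv
import io
import re
from collections import namedtuple

# Constructed sample in the abuse.ch SSLBL CSV layout (comment lines start with '#',
# then Listingdate,SHA1,Listingreason). The fingerprints are made-up placeholders.
SAMPLE_BLOCKLIST = """# Listingdate,SHA1,Listingreason
2017-06-19 08:12:04,0123456789abcdef0123456789abcdef01234567,Dridex C&C
2017-06-18 13:40:51,fedcba9876543210fedcba9876543210fedcba98,Gozi C&C
"""

# Constructed TLS connection log lines (assumed layout): timestamp, source, destination,
# SHA1 fingerprint of the server certificate. Case of the hex differs on purpose.
SAMPLE_TLS_LOG = """2017-06-20T10:01:07Z 10.0.0.21:51344 -> 203.0.113.7:443 sha1=0123456789ABCDEF0123456789ABCDEF01234567
2017-06-20T10:01:09Z 10.0.0.22:51345 -> 198.51.100.9:443 sha1=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2017-06-20T10:02:30Z 10.0.0.23:51346 -> 192.0.2.40:8443 sha1=fedcba9876543210fedcba9876543210fedcba98
"""

Alert = namedtuple("Alert", "timestamp src dst reason")
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) sha1=([0-9a-fA-F]{40})$")


def load_blocklist(text):
    """Map lowercase SHA1 fingerprint -> listing reason, skipping comment and blank lines."""
    rows = csv.reader(line for line in io.StringIO(text)
                      if line.strip() and not line.startswith("#"))
    table = {}
    for row in rows:
        if len(row) != 3:
            continue  # tolerate a malformed row instead of failing the whole feed
        _date, sha1, reason = row
        table[sha1.strip().lower()] = reason.strip()
    return table


def correlate(log_text, blocklist):
    """Return one Alert per TLS connection whose server certificate is on the blocklist."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a TLS record in the expected layout
        ts, src, dst, sha1 = m.groups()
        reason = blocklist.get(sha1.lower())  # normalise case before the lookup
        if reason:
            alerts.append(Alert(ts, src, dst, reason))
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_TLS_LOG, load_blocklist(SAMPLE_BLOCKLIST)):
        print(f"{a.timestamp} {a.src} -> {a.dst}: known malicious SSL certificate ({a.reason})")
```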
#Malware SSL Certificates #IDS
Updated Detection Technique - Remote Access Tools
The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.
We've added IDS signatures and updated correlation rules to detect the following RAT activity:
System Compromise, Malware RAT, Unknown RAT
#RAT #IDS
Updated Correlation Rules
We've updated the following correlation rules as a result of recent malicious activity:
Delivery & Attack, Malicious website, Phishing activity
Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
System Compromise, Trojan infection, Banload
System Compromise, Trojan infection, Bitcoin Miner
System Compromise, Trojan infection, Bunitu
System Compromise, Trojan infection, Carbanak
System Compromise, Trojan infection, MSIL/IRCBot
System Compromise, Trojan infection, Neshta
System Compromise, Trojan infection, Qakbot
System Compromise, Trojan infection, Stimilik
System Compromise, Trojan infection, Unk
System Compromise, Trojan infection, Unknown trojan
#Correlation Rules #IDS