J2 CSC July 24th Weekly Briefing
This week we cover a number of "new" threats, along with detection and correlation rule updates to the Threat Intelligence for our Cybersecurity Platform. Let us be vigilant and keep you safe!
New Detection Technique - LockPOS
LockPoS is a new point-of-sale malware being distributed by the same botnets that previously spread FlokiBot. FlokiBot and LockPoS share a common C2 host, so it is likely that the same threat actor controls both. LockPoS's credit card stealing functionality works like that of other PoS malware: it scans the memory of other running processes looking for data that matches the format of credit card track data.
We've added IDS signatures and the following correlation rules to detect this activity:
- System Compromise, Trojan infection, LockPOS
- System Compromise, C&C Communication, LockPOS SSL activity
#LockPOS
New Detection Technique - Apache Struts Showcase App RCE S2-048 RCE (CVE-2017-9791)
A remote code execution vulnerability, CVE-2017-9791, has been disclosed in an Apache Struts plugin that allows developers to use existing Struts 1 Actions and ActionForms in Struts 2 web applications. Like earlier Struts issues, CVE-2017-9791 (covered in S2-048) is exploited through OGNL expressions to achieve remote code execution.
We've added IDS signatures and the following correlation rules to detect this activity:
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Struts Showcase App RCE S2-048 RCE (CVE-2017-9791)
#RCE S2-048 RCE (CVE-2017-9791)
Microsoft/Adobe Patch Tuesday
This week's updates include Microsoft/Adobe's Patch Tuesday content. Adobe and Microsoft fixed multiple vulnerabilities in their products.
We've added IDS signatures and correlation rules to detect the following activity:
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, Action Script 2 BitmapData OOB (CVE-2017-3100)
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, IE11 Type Confusion Vuln (CVE-2017-8524)
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge Chakra Core Type Confusion Vuln (CVE-2017-8601)
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge Out-of-Bounds Write Vuln (CVE-2017-8619)
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge Type Confusion Vuln (CVE-2017-8617)
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge Uninitialized Memory Vuln (CVE-2017-8598)
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge Use-After-Free Vuln (CVE-2017-8605)
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Word Memory Corruption Vuln (CVE-2017-0243)
#Microsoft/Adobe Patch Tuesday
New Detection Technique - Ransomware
In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:
- System Compromise, Ransomware infection, Fenrir
- System Compromise, Ransomware infection, Nemesis
- System Compromise, Ransomware infection, Striked
We also added IDS signatures and updated correlation rules to better detect the following ransomware families:
- System Compromise, Ransomware infection, Cerber
- System Compromise, Ransomware infection, Poshcoder
#Fenrir #Nemesis #Striked #Cerber #Poshcoder
New Detection Techniques
We've added the following correlation rules as a result of additional recent malicious activity:
- System Compromise, Trojan infection, MSIL/SkyNet
- System Compromise, Trojan infection, vjw0rm
- System Compromise, Trojan infection, Volk-Botnet
- System Compromise, Trojan infection, Winnti
#MSIL/SkyNet #vjw0rm #Volk-Botnet #Winnti
Updated Detection Technique - Equation Group Leaks
Shadow Brokers has leaked more of the Equation Group's hacking tools stolen from the NSA.
The four-year-old exploits attempt to hijack critical Microsoft Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8. The leaked files range from Windows exploits to tools for monitoring SWIFT interbank payments.
We've added IDS signatures and the following correlation rules to detect the exploit activity from these tools:
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible MS17-010
#Shadow Brokers #NSA #SWIFT #MS17-010
Updated Detection Technique - Exploit Kits
Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.
We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:
- Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
- Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
#Malicious redirection #Sundown EK
Updated Detection Technique - Sofacy/Sednit/APT28
In October 2014, a report was published about a threat actor named APT28. APT28 continues to be active today.
We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters.
Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia, indicating that one of the group's objectives is gathering geopolitical intelligence.
We've added IDS signatures and modified the following correlation rule to detect APT28 activity:
- System Compromise, Trojan infection, APT28 activity
#Sofacy #Sednit #APT28
Updated Detection Technique - Malware SSL Certificates
We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity.
The updated correlation rules use this information to detect command and control (C&C) communications for several malware families, including:
- System Compromise, C&C Communication, Known malicious SSL certificate
- System Compromise, C&C Communication, Panda Banker SSL activity
#Malware SSL Certificates #CryptoWall #TeslaCrypt #TorrentLocker #PadCrypt #Locky #CTB-Locker #FAKBEN
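As an added example (not part of this briefing or the platform's own rules), this is the core of a certificate-fingerprint check of the kind the Abuse.ch list enables: the listed value is the SHA1 over the full DER certificate, so matching needs no certificate parsing. The CSV layout (listing date, SHA1, listing reason), the certificate bytes and the listing itself are all constructed for the example.

```python
import csv
import hashlib

# Constructed stand-ins for DER-encoded certificates captured from TLS
# handshakes. Only the raw bytes matter here, because the blacklist value
# is the SHA1 over the complete DER certificate.
MALICIOUS_DER = b"\x30\x82\x01\x00constructed-c2-certificate"
BENIGN_DER = b"\x30\x82\x01\x00constructed-benign-certificate"


def fingerprint(der_bytes: bytes) -> str:
    """SHA1 fingerprint of a DER certificate as lowercase hex, no colons."""
    return hashlib.sha1(der_bytes).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' (OpenSSL style) as well as 'abcd..' (Zeek/CSV style)."""
    return fp.replace(":", "").strip().lower()


def load_sslbl(csv_text: str) -> dict:
    """Parse a blacklist CSV (Listingdate,SHA1,Listingreason) into
    {sha1: (listing_date, reason)}; lines starting with '#' are comments."""
    rows = (ln for ln in csv_text.splitlines() if ln and not ln.startswith("#"))
    blacklist = {}
    for row in csv.reader(rows):
        listing_date, sha1, reason = row[:3]
        blacklist[normalize(sha1)] = (listing_date.strip(), reason.strip())
    return blacklist


def check_cert(der_bytes: bytes, blacklist: dict):
    """Return (listing_date, reason) when the certificate is listed, else None."""
    return blacklist.get(fingerprint(der_bytes))


# Constructed blacklist text; the fingerprint is derived from MALICIOUS_DER
# above (and written colon-free, uppercase) so the example is self-consistent.
SSLBL_CSV = (
    "# Listingdate,SHA1,Listingreason\n"
    f"2017-07-20 10:15:02,{fingerprint(MALICIOUS_DER).upper()},Panda Banker C&C\n"
)
BLACKLIST = load_sslbl(SSLBL_CSV)

if __name__ == "__main__":
    for name, der in (("malicious", MALICIOUS_DER), ("benign", BENIGN_DER)):
        print(name, "->", check_cert(der, BLACKLIST))
```

In practice the certificate bytes come from the server's Certificate message in the handshake (or the fingerprint from a Zeek x509 log), and a hit is what a "Known malicious SSL certificate" correlation rule keys on.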
Updated Correlation Rules
We've updated the following correlation rules as a result of recent malicious activity:
- Delivery & Attack, Malicious website, Phishing activity
- System Compromise, C&C Communication, Query to a DGA Domain
- System Compromise, Malware infection, CoinMiner
- System Compromise, Targeted Malware, APT Cmstar
- System Compromise, Targeted Malware, Monsoon Tinytyphon
- System Compromise, Trojan infection, AgentTesla
- System Compromise, Trojan infection, Andromeda
- System Compromise, Trojan infection, Keitaro TDS
- System Compromise, Trojan infection, Quant Loader
- System Compromise, Trojan infection, Unk
- System Compromise, Trojan infection, Unknown trojan
#Phishing activity #DGA Domain #CoinMiner #APT Cmstar #Monsoon Tinytyphon #Agent Tesla #Andromeda #Keitaro TDS #Quant Loader #Unk #Unknown trojan