
AlienVault Labs Threat Intelligence Update for USM Appliance: December 31, 2017 - January 6, 2018

jkisielius


New Detection Technique – Known Vulnerability, Weblogic XMLDecoder RCE (CVE-2017-10271)

This is a known vulnerability of Oracle Fusion Middleware; specifically in the Oracle WebLogic Server module. A successful attacker can compromise the Oracle WebLogic Server.

The vulnerability allows remote code execution through the WSAT endpoint because of a flaw in the deserialization of XML-encoded Java objects. The payload contains a crafted Java object that carries arbitrary code.

We've updated the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Weblogic XMLDecoder RCE (CVE-2017-10271)

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5a4e1c4993199b299f90a212

New Detection Technique – MedusaHTTP

MedusaHTTP is the name of a botnet that appeared in early 2017, written in .NET and designed to perform DDoS attacks. It is an evolution of an IRC-based botnet called MedusaIRC. The botnet uses HTTP communications for command and control and is typically delivered via the Rig Exploit Kit.

The initial connection of MedusaHTTP is a POST request with a static user agent sent to the C&C server. It contains information about the infected machine, after which the bot waits for instructions. It is a capable DDoS bot and includes TCP and UDP flooding methods.

We've updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, MedusaHTTP

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5a3dd57e0faf50552e9f9223
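As an added example (not AlienVault/USM code and not part of the original post), the following Python script shows how the two detections described above, the WebLogic WSAT XMLDecoder request (CVE-2017-10271) and the MedusaHTTP POST beacon with a static user agent, can be expressed as simple rules run over web-server log lines. The log format, the sample entries, the WSAT path (taken from public advisories rather than from the post) and the bot user-agent value are all assumptions or constructed placeholders; the user-agent set in particular is meant to be filled from your own threat intelligence.

```python
"""Tiny HTTP-log scanner for the two detections discussed above.

Added example for this post, not AlienVault/USM code. The log layout,
the sample lines, the WSAT path and the bot user-agent are assumptions
or constructed placeholders.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed log layout, one request per line:
#   <client_ip> "<METHOD> <path>" <status> "<user_agent>" "<body_excerpt>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)

# Public advisories for CVE-2017-10271 place the vulnerable WSAT endpoint
# under /wls-wsat/ (assumption from those advisories, not from the post).
WSAT_PATH = re.compile(r"/wls-wsat/", re.IGNORECASE)
# XMLDecoder consumes XML that describes Java objects; these tags are the
# markup it expects, so their presence in a body sent to the endpoint is
# the indicator we look for.
XMLDECODER_MARKERS = re.compile(
    r"java\.beans\.XMLDecoder|<java\b|<void\b", re.IGNORECASE
)

# Placeholder: replace with the static user-agent string from your own
# threat intel (e.g. the OTX pulse linked above). This value is constructed.
BOT_USER_AGENTS = {"PLACEHOLDER-MEDUSAHTTP-UA/1.0"}
# Number of identical POSTs (same client, path and user agent) that we
# treat as check-in beaconing when the user agent is not yet known.
BEACON_THRESHOLD = 3


@dataclass
class Request:
    ip: str
    method: str
    path: str
    status: int
    ua: str
    body: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one log line; return None for lines that do not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ip"], m["method"], m["path"], int(m["status"]),
                   m["ua"], m["body"])


def is_wsat_xmldecoder(req: Request) -> bool:
    """POST to the WSAT endpoint whose body carries XMLDecoder object markup."""
    return (req.method == "POST"
            and WSAT_PATH.search(req.path) is not None
            and XMLDECODER_MARKERS.search(req.body) is not None)


def is_bot_user_agent(req: Request) -> bool:
    """POST check-in using a user agent on the bot watchlist."""
    return req.method == "POST" and req.ua in BOT_USER_AGENTS


def scan(lines: List[str]) -> Dict[str, list]:
    """Run all rules over the log and group findings by rule name."""
    findings: Dict[str, list] = {"wsat_xmldecoder": [],
                                 "bot_user_agent": [], "beaconing": []}
    posts: Counter = Counter()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue  # unparsable line: skip it rather than abort the scan
        if is_wsat_xmldecoder(req):
            findings["wsat_xmldecoder"].append(req.ip)
        if is_bot_user_agent(req):
            findings["bot_user_agent"].append(req.ip)
        if req.method == "POST":
            posts[(req.ip, req.path, req.ua)] += 1
    # Repeated identical POSTs from one client look like a bot waiting for
    # instructions; surface them even without a known user agent.
    for (ip, path, _ua), n in posts.items():
        if n >= BEACON_THRESHOLD:
            findings["beaconing"].append((ip, path))
    return findings


# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 "POST /wls-wsat/CoordinatorPortType" 500 "Mozilla/5.0" '
    '"<java class=\'java.beans.XMLDecoder\'>"',
    '198.51.100.4 "GET /wls-wsat/CoordinatorPortType?WSDL" 200 "curl/7.58.0" ""',
    '192.0.2.10 "POST /gate.php" 200 "PLACEHOLDER-MEDUSAHTTP-UA/1.0" "id=host01"',
    '192.0.2.11 "POST /api/upload" 200 "Mozilla/5.0" "file=report.pdf"',
    '192.0.2.12 "POST /check" 200 "Mozilla/5.0 (beacon)" "v=1"',
    '192.0.2.12 "POST /check" 200 "Mozilla/5.0 (beacon)" "v=1"',
    '192.0.2.12 "POST /check" 200 "Mozilla/5.0 (beacon)" "v=1"',
]

if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

The WSAT rule deliberately requires both the endpoint path and the object markup in the body, so a plain WSDL fetch of the same endpoint (the second sample line) is not flagged; the beaconing heuristic is a fallback for when the static user agent is not yet in the watchlist and will need tuning against legitimate polling clients.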

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Cybergate/Rebhip/Spyrat/Win32.Poison
  • System Compromise, Trojan infection, iSpy Keylogger
  • System Compromise, Trojan infection, MSIL/Bancos
  • System Compromise, Trojan infection, NepaCollector
  • System Compromise, Trojan infection, Oilrig
  • System Compromise, Trojan infection, Python Monero
  • System Compromise, Trojan infection, Qasar Variant
  • System Compromise, Trojan infection, Sharik/Smoke
  • System Compromise, Trojan infection, Win32/ChaseBrute
  • System Compromise, Trojan infection, Win32/CoinMining
  • System Compromise, Trojan infection, Xtrat/XtremeRAT

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Client Side Exploit - Known Vulnerability, Spectre Kernel Memory Leakage
  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - SQL Injection, TDS SQL Batch Outbound
  • Delivery & Attack, Suspicious File, Windows Executable Inbound via TDS
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, Malware infection, CoinMiner

Updated Detection Technique – Kazy

The Kazy name refers to a number of related malware downloaders. It is usually delivered in GIF images and executable packages. It first appeared in 2010, and today most of its versions are easily detectable by any antivirus. Often, the final payload is used to send spam email targeting online bank accounts. It is a dropper trojan containing malware such as spyware, remote access tools and keyloggers.

The best way to prevent this trojan from infecting a machine is to follow safe browsing practices such as downloading installable files only from legitimate sources, and not opening attachments from unknown senders.

We've updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Win32.Kazy

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5a56019b49cace55f8249929

Updated Detection Technique – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Crimson
  • System Compromise, Trojan infection, Xtrat/XtremeRAT
  • System Compromise, Trojan, Babylon
  • System Compromise, Trojan, CoinMiner

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Backdoor, DGA
  • System Compromise, C&C Communication, Metasploit Meterpreter Reverse HTTPS certificate
