
AlienVault Labs Threat Intelligence Update for USM Anywhere: June 24 - June 30, 2018

jkisielius (AlienVault Employee)

New Detection Techniques - Bicololo

The Bicololo malware family has been known for a number of years. It modifies a user's /etc/hosts file, redirecting traffic to malicious webpages that could potentially steal the victim's credentials.

The latest version of the trojan adds exfiltration capabilities, allowing it to send the victim's files or task lists to the Command and Control server. The new rules focus on identifying these exfiltration capabilities.

We've updated the following correlation rules to detect Bicololo activity:

  • System Compromise, Malware Infection, Trojan

Related content in Open Threat Exchange: https://otx.alienvault.com/indicator/file/e83cee14cb76f55064944b0fc0ea8046febab19ac1292ab0320081c774e51f6b
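As an added example (not part of the original post or of the USM Anywhere rule set), a small Python check that parses hosts file contents and flags entries mapping domain names to routable addresses, the redirection pattern described above. The sample hosts contents, the example-* host names and the 203.0.113.45 address (an RFC 5737 documentation address standing in for an attacker IP) are constructed.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample hosts file contents for illustration only.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    nas.lan
0.0.0.0         ads.example-tracker.net   # ad-block style sinkhole
203.0.113.45    www.example-bank.com      # Bicololo-style redirect
203.0.113.45    social.example.org login.example.org
"""

# Loopback, unspecified, link-local and RFC 1918 ranges: entries pointing here are
# the normal content of a hosts file (local names, ad-block sinkholes), not redirects.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "::/128", "fc00::/7", "fe80::/10")]

class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: Tuple[str, ...]

def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts file text into entries, skipping comments, blanks and junk lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address in the first column
        entries.append(HostsEntry(n, parts[0], tuple(parts[1:])))
    return entries

def is_local_or_sinkhole(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in LOCAL_NETS)

def suspicious_entries(text: str) -> List[HostsEntry]:
    """Entries that send a dotted host name to a routable (non-local) address."""
    return [e for e in parse_hosts(text)
            if not is_local_or_sinkhole(e.address) and any("." in n for n in e.names)]
```

Running suspicious_entries over the sample flags the two 203.0.113.45 lines and leaves the loopback, LAN and 0.0.0.0 sinkhole entries alone.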

New Detection Techniques - TP-LINK RCE (CVE-2018-11481)

TP-LINK routers are vulnerable to CVE-2018-11481, which allows an attacker to remotely execute commands. The vulnerability lies in a password field that accepts the single quote, double quote and curly brace characters (', ", }, {), which could be used to embed commands in the password field for execution. Correlation rules have been added to detect this behaviour.

We've updated the following correlation rules to detect this activity:

  • Delivery & Attack, Vulnerable Software Exploitation, Code Execution

Related content in Open Threat Exchange: https://otx.alienvault.com/indicator/cve/CVE-2018-11481

New Detection Techniques - Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Malware Infection, Trojan
  • System Compromise, C&C Communication, Malware Beaconing to C&C

New Detection Techniques - Exploits

We've updated the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Vulnerable Software Exploitation, Code Execution
  • Delivery & Attack, WebServer Attack, Arbitrary File Deletion

New Detection Techniques

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, C&C Communication, Malware Beaconing to C&C
  • System Compromise, C&C Communication, Exfiltration

Updated Detection Techniques - Wordpress Exploits

The popular blogging platform Wordpress, with its multitude of plugins, continues to show up in the updated exploit detections. Four additional exploit detections were added this week:

  • CVE-2018-10969 allows logged-in users of the Pie Register plugin to perform a SQL injection via the invitation codes grid. This SQL injection could potentially lead to remote code execution.
  • CVE-2018-12636 allows logged-in users of the iThemes Security plugin with Admin privileges to perform a SQL injection via the logs page. This SQL injection could potentially lead to remote code execution.
  • A vulnerability in the Contact Form Maker plugin allows Wordpress users with access to the plugin to escalate privileges or read/write the database contents. (www.exploit-db.com/exploits/44854/)
  • A vulnerability in Wordpress allowed a tailored request to perform arbitrary file deletions on the server. (www.exploit-db.com/exploits/44949/)

We've updated the following correlation rules to detect this activity:

  • Delivery & Attack, Web Server Attack - SQL Injection, Attack Pattern Detection
  • Delivery & Attack, WebServer Attack, Arbitrary File Deletion

Updated Detection Techniques - Mobile Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity, including SmsSpy and Asacub.a Banker:

  • System Compromise, C&C Communication, Malware Beaconing to C&C
  • System Compromise, Malware Infection, Trojan

Updated Detection Techniques - Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity, including W32/Kutaki and MalDoc:

  • System Compromise, Malware Infection, Trojan
  • System Compromise, Malware Infection, Malicious SSL Certificate

Updated Correlation Rules

We've updated the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Malware Infection, Phishing
  • Delivery & Attack, WebServer Attack, Arbitrary File Deletion
  • Delivery & Attack, Web Server Attack - SQL Injection, Attack Pattern Detection
