
AlienVault Labs Threat Intelligence Update for USM Appliance: June 24 - June 30, 2018

jkisielius, AlienVault Employee

New Detection Techniques - Bicololo

The Bicololo malware family has been known for a number of years. It modifies the local hosts file, pinning legitimate hostnames to attacker-controlled addresses so that the victim's traffic is redirected to malicious web pages that can steal their credentials. Because the hosts file is consulted before any DNS query is sent, this redirection leaves no trace in DNS logs; the file itself, or what the endpoint actually resolves, has to be checked.

The latest version of the trojan adds exfiltration capabilities that let it send the victim's files or task lists to the command and control server. The new rules focus on identifying this exfiltration activity.
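The following is an added example, not code from the original post or from AlienVault, showing the kind of host-based check that complements a network correlation rule for hosts-file hijacking: it parses a hosts file (handling comments, tabs and several names per line) and flags any public-looking hostname that is pinned to something other than a loopback or blackhole address. The sample file contents, domain names and the TEST-NET address are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file for this example (not from a real infection).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    fileserver.lan
# The entries below are the kind a hosts-file hijacker leaves behind
203.0.113.45    login.example.com www.login.example.com   # attacker-controlled host
203.0.113.45\tmail.example.net
0.0.0.0         ads.example.org
"""

# Suffixes treated as internal names; a private IP for these is normal, not a hijack.
LOCAL_SUFFIXES = (".lan", ".local", ".internal", ".localdomain", ".home")


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every usable entry.

    Strips inline '#' comments, tolerates tabs and multiple spaces, and skips
    lines the OS resolver would also ignore (blank, malformed address).
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield line_no, ip, parts[1:]


def looks_public(hostname):
    """True for names that look like Internet domains rather than LAN hosts."""
    name = hostname.lower()
    return "." in name and not name.endswith(LOCAL_SUFFIXES)


def find_hijacks(text):
    """Return [(line_no, hostname, ip)] for public-looking names pinned to a
    non-loopback, non-unspecified address.

    127.x / ::1 entries and 0.0.0.0 blackholes (ad blocking) are not redirects,
    so they are left alone; a public name mapped to any other address means the
    resolver will never ask DNS for it, which is exactly what a hijack relies on.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if name.lower() == "localhost" or not looks_public(name):
                continue
            findings.append((line_no, name, str(ip)))
    return findings


def check_file(path):
    """Run the check against a real hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for line_no, name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} pinned to {ip}")
```

Run it against the live file with `check_file("/etc/hosts")` or `check_file(r"C:\Windows\System32\drivers\etc\hosts")`; on a clean system the result should be empty, and any finding names the exact host the malware wants the victim to land on.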

We've added the following correlation rules to detect Bicololo activity:

  • System Compromise, Trojan infection, Bicololo

Related content in Open Threat Exchange: https://otx.alienvault.com/indicator/file/e83cee14cb76f55064944b0fc0ea8046febab19ac1292ab0320081c774e51f6b

New Detection Techniques - TP-LINK RCE (CVE-2018-11481)

TP-LINK routers are vulnerable to CVE-2018-11481, which allows an attacker to execute commands remotely. The flaw is in input handling: the affected password field accepts the characters `'`, `"`, `}` and `{` unfiltered, so an attacker can embed commands in the password value and have the device execute them. Correlation rules have been added to detect this behaviour.
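As an added example (not code from the original post or from AlienVault), the check below implements the detection logic the rule describes over form-encoded login bodies: it isolates password-like fields, decodes them, and reports which of the four characters the advisory names are present. It also undoes repeated percent-encoding, since a single-pass decoder is the usual way such a filter gets bypassed. The field names and sample request bodies are constructed for the example; none of them is captured exploit traffic.

```python
from urllib.parse import parse_qs, unquote

# Characters the advisory text says the vulnerable password field accepts unfiltered.
INJECTION_CHARS = frozenset("'\"{}")

# Constructed sample login POST bodies for this example; not captured exploit traffic.
SAMPLE_POSTS = [
    ("benign",   "username=admin&password=Correct-Horse-Battery-9"),
    ("metachar", "username=admin&password=x%27%3B%7Breboot%7D"),   # decodes to x';{reboot}
    ("quote",    "username=admin&password=%22abc"),
    ("double",   "username=admin&password=%2527%257B"),            # still %27%7B after one decode
    ("username", "username=x%27&password=plain"),                   # quote outside the password field
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding, stopping when a round changes nothing.

    parse_qs decodes once; an attacker who double-encodes %27 as %2527 would
    otherwise slip past a check that looks only at the first decoding.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def password_values(body, names=("password", "pwd", "passwd")):
    """Yield the fully decoded value of every password-like field in a form body."""
    params = parse_qs(body, keep_blank_values=True)
    for field in names:
        for value in params.get(field, []):
            yield fully_decode(value)


def suspicious_chars(body):
    """Return the injection characters found in password-like fields as a sorted
    string; an empty string means the body is clean under this check."""
    hits = set()
    for value in password_values(body):
        hits |= INJECTION_CHARS.intersection(value)
    return "".join(sorted(hits))


def scan(posts):
    """Label each sample body with the injection characters it carries."""
    return {label: suspicious_chars(body) for label, body in posts}


if __name__ == "__main__":
    for label, chars in scan(SAMPLE_POSTS).items():
        print(f"{label:9s} {'ALERT ' + chars if chars else 'ok'}")
```

The check is deliberately scoped to the password field rather than the whole body: a quote in the username is a different signal, and on a general web application a strong legitimate password may well contain `{` or `"`. The rule earns its low false-positive rate from context, namely the affected router's login endpoint, so keep it tied to that traffic rather than applying it to every login form.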

We've added the following correlation rules to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, TP-LINK RCE (CVE-2018-11481)

Related content in Open Threat Exchange: https://otx.alienvault.com/indicator/cve/CVE-2018-11481

New Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Mobile trojan infection, Android.SmsPay
  • System Compromise, Mobile trojan infection, Android.SmsPay.H
  • System Compromise, Mobile trojan infection, Android.Stubloan
  • System Compromise, Mobile trojan infection, Android/Generic.Z.8BC5CF!tr
  • System Compromise, Mobile trojan infection, Android/TrojanDropper.Agent.BL
  • System Compromise, Trojan infection, MSIL/Racoon3000
  • System Compromise, Trojan infection, Win32/Agent.ZSZ
  • System Compromise, Trojan infection, Win32/RovnixLoader CnC Checkin
  • System Compromise, Trojan infection, Win32/TechSupportScam

New Detection Techniques - Exploits

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache CouchDB Remote Code Execution
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, AsusWRT RT-AC750GF Cross-Site Request Forgery
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Ecessa WANWorx WVR-30 Cross-Site Request Forgery
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, HP Enterprise VAN SDN Controller
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Intex Router N-150 Cross-Site Request Forgery
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, TP-LINK RCE (CVE-2018-11481)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, TP-Link Technologies - Command Execution
  • Exploitation & Installation, WebServer Attack, phpLDAPadmin LDAP Injection

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, C&C Communication, Android/SMSreg.ZI Info Exfil
  • System Compromise, C&C Communication, Android/TrojanSMS.Agent
  • System Compromise, C&C Communication, MSIL/Predator Stealer
  • System Compromise, C&C Communication, Win32/Injector.DXZc

Updated Detection Techniques - Wordpress Exploits

The popular blogging platform WordPress, with its multitude of plugins, continues to show up in the updated exploit detections. Four additional exploit detections were added this week:

  • CVE-2018-10969 allows logged-in users of the Pie Register plugin to perform a SQL injection via the invitation codes grid. This SQL injection could potentially lead to remote code execution.
  • CVE-2018-12636 allows logged-in users of the iThemes Security plugin with Admin privileges to perform a SQL injection via the logs page. This SQL injection could potentially lead to remote code execution.
  • A vulnerability in the Contact Form Maker plugin lets WordPress users with access to the plugin escalate privileges or read and write the database contents (www.exploit-db.com/exploits/44854/).
  • A vulnerability in WordPress itself allowed a crafted request to delete arbitrary files on the server (www.exploit-db.com/exploits/44949/).

We've updated the following correlation rules to detect this activity:

  • Delivery & Attack, WebServer Attack - CMS, Wordpress

Updated Detection Techniques - Mobile Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Mobile trojan infection, SmsSpy
  • System Compromise, Mobile trojan infection, Asacub.a Banker

Updated Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, W32/Kutaki
  • System Compromise, Trojan infection, MalDoc

Updated Correlation Rules

We've updated the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Joomla
  • Delivery & Attack, WebServer Attack - CMS, Mambo
