
AlienVault Labs Threat Intelligence Update for USM Appliance: July 1 - July 7, 2018

jkisielius

AlienVault Employee

New Detection Techniques - Nagios XI Vulnerabilities

A malicious script recently published in Exploit DB makes use of several Nagios XI software vulnerabilities, chaining them into remote code execution. The set of vulnerabilities includes:

  1. CVE-2018-8733: authentication bypass vulnerability in the core config manager that allows an attacker to bypass authentication.
  2. CVE-2018-8734: SQL injection vulnerability in the core config manager. It allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
  3. CVE-2018-8735: OS command injection vulnerability that allows an attacker to execute code on the remote machine (RCE).
  4. CVE-2018-8736: privilege escalation vulnerability that provides root permissions after the RCE.

These vulnerabilities apply to Nagios XI 5.2.x through 5.4.x before 5.4.13.

We've added the following correlation rules to detect the exploit activity:

  • Exploitation & Installation, WebServer Attack - SQL Injection, Nagios XI SQL Injection
  • Exploitation & Installation, WebServer Attack, Nagios XI Adding Administrative User
  • Exploitation & Installation, WebServer Attack, Nagios XI Remote Code Execution
  • Exploitation & Installation, WebServer Attack, Nagios XI Set DB User Root

Related content in Open Threat Exchange: https://otx.alienvault.com/indicator/cve/CVE-2018-8735

New Detection Techniques - Cisco ASA Path Traversal

This vulnerability, identified as CVE-2018-0296, affects the Cisco ASA software and Cisco Firepower Threat Defense (FTD) software installed on several Cisco devices. By means of path traversal, it allows an attacker to read sensitive information stored in directories on the device that they should not be able to access.

The exploit script is publicly available on GitHub. Its author states that it retrieves the contents of the current directory, files in the web portal directory, and active sessions into a text file. They also warn about a possible denial of service condition after the attack.

We've added the following correlation rule to detect Cisco ASA Path Traversal activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Cisco Adaptive Security Appliance - Path Traversal

Related content in Open Threat Exchange: https://otx.alienvault.com/indicator/cve/CVE-2018-0296
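The two sections above describe web-facing exploit activity (SQL injection through the Nagios XI selInfoKey1 parameter, and path traversal against Cisco ASA). The following is an added example, not code from the original post or from AlienVault's correlation rules, showing the kind of request-level logic a defender can run over web access logs to surface both behaviours. The log format is Apache/nginx combined format, the log lines are constructed, the Nagios request path and the SQL marker list are assumptions, and the path traversal check is generic (it does not encode any product-specific URL).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# The /nagiosxi/ccm/ path is an assumption used only to make the sample readable.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jul/2018:10:01:12 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Jul/2018:10:02:40 +0000] "GET /nagiosxi/ccm/index.php?cmd=view&selInfoKey1=host_name HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Jul/2018:10:02:41 +0000] "GET /nagiosxi/ccm/index.php?cmd=view&selInfoKey1=1%27%20OR%201%3D1-- HTTP/1.1" 200 4096 "-" "python-requests/2.19"
198.51.100.7 - - [03/Jul/2018:10:05:03 +0000] "GET /files/../../etc/passwd HTTP/1.1" 200 900 "-" "curl/7.58"
198.51.100.7 - - [03/Jul/2018:10:05:04 +0000] "GET /images/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 300 "-" "curl/7.58"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# SQL metacharacters and keywords that should never appear in a legitimate
# selInfoKey1 value (assumption: legitimate values are simple column names).
SQLI_MARKERS = re.compile(
    r"('|--|;|/\*|\b(union|select|insert|update|delete|drop)\b)", re.IGNORECASE
)

# Dot-dot-slash in either direction, matched after percent-decoding.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")


def full_decode(value, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_nagios_sqli(target):
    """True if the selInfoKey1 query parameter carries SQL injection markers."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(SQLI_MARKERS.search(full_decode(v)) for v in query.get("selInfoKey1", []))


def check_path_traversal(target):
    """True if the (decoded) request path contains a directory-traversal sequence."""
    return bool(TRAVERSAL.search(full_decode(urlsplit(target).path)))


RULES = [
    ("Nagios XI SQL Injection (selInfoKey1)", check_nagios_sqli),
    ("Path Traversal in request path", check_path_traversal),
]


def scan_log(text):
    """Run every rule over each parsable log line; return one hit per matching rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        for name, check in RULES:
            if check(m["target"]):
                hits.append({"line": lineno, "ip": m["ip"], "rule": name, "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['rule']} from {hit['ip']} -> {hit['target']}")
```

The decode loop matters: a traversal sent as `%252e%252e%252f` passes a single-decode check, so the detector decodes twice before matching. In production the same rules would run on the web server's own logs or on the IDS event stream feeding USM, and a hit on either rule is what the correlation rules listed above are built to escalate.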

New Detection Techniques - Nozelesn

Nozelesn is the name of a new ransomware recently detected and reported by MalwareHunterTeam, after they noticed multiple ransomware submissions from Poland. Apparently, it's being delivered through a spam campaign.

This ransomware appends the ".nozelesn" extension to all encrypted files and provides instructions on how to log in to the "Nozelesn decryption cabinet," a hidden payment server at an onion address. The current ransom is set at 0.10 bitcoins, although we still don't know the total amount collected by the attackers.

We've added the following correlation rule to detect Nozelesn activity:

  • System Compromise, Ransomware infection, Nozelesn Ransomware

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5b45c4a2ac187c574b86e77d
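The observable the section above gives for Nozelesn is the ".nozelesn" extension applied to encrypted files. As an added example (not part of the original post or of AlienVault's rule set), the following host-side logic reads a stream of file-system events and raises an alert when many files receive that extension within a short window, which separates an encryption run from a single stray rename. The event line format and the sample events are constructed for this example, and the threshold and window size are assumptions to tune per environment.

```python
from collections import deque
from datetime import datetime, timedelta

# Extension the page reports Nozelesn applying to encrypted files.
RANSOM_EXT = ".nozelesn"

# Constructed file-system event lines: "<ISO timestamp> <ACTION> <path>[ -> <new path>]".
# Paths are assumed not to contain spaces.
SAMPLE_EVENTS = """\
2018-07-05T09:11:58 CREATE /home/alice/docs/notes.txt
2018-07-05T09:12:01 RENAME /home/alice/docs/report.docx -> /home/alice/docs/report.docx.nozelesn
2018-07-05T09:12:01 RENAME /home/alice/docs/budget.xlsx -> /home/alice/docs/budget.xlsx.nozelesn
2018-07-05T09:12:02 RENAME /home/alice/pics/holiday.jpg -> /home/alice/pics/holiday.jpg.nozelesn
2018-07-05T09:12:02 RENAME /home/alice/pics/cat.png -> /home/alice/pics/cat.png.nozelesn
2018-07-05T09:12:03 RENAME /home/alice/docs/thesis.pdf -> /home/alice/docs/thesis.pdf.nozelesn
2018-07-05T09:30:00 RENAME /home/alice/tmp/sample.bin -> /home/alice/tmp/sample.bin.nozelesn
"""


def parse_event(line):
    """Split one event line into (timestamp, action, source path, destination path or None)."""
    ts_text, action, rest = line.split(" ", 2)
    ts = datetime.fromisoformat(ts_text)
    if action == "RENAME" and " -> " in rest:
        src, dst = rest.split(" -> ", 1)
    else:
        src, dst = rest, None
    return ts, action, src, dst


def detect_nozelesn(text, threshold=5, window_seconds=10):
    """Count renames to the ransomware extension and flag bursts of them.

    A burst is `threshold` or more such renames inside a sliding window of
    `window_seconds`; one alert is emitted per burst, and the alert state resets
    once activity drops below the threshold again.
    """
    renames = []
    bursts = []
    window = deque()          # timestamps of recent .nozelesn renames
    alerted = False
    for line in text.splitlines():
        ts, action, _src, dst = parse_event(line)
        if action != "RENAME" or dst is None or not dst.lower().endswith(RANSOM_EXT):
            continue
        renames.append((ts, dst))
        window.append(ts)
        # Drop timestamps that have fallen out of the window.
        while window and (ts - window[0]) > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold and not alerted:
            bursts.append({"start": window[0], "end": ts, "count": len(window)})
            alerted = True
        elif len(window) < threshold:
            alerted = False
    return {"renames": len(renames), "bursts": bursts}


if __name__ == "__main__":
    result = detect_nozelesn(SAMPLE_EVENTS)
    print(f"{result['renames']} files renamed to {RANSOM_EXT}")
    for b in result["bursts"]:
        print(f"burst: {b['count']} renames between {b['start']} and {b['end']}")
```

Every rename to the extension is worth recording on its own, since the page gives it as the defining artifact, but the burst alert is what warrants an immediate isolation decision: in the sample, five renames inside three seconds trigger it while the lone rename twenty minutes later does not.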

New Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Trojan.Agent.DAQC
  • System Compromise, Trojan infection, Win/Meta Implant
  • System Compromise, Trojan infection, Win32/Vigorf.A

New Detection Techniques - Exploits

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, ADB Broadband Authorization Bypass
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, CloudMe Sync Buffer Overflow
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, CMS Made Simple Remote Code Execution
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, DAMICMS Cross-Site Request Forgery
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Dolibarr ERP CRM PHP Code Injection
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, DynoRoot DHCP - Client Command Injection
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, FTPShell client Stack Buffer Overflow
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Geutebruck RCE
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, ManageEngine Exchange Reporter Plus Remote Code Execution
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, ntop-ng Authentication Bypass
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Online Trade - Information Disclosure
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, ShopNx - Arbitrary File Upload
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, SoftExpert Excellence Suite 2.0 SQL Injection
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, TP-Link TL-WR840N/TL-WR841N - Authentication Bypass
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, VMware NSX SD-WAN Command Injection

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Backdoor, Backdoor.AndroidOS.GinMaster.b
  • System Compromise, C&C Communication, Kardon Loader
  • System Compromise, Malicious Download, Brazilian Downloader
  • System Compromise, Mobile trojan infection, Android.Riskware.Drolock.AH
  • System Compromise, Ransomware infection, Paradise Ransomware

Updated Detection Techniques - Mobile Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Mobile trojan infection, Android.SmsPay
  • System Compromise, Mobile trojan infection, Android/TrojanDropper.Shedun.V
  • System Compromise, Mobile trojan infection, Asacub.a Banker

Updated Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Spyware infection, Mirage
  • System Compromise, Trojan infection, CobaltStrike
  • System Compromise, Trojan infection, Keitaro TDS
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, MSIL/Supreme Miner
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Win32/RovnixLoader

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Chthonic SSL activity
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, C&C Communication, Zeus Panda SSL Certificate

Updated Correlation Rules

We've updated the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Wordpress
  • Environmental Awareness, Suspicious Behaviour, Temporary Account Created
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, D-LINK Router DSL-2750B RCE
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware RAT, Babylon RAT
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Ransomware infection, GandCrab