
AlienVault Labs Threat Intelligence Update for USM Anywhere: July 8 - July 14, 2018

jkisielius (AlienVault Employee)

New Detection Techniques - Drupalgeddon2 Remote Code Execution

A vulnerability affecting the Drupal content management system was disclosed in late March as CVE-2018-7600, known as Drupalgeddon2. Attackers send a POST HTTP request that leverages the post_render function in the mail[] array to execute commands at the operating system level. We are adding further coverage in response to continuing attacks.

We've updated the following correlation rules to detect this activity:

  • Delivery & Attack, Vulnerable Software Exploitation, Code Execution

Related content in Open Threat Exchange: https://otx.alienvault.com/indicator/cve/CVE-2018-7600
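The request shape described above (a `#post_render` callback smuggled into the `mail[]` array) can be spotted on the defender's side by parsing request parameters and flagging any key that carries a `#`-prefixed render-array property. The following Python is an added example written for this post, not AlienVault's correlation rule or Drupal project code; it generalises from `post_render` to the other callback properties of Drupal's render API (an assumption drawn from the render API, not from this post), and the sample requests and the `PLACEHOLDER_*` values are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Render-array properties Drupal invokes as callbacks. The post names
# post_render; the other entries are assumed here from Drupal's render API.
CALLBACK_PROPERTIES = {"post_render", "pre_render", "lazy_builder", "access_callback"}

# Matches a '#property' segment inside a PHP-style array key, e.g. mail[#post_render][]
RENDER_KEY_RE = re.compile(r"\[#([A-Za-z_]+)\]")


def render_properties(pairs):
    """Return the set of '#'-prefixed property names embedded in parameter keys."""
    found = set()
    for key, _value in pairs:
        found.update(m.group(1) for m in RENDER_KEY_RE.finditer(key))
    return found


def classify_request(method, target, body=""):
    """Classify one HTTP request as 'callback', 'render_key' or 'clean'.

    'callback'   : a '#' property that Drupal would invoke as a callback was
                   supplied by the client (the Drupalgeddon2 shape).
    'render_key' : some other '#' property was supplied by the client; still
                   worth logging, since no legitimate form submits these.
    'clean'      : no render-array keys in the query string or body.
    Returns (verdict, sorted list of property names found).
    """
    url = urlsplit(target)
    # parse_qsl percent-decodes keys, so %23post_render becomes #post_render
    pairs = parse_qsl(url.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        pairs += parse_qsl(body, keep_blank_values=True)
    props = render_properties(pairs)
    if props & CALLBACK_PROPERTIES:
        return "callback", sorted(props)
    if props:
        return "render_key", sorted(props)
    return "clean", []


# Constructed sample requests (method, request target, body) in the form a
# reverse proxy or WAF with body logging would record them. Values are
# placeholders, not a working payload.
SAMPLE_REQUESTS = [
    ("POST", "/user/register",
     "form_id=user_register_form&mail[%23post_render][]=PLACEHOLDER_CALLBACK"),
    ("POST", "/user/register",
     "form_id=user_register_form&mail=alice%40example.com&name=alice"),
    ("GET", "/node/1?mail[%23type]=markup", ""),
    ("GET", "/node/1", ""),
]


def scan(requests):
    """Run classify_request over a list of (method, target, body) tuples."""
    return [classify_request(*req) for req in requests]


if __name__ == "__main__":
    for req, (verdict, props) in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{verdict:10} {req[0]} {req[1]} {props}")
```

Because the indicator lives in the POST body, plain access logs (which record only the request line) are not enough; the check needs a proxy, WAF or application log that keeps the decoded parameters.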

New Detection Techniques - AscentorLoader

A phishing email campaign running in late June and early July redirected infected users to a new version of the GrandSoft Exploit Kit (EK), usually hosted on potentially compromised Russian websites. Once downloaded, the EK leveraged CVE-2016-0189 to infect the system. That vulnerability affects Microsoft JScript 5.8 and VBScript 5.7 and 5.8, and could allow remote attackers to execute arbitrary code or cause a denial of service.

The ultimate goal of the malware was to infect the system with GandCrab ransomware.

We have updated the following correlation rule to detect this activity:

  • System Compromise, Malware Infection, Trojan

New Detection Techniques - Xdebug OS Command Execution

Xdebug, the PHP extension for debugging code, had a vulnerability disclosed in late 2017 affecting versions 2.5.5 and below. However, it wasn't until May 2018 that the first PoC appeared and a Metasploit module was created. The vulnerability uses the eval command present in Xdebug to execute arbitrary PHP code in the context of the web user.

The vulnerability was patched in version 2.6, which was released in early December 2017.

We've updated the following correlation rules to detect this activity:

  • Delivery & Attack, Vulnerable Software Exploitation, Code Execution
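The `eval` command the post refers to is part of Xdebug's DBGp debugging protocol, in which the debugger side sends NUL-terminated commands whose payload follows ` -- ` as base64. A defender who captures that traffic can parse it and surface every `eval` with its decoded payload for review. The Python below is an added example for this post, not AlienVault's rule logic or Xdebug code; the DBGp framing it assumes (NUL terminator, `-i` transaction id, base64 after ` -- `) is taken from the DBGp specification rather than from this post, and the captured stream and its `PLACEHOLDER` payload are constructed.

```python
import base64
import shlex

# DBGp commands that make the debugging engine execute supplied PHP code.
# The post names eval; nothing else is assumed here.
EXEC_COMMANDS = {"eval"}


def parse_dbgp_commands(stream: bytes):
    """Split a DBGp command stream into (command, args, data) tuples.

    Each command is NUL-terminated; text after ' -- ' is the base64 data
    argument (assumption: DBGp spec framing). data is None when absent.
    """
    commands = []
    for raw in stream.split(b"\x00"):
        if not raw:
            continue
        text = raw.decode("ascii", errors="replace")
        head, sep, data = text.partition(" -- ")
        parts = shlex.split(head)
        commands.append((parts[0], parts[1:], data if sep else None))
    return commands


def transaction_id(args):
    """Return the value of the -i option from a DBGp argument list, or None."""
    opts = dict(zip(args[::2], args[1::2]))
    return opts.get("-i")


def flag_code_execution(stream: bytes):
    """Return a finding per command that would execute code on the engine.

    Each finding carries the command name, its transaction id and the
    decoded payload so an analyst can see what was pushed to the web user.
    """
    findings = []
    for name, args, data in parse_dbgp_commands(stream):
        if name in EXEC_COMMANDS and data:
            payload = base64.b64decode(data).decode("utf-8", errors="replace")
            findings.append({
                "command": name,
                "transaction": transaction_id(args),
                "payload": payload,
            })
    return findings


# Constructed DBGp stream as the debugger side would send it to the engine.
# The eval payload is a harmless placeholder, not an exploit.
SAMPLE_STREAM = (
    b"feature_set -i 1 -n max_depth -v 4\x00"
    b"eval -i 2 -- " + base64.b64encode(b"echo 'PLACEHOLDER';") + b"\x00"
    b"run -i 3\x00"
)


if __name__ == "__main__":
    for finding in flag_code_execution(SAMPLE_STREAM):
        print(f"{finding['command']} txn={finding['transaction']}: {finding['payload']!r}")
```

The parser keys on the command name rather than on any particular payload, so obfuscated PHP inside the base64 is still caught; the decoded text is there for triage only. As the post says, the fix is Xdebug 2.6 or later, and remote debugging should not be reachable on production hosts in the first place.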

New Detection Techniques - Microposia Variant

Over the last few weeks, a phishing campaign targeted institutions across the Middle East, pretending to be from the Palestinian Political and National Guidance Commission. The phishing email sent to the targets included a self-extracting archive containing two files: a Word document and a malicious executable for the Microposia malware variant. The trojan is notable for replacing module names with the names of characters or actors from the sitcom "The Big Bang Theory", such as Penny, Wolowitz_Helberg, or Parsons_Sheldon.

We've updated the following correlation rules to detect this activity:

  • System Compromise, Malware Infection, Trojan

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5b432e723c965c3ea81b90f0

New Detection Techniques - Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Malware Infection, Trojan

New Detection Techniques - Exploits

We've updated the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Vulnerable Software Exploitation, Code Execution
  • Delivery & Attack, Vulnerable Software Exploitation, Credentials Access
  • Delivery & Attack, Vulnerable Software Exploitation, Default Password

New Detection Techniques

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Malware Infection, Trojan

Updated Detection Techniques - Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Malware Infection, Trojan
  • System Compromise, Malware Infection, Malicious SSL Certificate

Updated Detection Technique – Malware SSL Certificates

We've updated the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:

  • System Compromise, Malware Infection, Malicious SSL Certificate

Updated Correlation Rules

We've updated the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Vulnerable Software Exploitation, Code Execution
  • Delivery & Attack, Malware Infection, Phishing
  • System Compromise, Malware Infection, Malicious Stratum Authline
