
AlienVault Labs Threat Intelligence Update for USM Anywhere: June 4 - June 10, 2017


AlienVault Employee

New Detection Technique - PLATINUM

PLATINUM is an APT actor, originally discovered in April 2016, that has been known to target South and Southeast Asian companies in various industries. Since then, an updated tool linked to the group has been discovered that uses the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication. Until this incident, no malware had been discovered misusing the AMT SOL feature for communication.

We've updated the 'Malware Infection – Trojan' correlation rule to detect PLATINUM activity.

Related content in the Open Threat Exchange: https://otx.alienvault.com/pulse/571fd2f1c1492d015c14c449/

New Detection Technique - APT19

APT19 is a group composed of freelancers, with some degree of Chinese government sponsorship, that has been observed running a phishing campaign targeting at least seven global investment and law firms. They have used various techniques to attempt to compromise targets, such as malicious RTFs and macro-enabled Excel documents.

We've updated the 'Malware Infection – APT' correlation rule to detect APT19 activity.

Related content in the Open Threat Exchange: https://otx.alienvault.com/pulse/5937358f2ea86b08b86e5063/

New Detection Technique - Fireball

Fireball is browser-targeting malware with two primary functions: running code on the victim's computer and manipulating the user's web browsers to generate ad revenue. Currently Fireball installs browser plugins and additional configurations in order to increase its advertisements, but it could easily be used to distribute malware. Fireball has infected over 250 million computers worldwide, up to 20% of which are in corporate networks.

We've updated the 'Malware Infection – Remote Access Trojan' correlation rule to detect Fireball activity.

Related content in the Open Threat Exchange: https://otx.alienvault.com/pulse/5930f58caf847d734e2fe5bc/

New Detection Technique - WiMAX Authentication Bypass (CVE-2017-3216)

Due to a vulnerability in commit2.cgi, implemented in libmtk_httpd_plugin.so, various WiMAX devices are vulnerable to an authentication bypass. This vulnerability allows an attacker to set arbitrary configuration values without prior authentication.

We've updated the 'Exploit – Authentication Bypass' correlation rule to detect WiMAX Authentication Bypass activity.

New Detection Technique - Informix Dynamic Server Vulnerabilities 

Informix Dynamic Server and the Informix Open Admin Tool recently patched a number of vulnerabilities ranging from heap overflows to PHP injections. If left unpatched, these vulnerabilities could result in a remote attacker gaining command execution on the systems.

We've updated the 'Exploit – Web Attack - Code Execution' correlation rule to detect Informix Dynamic Server activity.

New Detection Technique - Hadoop RCE

Due to a "feature" in Hadoop, an unauthenticated attacker has the ability to pass arbitrary input to MapReduce in the form of the command to be executed.

We've updated the 'Exploit – Code Execution' correlation rule to detect Hadoop Command Execution activity.

New Detection Technique - icmpsh

icmpsh is a tool that enables an attacker to exfiltrate data covertly utilizing the ICMP protocol. 

We've updated the 'Suspicious Activity – Shell banner' correlation rule to detect icmpsh activity.

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've updated the 'Malware Infection – Ransomware' correlation rule to detect new Ransomware activity, including Executioner and Hidden-Tear.

New Detection Techniques

We've updated the 'Malware Infection – Trojan' and 'Malware Infection – Remote Access Trojan' correlation rules to detect additional recent malicious activity.

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've updated the ‘Exploit Kit – EK Payload Delivered’ correlation rule to better detect this activity.

Updated Detection Technique - Malware SSL Certificates

We've updated the ‘Malware Infection - Malicious SSL Certificate’ correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families.

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine. We've updated the ‘Malware Infection - Remote Access Trojan’ correlation rule to detect the exploit activity from these tools.

Updated Correlation Rules

Additional correlation rules were updated as a result of recent malicious activity.

