Community Review - February 23, 2024

Greetings all, we’re back with another community update! The Emerging Threats Open ruleset is researched, written, tested, and released by the ET team based on public disclosures, writeups, and kind tags and shares by our community. Let’s look at a few!

Let’s start with this from @rivitna2: SID 2050809 alerts on #Synapse #Ransomware infection check-in - the content in the body of the outbound HTTP POST from the tweet made it happen!

A hash identified by @malwrhunterteam allowed us to analyze the detonation and write a TLS SNI signature on the session connection observed - that’s SID 2050805:

Friend @viriback shared to our community #discord (DM for an invite!) a Hatching sandbox run of #MalwareAsAService #BunnyLoader 3.0 traffic - analysis turned up so much activity to sig, including the check-in (2050885), response (2050886), client heartbeat out (2050887), heartbeat response (2050888), client tasking check-in (2050889), response from the controller (2050890), and other traffic allowing for comprehensive coverage!

Here’s @suyogi41 sharing #ElusiveStealer and another case of using #telegram for C2 - SID 2051071 alerts on that outbound traffic, keying on an identified content byte pattern:

It’s an #exploit world out there with seemingly a new CVE or disclosure every day. Here at ET we do our best to provide coverage for your information assets - this comes from analyzing writeups, PoCs, and doing our own internal testing and honeypot analysis in order to best deliver for our customers and the community.

We released multiple signatures covering different scenarios for #CVE_2024_1708 & #CVE_2024_1709 in #ConnectWise #ScreenConnect. Simply by adding a / to the end of the SetupWizard URI, the wizard can be invoked even if setup has already been completed, allowing creation of a new admin account. SID 2050988 covers those attempts and 2050989 a successful exploitation. SID 2050990 identifies vulnerable versions of ScreenConnect within your monitored environment, and 2050991-2050992 cover an attempt and a success of a user creation action via SetupWizard through this auth bypass.
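To make the trailing-slash point concrete, here is an added example (written for this post, not ScreenConnect's code nor the text of the ET rules): a simplified model of how an exact-match "setup already completed" gate can be sidestepped when the handler mapping is more lenient than the gate, followed by the kind of URI check a rule like SID 2050988 encodes. The gate/handler model is an illustrative assumption about the class of bug, and the request lines are constructed samples.

```python
"""Added example: trailing-slash bypass model and detection logic.

Assumptions (not from the original post or from ConnectWise):
  - the gate compares the request path exactly against /SetupWizard.aspx
  - the framework maps /Page.aspx/<anything> to Page.aspx (extra path info)
Request lines below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, unquote


# --- Simplified model of the bypass -------------------------------------

def naive_setup_gate(path: str, setup_completed: bool) -> bool:
    """Return True if the request is allowed through.

    Models a check that blocks the wizard only when the path is *exactly*
    /SetupWizard.aspx, so any extra path component slips past it.
    """
    if setup_completed and path == "/SetupWizard.aspx":
        return False
    return True


def resolve_handler(path: str) -> str:
    """Model a framework that routes /X.aspx/anything to the X.aspx page,
    treating the remainder as extra path info (assumed behaviour)."""
    m = re.match(r"(?i)^(.*?\.aspx)(/.*)?$", path)
    return m.group(1) if m else path


def wizard_reachable(path: str, setup_completed: bool) -> bool:
    """The wizard is reached when the gate allows the request *and* the
    handler still resolves to SetupWizard.aspx."""
    return (naive_setup_gate(path, setup_completed)
            and resolve_handler(path).lower() == "/setupwizard.aspx")


# --- Detection: SetupWizard.aspx followed by an extra path component -----

SETUPWIZARD_BYPASS = re.compile(r"(?i)/SetupWizard\.aspx/")


def parse_request_line(line: str) -> tuple:
    """Split 'METHOD target HTTP/x.y' into (method, target)."""
    method, target, _version = line.split(" ", 2)
    return method, target


def normalized_path(target: str) -> str:
    """Decode percent-encoding and collapse repeated slashes so evasions
    such as /SetupWizard%2Easpx/ or /SetupWizard.aspx//x still match."""
    path = unquote(urlsplit(target).path)
    return re.sub(r"/{2,}", "/", path)


def is_bypass_attempt(request_line: str) -> bool:
    """True when the normalized path hits SetupWizard.aspx via a trailing
    slash or extra segment; a plain /SetupWizard.aspx is not flagged."""
    _method, target = parse_request_line(request_line)
    return bool(SETUPWIZARD_BYPASS.search(normalized_path(target)))


def scan(request_lines) -> list:
    """Return the request lines that look like bypass attempts."""
    return [line for line in request_lines if is_bypass_attempt(line)]


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    "GET /SetupWizard.aspx HTTP/1.1",          # normal wizard request
    "GET /SetupWizard.aspx/ HTTP/1.1",         # trailing slash
    "POST /setupwizard.aspx//foo HTTP/1.1",    # case + double slash
    "GET /SetupWizard%2Easpx/ HTTP/1.1",       # percent-encoded dot
    "GET /Login HTTP/1.1",                     # unrelated
]

if __name__ == "__main__":
    print("gate model, setup completed:")
    for p in ("/SetupWizard.aspx", "/SetupWizard.aspx/"):
        print(f"  {p!r:28} reachable={wizard_reachable(p, True)}")
    print("flagged requests:")
    for line in scan(SAMPLE_REQUESTS):
        print("  " + line)
```

The gate model shows the class of bug (a gate that reasons about the literal path while the handler mapping tolerates extra path info); the detector flags only the trailing-slash form, so normal first-time setup traffic to /SetupWizard.aspx does not alert, which is the same distinction the attempt/success pairing in the SIDs above relies on.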

Over at our skilled #Discourse community we answer questions, provide some rule writing tips, maintain a FAQ, and intake rule suggestions from all our contributors. Here, @Jane0sint provides a submission on #MeduzaStealer - check out their process for what became SIDs 2050806 and 2050807!

User @kevross33 provides two #TinyTurlaNG #APT signatures - an outbound beacon (SID 2050902) and a client task request (SID 2050903):

More than a few SIDs from industry contributors lately as well! The shared research within these blogs and media releases allows us to carefully analyze and identify the precious intel (in the form of HTTP content patterns) within, so we can write performant sigs for etopen. Here, @bitdefender’s blog on #MacOS #RustDoor gave life to two alerts for outbound activity (2050799-2050800)!

This @rapid7 blog inspired SID 2050811, which detects attempts to exploit a command injection vulnerability in some QNAP devices in the quick.cgi script using the “upload_firmware_image” function:

More #TinyTurlaNG #APT coverage with beacon traffic (2050902) and task request to controller (2050903) as well as multiple IOC-based signatures around involved domains (DNS SIDs 2050904-2050909) and associated TLS SNI connections (2050910-2050915) from @talossecurity’s release here:

And a last shout-out to our amazing @threatinsight team releasing their #Bumblebee blog - check out the referenced ET signature coverage!

That’s all for us - have a great weekend all!