Daily Ruleset Update Summary 2022/10/17

Summary:

9 new OPEN, 14 new PRO (9 + 5) Lumma Stealer, FortiOS Auth Bypass, Hawkeye Keylogger

Thanks @MalGamy12 @DLL_Cool_J

Please share issues, feedback, and requests at Feedback

Added rules:

Open:

2039419 - ET WEB_SERVER Successful FortiOS Auth Bypass Attempt - SSH Key Upload (CVE-2022-40684) (web_server.rules)
2039420 - ET WEB_SERVER Successful FortiOS Auth Bypass Attempt - Admin Details Leaked (CVE-2022-40684) (web_server.rules)
2039421 - ET MALWARE Observed DNS Query to Cryptojacking Domain (a-dog .top) (malware.rules)
2039422 - ET USER_AGENTS Suspicious User-Agent (RT/1.0) (user_agents.rules)
2039423 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt (malware.rules)
2039424 - ET MALWARE Win32/Lumma Stealer CnC Domain (evetesttech .net) in DNS Lookup (malware.rules)
2039425 - ET MALWARE Win32/Lumma Stealer CnC Domain (765mm .xyz) in DNS Lookup (malware.rules)
2039426 - ET MALWARE Win32/Lumma Stealer CnC Domain (safe-car .ru) in DNS Lookup (malware.rules)
2039427 - ET MALWARE SocGholish Domain in DNS Lookup (festival .robingaster .com) (malware.rules)

Pro:

2852595 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-10-14 1) (coinminer.rules)
2852596 - ETPRO PHISHING Successful Wells Fargo Phish 2022-10-17 (phishing.rules)
2852597 - ETPRO MALWARE MSIL/Hawkeye Keylogger Activity (malware.rules)

Modified active rules:

2039173 - ET WEB_SERVER [Cluster25] FortiOS Auth Bypass Attempt (CVE-2022-40684) (web_server.rules)