Ruleset Update Summary - 2023/06/15 - v10349

Summary:

18 new OPEN, 19 new PRO (18 + 1)

Thanks @Mandiant


Added rules:

Open:

  • 2046273 - ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M1 (malware.rules)
  • 2046274 - ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M2 (malware.rules)
  • 2046275 - ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M3 (malware.rules)
  • 2046276 - ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M4 (malware.rules)
  • 2046277 - ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M5 (malware.rules)
  • 2046278 - ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M6 (malware.rules)
  • 2046279 - ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M7 (malware.rules)
  • 2046280 - ET EXPLOIT Possible Barracuda Email Security Gateway Remote Code Execution Attempt (CVE-2023-2868) (exploit.rules)
  • 2046281 - ET MALWARE UNC4841 Related Domain in DNS Lookup (togetheroffway .com) (malware.rules)
  • 2046282 - ET MALWARE UNC4841 Related Domain in DNS Lookup (goldenunder .com) (malware.rules)
  • 2046283 - ET MALWARE UNC4841 Related Domain in DNS Lookup (fessionalwork .com) (malware.rules)
  • 2046284 - ET MALWARE UNC4841 Related Domain in DNS Lookup (singamofing .com) (malware.rules)
  • 2046285 - ET MALWARE UNC4841 Related Domain in DNS Lookup (bestfindthetruth .com) (malware.rules)
  • 2046286 - ET MALWARE UNC4841 Related Domain in DNS Lookup (troublendsef .com) (malware.rules)
  • 2046287 - ET MALWARE UNC4841 Related Domain in DNS Lookup (singnode .com) (malware.rules)
  • 2046288 - ET MALWARE UNC4841 Related Domain in DNS Lookup (gesturefavour .com) (malware.rules)
  • 2046289 - ET MALWARE SocGholish Domain in DNS Lookup (subscription .provijuns .com) (malware.rules)
  • 2046290 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (linedgreen .org) (exploit_kit.rules)

Pro:

  • 2854628 - ETPRO PHISHING Successful ScotiaBank Credential Phish 2023-06-15 (phishing.rules)

Hey folks, I thought I’d add a little bit more context for tonight’s rule release:

Rules 2046275 - 2046279 (SEASPY) are only available for Suricata 5+. This is due to detection engine limitations – neither Suricata 4.x nor Snort 2.9 have the tcp.hdr option to perform content matching in the TCP header portion of network traffic.

Please refer to: Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant

It appears that a number of the SEASPY detection rules rely on analyzing specific TCP OPTIONS.

Take a look at the documentation for tcp.hdr for more information: 5.3. IP Keywords — Suricata unknown documentation


I think you might have accidentally left a couple rules that need tcp.hdr in the rules and it’s causing Snort 2.9 to crash.

This problem was due to two rules using the syntax flow:stateless,to_server for the Snort version of two of the SEASPY rules. Snort does not like having flow:stateless combined with other flow options and throws an error. The error isn’t formatted like any of the other errors Snort typically throws regarding rule syntax errors, and our QA systems missed it. Our QA system has been updated to account for this error, and we’ve released an emergency out-of-band update that is available now to fix this problem.

We apologize for any inconvenience this has caused you or any other Netgate customers, and have taken the necessary precautions to prevent it from happening in the future. If there is anything else I can do for you, please let me know.

-Tony

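The two engine-compatibility problems discussed in this thread (rules that need the Suricata 5+ tcp.hdr keyword, and Snort choking on flow:stateless combined with other flow options) are exactly the kind of thing a pre-release QA pass can catch before a ruleset ships. The following linter is an added example written for this thread; it is not the Emerging Threats QA tooling, not any of the SEASPY signatures, and the sample rules it checks are constructed placeholders with made-up sids and payload content. It tokenises each rule's option block (honouring quotes, so "tcp.hdr" inside a msg string is not a false positive) and reports the two conditions the posts describe.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample rules for this example only: the sids, msg strings and
# content values are placeholders, not real ET or Mandiant signatures.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"EXAMPLE uses tcp.hdr"; tcp.hdr; content:"|00 00|"; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE stateless combined"; flow:stateless,to_server; content:"abc"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE stateless alone"; flow:stateless; content:"abc"; sid:9000003; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE ordinary flow"; flow:established,to_server; content:"abc"; sid:9000004; rev:1;)
"""

# Engines named on the page that cannot load a rule with the given problem.
TCP_HDR_UNSUPPORTED = {"snort-2.9", "suricata-4.x"}
FLOW_STATELESS_COMBINED_UNSUPPORTED = {"snort-2.9"}


@dataclass(frozen=True)
class Finding:
    sid: str
    code: str
    engines: frozenset  # engines that would reject the rule
    detail: str


OPTION_BLOCK_RE = re.compile(r"\((.*)\)\s*$")


def split_options(rule: str) -> list:
    """Split a rule's option block into (keyword, value) pairs.

    Semicolons inside double-quoted strings (and backslash-escaped
    characters) are kept with their option instead of ending it.
    """
    m = OPTION_BLOCK_RE.search(rule)
    if not m:
        raise ValueError("rule has no option block: %r" % rule)
    options, buf, in_quote, escaped = [], [], False, False

    def flush() -> None:
        token = "".join(buf).strip()
        if token:
            key, _, val = token.partition(":")
            options.append((key.strip(), val.strip() or None))
        buf.clear()

    for ch in m.group(1):
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            flush()
        else:
            buf.append(ch)
    flush()  # tolerate a missing trailing semicolon
    return options


def lint_rule(rule: str) -> list:
    """Return the engine-compatibility findings for one rule line."""
    options = split_options(rule)
    sid = next((v for k, v in options if k == "sid"), "?")
    findings = []
    for key, val in options:
        if key == "tcp.hdr":
            findings.append(Finding(sid, "TCP_HDR", frozenset(TCP_HDR_UNSUPPORTED),
                                    "tcp.hdr needs Suricata 5+; Suricata 4.x and Snort 2.9 lack it"))
        elif key == "flow" and val is not None:
            parts = [p.strip() for p in val.split(",")]
            if "stateless" in parts and len(parts) > 1:
                findings.append(Finding(sid, "FLOW_STATELESS_COMBINED",
                                        frozenset(FLOW_STATELESS_COMBINED_UNSUPPORTED),
                                        "flow:%s combines stateless with other flow options; Snort rejects this" % val))
    return findings


def lint_ruleset(text: str) -> list:
    """Lint every non-blank, non-comment line of a rules file."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            findings.extend(lint_rule(line))
    return findings


def rules_rejected_by(text: str, engine: str) -> set:
    """Sids that the named engine would fail to load, per the findings."""
    return {f.sid for f in lint_ruleset(text) if engine in f.engines}


if __name__ == "__main__":
    for f in lint_ruleset(SAMPLE_RULES):
        print("sid %s [%s] %s" % (f.sid, f.code, f.detail))
```

Running the script over the constructed sample flags sid 9000001 (tcp.hdr) and sid 9000002 (flow:stateless,to_server) and leaves the plain flow:stateless rule and the established/to_server rule alone. The per-engine view is what a release pipeline would gate on: rules_rejected_by(text, "snort-2.9") lists both problem sids, while rules_rejected_by(text, "suricata-4.x") lists only the tcp.hdr one.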

Thanks for the update. I shared the info you provided over on the Netgate forum so people on that thread are aware as well.