Ruleset Update Summary - 2024/02/20 - v10537

Summary:

39 new OPEN, 42 new PRO (39 + 3): ConnectWise ScreenConnect, Ghostlocker, Lumma Stealer, and more

Thanks: @Jane_0sint, @ConnectWiseCRU

Added rules:

Open:

2050988 - ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)
2050989 - ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)
2050990 - ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)
2050991 - ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)
2050992 - ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)
2050993 - ET MALWARE Win/Ghostlocker Ransomware Activity M1 (POST)
2050994 - ET MALWARE Win/Ghostlocker Ransomware Activity M2 (POST)
2050995 - ET INFO Observed DNS Over HTTPS Domain (dns .dekedin .me in TLS SNI)
2050996 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop)
2050997 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (woodfeetumhblefepoj .shop)
2050998 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (technologyenterdo .shop)
2050999 - ET MALWARE Observed Lumma Stealer Related Domain (detectordiscusser .shop in TLS SNI)
2051000 - ET MALWARE Observed Lumma Stealer Related Domain (woodfeetumhblefepoj .shop in TLS SNI)
2051001 - ET MALWARE Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI)
2051002 - ET INFO Pastebin-style Service Domain in DNS Lookup (textbin .net)
2051003 - ET INFO Suspected Proxy Server List Retrieval (GET)
2051004 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
2051005 - ET MALWARE Lazarus Group Backdoor CnC Checkin M1
2051006 - ET MALWARE Lazarus Group Backdoor CnC Checkin M2
2051007 - ET MALWARE Lazarus Group Domain in DNS Lookup (sifucanva .com)
2051008 - ET MALWARE Lazarus Group Domain in DNS Lookup (contact .rgssm .in)
2051009 - ET MALWARE Lazarus Group Domain in DNS Lookup (chrysalisc .com)
2051010 - ET MALWARE Lazarus Group Domain in DNS Lookup (rginfotechnology .com)
2051011 - ET MALWARE Lazarus Group Domain in DNS Lookup (thefrostery .co .uk)
2051012 - ET MALWARE Lazarus Group Domain in DNS Lookup (job4writers .com)
2051013 - ET MALWARE Observed Lazarus Group Domain (rginfotechnology .com) in TLS SNI
2051014 - ET MALWARE Observed Lazarus Group Domain (sifucanva .com) in TLS SNI
2051015 - ET MALWARE Observed Lazarus Group Domain (thefrostery .co .uk) in TLS SNI
2051016 - ET MALWARE Observed Lazarus Group Domain (contact .rgssm .in) in TLS SNI
2051017 - ET MALWARE Observed Lazarus Group Domain (chrysalisc .com) in TLS SNI
2051018 - ET MALWARE Observed Lazarus Group Domain (job4writers .com) in TLS SNI
2051019 - ET MALWARE Lazarus Group Domain in DNS Lookup (updating .dothome .co .kr)
2051020 - ET EXPLOIT CVE-2024-25600 Bricks Exploitation Attempt
2051021 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (googlecloudstream .com)
2051022 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (googlecloudstream .com)
2051023 - ET MALWARE SocGholish Domain in DNS Lookup (stake .libertariancounterpoint .com)
2051024 - ET MALWARE SocGholish Domain in TLS SNI (stake .libertariancounterpoint .com)
2051025 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ads-quantum .com)
2051026 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ads-quantum .com)

Pro:

2856378 - ETPRO MALWARE Win32/Screenshotter Variant CnC Activity (GET)
2856379 - ETPRO INFO URL Shortener Service Domain in DNS Lookup (1kb .link)
2856380 - ETPRO INFO Observed URL Shortener Service Domain (1kb .link in TLS SNI)

Disabled and modified rules:

2018321 - ET MALWARE Saker UA
2050272 - ET INFO Observed DNS Over HTTPS Domain (id .local .v .ua in TLS SNI)
2807817 - ETPRO MALWARE Trojan-Downloader.Win32.Agent.ybmu Checkin
2807900 - ETPRO MALWARE TrojanProxy.Wintu.B Checkin
2050274 - ET INFO Observed DNS Over HTTPS Domain (netcup .mismat .ch in TLS SNI)
2024555 - ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016
2807859 - ETPRO MALWARE Variant.Symmi Checkin 3
2050269 - ET INFO Observed DNS Over HTTPS Domain (home .wriedts .de in TLS SNI)
2043239 - ET MALWARE WasabiSeed Backdoor Payload Request (GET)
2050264 - ET INFO Observed DNS Over HTTPS Domain (dns .sac .rebl .eu .org in TLS SNI)
2050267 - ET INFO Observed DNS Over HTTPS Domain (ns .mtsoln .com in TLS SNI)
2050270 - ET INFO Observed DNS Over HTTPS Domain (dns1 .lothuscorp .com .br in TLS SNI)
2050276 - ET INFO Observed DNS Over HTTPS Domain (locaweb .moleniuk .com in TLS SNI)
2807869 - ETPRO MALWARE Win32/Necurs Checkin 2
2050263 - ET INFO Observed DNS Over HTTPS Domain (query .mobyds .com in TLS SNI)
2050268 - ET INFO Observed DNS Over HTTPS Domain (adblock .leenit .kr in TLS SNI)
2837753 - ETPRO MALWARE KPOT Stealer Exfiltration M3