Ruleset Update Summary - 2024/09/24 - v10702

Summary:

77 new OPEN, 78 new PRO (77 + 1)

Thanks @Unit42_Intel, @BushidoUK
Added rules:

Open:

  • 2056090 - ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication File Creation (CVE-2023-35885) (web_specific_apps.rules)
  • 2056091 - ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication Content Upload (CVE-2023-35885) (web_specific_apps.rules)
  • 2056092 - ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication File Permission Modification (CVE-2023-35885) (web_specific_apps.rules)
  • 2056093 - ET WEB_SPECIFIC_APPS Vulnerable aiohttp Server Version Response (CVE-2024-23334) (web_specific_apps.rules)
  • 2056094 - ET WEB_SPECIFIC_APPS Atlassian Confluence Data Center and Server Authenticated RCE (CVE-2024-21683) (web_specific_apps.rules)
  • 2056095 - ET INFO DYNAMIC_DNS Query to a * .hse .tw Domain (info.rules)
  • 2056096 - ET INFO DYNAMIC_DNS HTTP Request to a * .hse .tw Domain (info.rules)
  • 2056097 - ET INFO DYNAMIC_DNS Query to a * .volphied .com Domain (info.rules)
  • 2056098 - ET INFO DYNAMIC_DNS HTTP Request to a * .volphied .com Domain (info.rules)
  • 2056099 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (admissionfaccen .shop) (malware.rules)
  • 2056100 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (admissionfaccen .shop in TLS SNI) (malware.rules)
  • 2056101 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mizzerablekmo .shop) (malware.rules)
  • 2056102 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mizzerablekmo .shop in TLS SNI) (malware.rules)
  • 2056103 - ET MALWARE BadSpace/WarmCookie CnC Activity (GET) M2 (malware.rules)
  • 2056104 - ET EXPLOIT_KIT Fake Update Domain in DNS Lookup (mediamic .info) (exploit_kit.rules)
  • 2056105 - ET EXPLOIT_KIT Fake Update Domain in TLS SNI (mediamic .info) (exploit_kit.rules)
  • 2056106 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (flyjeta .com) (exploit_kit.rules)
  • 2056107 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (flyjeta .com) (exploit_kit.rules)
  • 2056108 - ET MALWARE SnipBot CnC Domain in DNS Lookup (webtimeapi .com) (malware.rules)
  • 2056109 - ET MALWARE SnipBot CnC Domain in DNS Lookup (cloudcreative .digital) (malware.rules)
  • 2056110 - ET MALWARE SnipBot CnC Domain in DNS Lookup (fileshare .direct) (malware.rules)
  • 2056111 - ET MALWARE SnipBot CnC Domain in DNS Lookup (mcprotect .cloud) (malware.rules)
  • 2056112 - ET MALWARE SnipBot CnC Domain in DNS Lookup (sitepanel .top) (malware.rules)
  • 2056113 - ET MALWARE SnipBot CnC Domain in DNS Lookup (docstorage .link) (malware.rules)
  • 2056114 - ET MALWARE SnipBot CnC Domain in DNS Lookup (drv2ms .com) (malware.rules)
  • 2056115 - ET MALWARE SnipBot CnC Domain in DNS Lookup (ilogicflow .com) (malware.rules)
  • 2056116 - ET MALWARE SnipBot CnC Domain in DNS Lookup (certifysop .com) (malware.rules)
  • 2056117 - ET MALWARE SnipBot CnC Domain in DNS Lookup (dns-msn .com) (malware.rules)
  • 2056118 - ET MALWARE SnipBot CnC Domain in DNS Lookup (linedrv .com) (malware.rules)
  • 2056119 - ET MALWARE SnipBot CnC Domain in DNS Lookup (publicshare .link) (malware.rules)
  • 2056120 - ET MALWARE SnipBot CnC Domain in DNS Lookup (fastshare .click) (malware.rules)
  • 2056121 - ET MALWARE SnipBot CnC Domain in DNS Lookup (drvmcprotect .com) (malware.rules)
  • 2056122 - ET MALWARE SnipBot CnC Domain in DNS Lookup (olminx .com) (malware.rules)
  • 2056123 - ET MALWARE SnipBot CnC Domain in DNS Lookup (xeontime .com) (malware.rules)
  • 2056124 - ET MALWARE SnipBot CnC Domain in DNS Lookup (cethernet .com) (malware.rules)
  • 2056125 - ET MALWARE Observed SnipBot CnC Domain (webtimeapi .com in TLS SNI) (malware.rules)
  • 2056126 - ET MALWARE Observed SnipBot CnC Domain (cloudcreative .digital in TLS SNI) (malware.rules)
  • 2056127 - ET MALWARE Observed SnipBot CnC Domain (fileshare .direct in TLS SNI) (malware.rules)
  • 2056128 - ET MALWARE Observed SnipBot CnC Domain (mcprotect .cloud in TLS SNI) (malware.rules)
  • 2056129 - ET MALWARE Observed SnipBot CnC Domain (sitepanel .top in TLS SNI) (malware.rules)
  • 2056130 - ET MALWARE Observed SnipBot CnC Domain (docstorage .link in TLS SNI) (malware.rules)
  • 2056131 - ET MALWARE Observed SnipBot CnC Domain (drv2ms .com in TLS SNI) (malware.rules)
  • 2056132 - ET MALWARE Observed SnipBot CnC Domain (ilogicflow .com in TLS SNI) (malware.rules)
  • 2056133 - ET MALWARE Observed SnipBot CnC Domain (certifysop .com in TLS SNI) (malware.rules)
  • 2056134 - ET MALWARE Observed SnipBot CnC Domain (dns-msn .com in TLS SNI) (malware.rules)
  • 2056135 - ET MALWARE Observed SnipBot CnC Domain (linedrv .com in TLS SNI) (malware.rules)
  • 2056136 - ET MALWARE Observed SnipBot CnC Domain (publicshare .link in TLS SNI) (malware.rules)
  • 2056137 - ET MALWARE Observed SnipBot CnC Domain (fastshare .click in TLS SNI) (malware.rules)
  • 2056138 - ET MALWARE Observed SnipBot CnC Domain (drvmcprotect .com in TLS SNI) (malware.rules)
  • 2056139 - ET MALWARE Observed SnipBot CnC Domain (olminx .com in TLS SNI) (malware.rules)
  • 2056140 - ET MALWARE Observed SnipBot CnC Domain (xeontime .com in TLS SNI) (malware.rules)
  • 2056141 - ET MALWARE Observed SnipBot CnC Domain (cethernet .com in TLS SNI) (malware.rules)
  • 2056142 - ET WEB_SPECIFIC_APPS Progress Kemp Loadmaster Unauthenticated Command Injection (CVE-2024-1212) (web_specific_apps.rules)
  • 2056143 - ET PHISHING Parking Penalty Phish Kit Admin Landing Page M1 2024-09-23 (phishing.rules)
  • 2056144 - ET HUNTING Redirect to stockx.com (hunting.rules)
  • 2056145 - ET PHISHING Parking Penalty Phish Kit Admin Landing Page M2 2024-09-23 (phishing.rules)
  • 2056146 - ET PHISHING Parking Penalty Phish Kit Admin Landing Page M3 2024-09-23 (phishing.rules)
  • 2056147 - ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility API Hardcoded Admin Credentials (CVE-2024-20439) (web_specific_apps.rules)
  • 2056148 - ET EXPLOIT Cisco Smart Software Manager On-Prem (SSM On-Prem) Unauthenticated Password Change Attempt (CVE-2024-20419) (exploit.rules)
  • 2056149 - ET EXPLOIT Cisco Smart Software Manager On-Prem (SSM On-Prem) Successful Unauthenticated Password Change (CVE-2024-20419) (exploit.rules)
  • 2056150 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) (malware.rules)
  • 2056151 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) (malware.rules)
  • 2056152 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) (malware.rules)
  • 2056153 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) (malware.rules)
  • 2056154 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) (malware.rules)
  • 2056155 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) (malware.rules)
  • 2056156 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) (malware.rules)
  • 2056157 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) (malware.rules)
  • 2056158 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) (malware.rules)
  • 2056159 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) (malware.rules)
  • 2056160 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) (malware.rules)
  • 2056161 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) (malware.rules)
  • 2056162 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) (malware.rules)
  • 2056163 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) (malware.rules)
  • 2056164 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) (malware.rules)
  • 2056165 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) (malware.rules)
  • 2056166 - ET EXPLOIT aiohttp Directory Traversal in Static Routing (CVE-2024-23334) (exploit.rules)

Pro:

  • 2858443 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)