Weekly Community Review - February 10, 2023

We’re at the end of the week again! It’s time to give a small sampling of the over 50 ET Open additions to the signature set these past five days, with thanks to our Suricata and infosec communities…

We’ve got some CVE coverage this week - and a note on that: ET rules are written against what we see in the landscape, what is likely to be or is actively exploited, and what we have proper guidance for, so we can craft a performant rule for our customers.

For the recent ImageMagick CVEs, CVE-2022-44267 and CVE-2022-44268, we’ve got 3 SIDs (2044118-2044120). These cover inbound PNG upload attempts that try to get ImageMagick to parse the malicious image content and trigger DoS conditions.

From a Japan Security Analyst Conference 2023 presentation by @TeamT5_Official, SID 2044122 was created using observations of an inbound UA string for an “NginxSpy” request.

A @rapid7 writeup yielded SIDs 2044143-2044144 for CVE-2023-0669, alerting on Fortra pre-authentication deserialization attempts over GET and POST requests.

Kevin Ross on our mailing list passed along SIDs 2044127-2044129 for Gamaredon PowerShell GET/POST activity, created from the data within the @dsszzi TLP:CLEAR report here.

For SID 2044152, a sig from @jaydinbas that flags a TA4444 domain within a DNS request.

And to @StopMalvertisin, thanks for two SIDs! 2044166 (Gamaredon GET activity) and 2044168 (DonotGroup-related UA string).

And lastly, our own @threatinsight blog, featuring TA866 utilizing screenshots to analyze victim activity before further infection, with multiple related ET Open and ETPRO signature references in its addendum!