Weekly Community Review - June 16, 2023

It’s been a busy #infosec week here at @et_labs, with exploits, public disclosures, and community contributions across Twitter and #Discourse leading to 112 signatures being added to the ETOpen Suricata and #Snort rulesets. We can chat on a few…

More rules for the CVE-2023-34362 #MOVEit Transfer application vulnerability came from writeups, PoC code, and shared research by @Horizon3ai and @rapid7, with SIDs 2046188-2046198 modeling observed and documented steps through the exploitation chain. Detection logic for SQL injection alerts on the setting of session variables, guest account creation, and CSRF token manipulation for API access. (See the SID description file for detailed per-signature breakdowns.) Keep in mind - these signatures are based on PoC code and not live captured exploitation traffic.

@kevross33 here on the Discourse provided content as well, and our @bmurphy gave further coverage context and a breakdown of triaging: SIG: MoveIt File Transfer WebShell Interaction

As he says - be mindful of the classtype and severity of received alerts. Major severity and classtype “attempted-admin” alerts (SQLi Payload Creation, Guest account creation via SQLi) are higher candidates for triage than Informational severity “web-application-activity” classtype alerts (API token request, Folder request). While these informational signatures may fire in isolation from other CVE-2023-34362 signatures as part of normal operations, seeing this activity clustered with the higher severity signatures can be indicative of compromise. Be mindful in your triaging and investigations!
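The triage guidance above, as an added sketch (not Emerging Threats code, and not part of the original post): it reads Suricata EVE JSON alerts in the MOVEit SID range and escalates a server only when Informational alerts cluster with a Major one. The 30-minute window, the use of `dest_ip` as the server, the verdict names, and the sample events (including which SID carries which severity) are assumptions made for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

MOVEIT_SIDS = range(2046188, 2046199)  # SIDs 2046188-2046198, as given in the post
WINDOW = timedelta(minutes=30)         # assumption: what counts as "clustered"

def triage(eve_lines, window=WINDOW):
    """Map each targeted server IP to 'escalate', 'triage' or 'baseline'."""
    seen = defaultdict(lambda: {"Major": [], "Informational": []})
    for line in eve_lines:
        ev = json.loads(line)
        alert = ev.get("alert", {})
        if ev.get("event_type") != "alert" or alert.get("signature_id") not in MOVEIT_SIDS:
            continue
        # Assumption: rule metadata is enabled in the EVE alert output.
        sev = (alert.get("metadata", {}).get("signature_severity") or [""])[0]
        if sev in ("Major", "Informational"):
            ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            seen[ev["dest_ip"]][sev].append(ts)  # dest_ip = server receiving the request
    verdicts = {}
    for ip, hits in seen.items():
        clustered = any(abs(m - i) <= window
                        for m in hits["Major"] for i in hits["Informational"])
        if clustered:
            verdicts[ip] = "escalate"  # informational activity near a Major alert
        elif hits["Major"]:
            verdicts[ip] = "triage"    # Major alert on its own
        else:
            verdicts[ip] = "baseline"  # informational only, may be normal operations
    return verdicts

def _ev(ts, dst, sid, sev):
    """Build one constructed EVE alert line (not captured traffic)."""
    return json.dumps({"timestamp": f"2023-06-16T{ts}.000000+0000", "event_type": "alert",
                       "dest_ip": dst, "alert": {"signature_id": sid,
                       "metadata": {"signature_severity": [sev]}}})

# Constructed sample; the SID-to-severity pairings are illustrative only.
SAMPLE = [
    _ev("10:00:05", "10.0.0.5", 2046190, "Informational"),
    _ev("10:04:10", "10.0.0.5", 2046188, "Major"),
    _ev("11:00:00", "10.0.0.6", 2046191, "Informational"),
    _ev("09:00:00", "10.0.0.7", 2046189, "Major"),
    _ev("12:00:00", "10.0.0.7", 2046192, "Informational"),
    _ev("10:01:00", "10.0.0.8", 1000001, "Major"),  # outside the range, ignored
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

To run it against real data, pass the open `eve.json` file object to `triage()` in place of `SAMPLE`.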

Continued great #Gamaredon #APT coverage from @Cyber0verload, SIDs 2046213-2046224 on observed domains came from their kind tag!

This @welivesecurity blog (referencing the great @threatinsight @Atraggi #AsylumAmbuscade cybercrime group research release) gave us SID 2046247 to alert on outbound install activity.

From @SentinelOne, SIDs 2046257-2046260 model various methods of #Kimsuky related activities around payload retrieval.


Remember, our #Discourse can be a vector for FP reporting as well. Here, user @ksci reports in on a rule that met the wild network landscape and needed some tuning. Our own @trobinson667 responds and the modified rule went out today!

Concerning CVE-2023-27997 (Fortigate SSL VPN) exploit coverage, this @LexfoSecurite writeup provided SIDs 2046251-2046256 which alert on repeated POST and GET requests to the hostcheck_validate and logincheck endpoints - a heap overflow bug provides RCE! These sigs use Threshold to keep FPs down and fire on potential abuse of the endpoints.


Thanks go to @RexorVc0 for their tweet and @virustotal run enabling SID 2046263 to alert on an APT-C-36 associated domain lookup from hosts within your networks!

From @Jane0sint's Discourse post came SIDs 2042982-2042985, 2042987, and 2042989-2042991. Drop by the thread and see the process around laying out their research from which the community benefits!

Again here on #Discourse, user @dspruell @InQuest @Threatlabz contributes two Mystic Stealer C2 signatures - SIDs 2046293-2046295 are from their great work - check it out!

Lastly, a large and responsible disclosure from #Barracuda, backed by @rapid7 and @Mandiant reports, has dominated the cybersecurity space this past week. After Barracuda was alerted to some traffic oddities from their Email Security Gateway appliances, investigation found compromise of versions of those appliances. A flaw (CVE-2023-2868) exists because the Barracuda device does not sanitize the processing of supplied .tar files, particularly around the archive file contents and file names. As such, an attacker can craft file names that will result in the platform executing them with full system privileges. Mandiant’s report identified an actor they track as UNC4841 and kindly provided observed domains post-compromise (SIDs 2046281-2046288) as well as backdoor methods which we were able to model (SIDs 2046273-2046280), all thanks to their comprehensive reporting.

Thanks all - enjoy your weekend. We’ll see you next week.