Weekly Community Review - June 2, 2023

Greetings all - it was a short week here for us at @et_labs but we’re long on rules going into #ETOpen with 194 (!) rules heading into the free community ruleset thanks to researchers and industry contributions as well as many new DNS over HTTPS (a common obfuscation technique) and Dynamic DNS (a technique against hard IP blocks) domain rules. Lets chat on some…

From @0xToxin context on a @James_inthe_box tweet, SID 2045885 firing on an incoming #agentesla #ManaTools malware infracture control panel thanks to:

Thanks to @sucurisecurity for writing and @StamusN for sharing this blog which allowed 2045884 to fire on an identified TLS SNI cert presentation for an identified Balada TDS domain: Vulnerability in Essential Addons for Elementor Leads to Mass Infection

Much research done today around CVE-2023-34362 (MOVEit zero-day), and we’ve got signature coverage for it out today thanks to @_JohnHammond, @HuntressLabs, and this great @mandiant writeup. I want to take the opportunity here to talk about the metadata tags we chose to deploy with these… Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft | Mandiant

So we know how difficult it can be to catch these alerts and collate them in a way that lets you triage the impact of their firing and allows you to separate what you can/should focus on against everything that you’re possibly collecting. We feature metadata tags through our rulesets to help, and we talk about those here: Signature Metadata

In the case of these #MOVEit #zeroday #CVE_2023_24262 signatures, they’re currently marked info severity, low confidence and minor priority. Why is that? Because right now, they’re based on currently publicly available information. The official Progress posts lists POSTs to URL’s within the detection logic as an IOC for exploitation. At this point that’s what we have to go on–there’s been little information shared regarding the actual exploit chain. It would be hard then to mark this as ‘covered’ and walk away–or elevate the severity and confidence based on wishing rather than fact.

Until we gain more information through research and disclosure the confidence and severity of these signatures will be set to low/minor until further details are available. Once we can do so, these signatures will be updated with new logic and their severity/confidence adjusted. We’re also using #LEMURLOOT in the naming from the Mandiant report.

Thanks for @CyberOverload and their kind tag feeding more SIDs with #Gamaredon #APT goodness:

Twitter tags are a great way to get in our ears - thanks to @jay_townsend1 for his tag and ET OPEN rule submission - we added his HTTP rules with some few tweaks so that the align with our rule format (public visibility of our preferred ‘standards’ coming soon!) and performance requirements. You can tag us too!

Another great vector into @et_labs? Our discourse site! We’re getting such great opportunities for collaboration and feedback there. Friend @Jane0sint with submissions that turned into SIDs 2045974 and 2046045-2046046. Check out their great work here: LgoogLoader, PikaBot, RedLine rules - #2 by samjenk (with sandbox links and their twitter thread as well!)

And more #LEMURLOOT #MOVEit #zeroday #CVE_2023_24262 coverage, SID 2046047 came from @kevross33 on our #Discourse site: SIG: MoveIt File Transfer WebShell Interaction - #2 by bmurphy

That’s it for this week! Thanks all and be well - take good care of yourselves.