Greetings all! We had a great week last week here at Emerging Threats on the collaboration score - just shy of 100 (99!) rules were added to the #free #IDS etopen rules. They were born from the kind shares of independent researchers and industry partners putting their hard work, sandbox runs, and hashes out there for all to see, and from which we all can improve our detections. Here are some tags, mentions, tweets, blogs, and community posts and the SIDs they inspired!
From @Cyber0verload, this kind tag & hash led to SID 2047927 - the outbound grab of a remote #APT #Gamaredon #PrimitiveBear template!
A reminder: any sigs created from our own internal research (including malware detonation, global sensor network, integration with other products) go into ETPRO. But any signatures contributed by the community, or signatures that are written by ET/Proofpoint based on community research, go into ET Open. (like these discussed today!)
And while you're here - look at this thread where ET's own @bmurphy talks about two INFO rules (2047976 & 2047977) released last week to address the recent Java deserialization vulnerability in JSCAPE MFT: CVE-2023-4528
Looking at the contributions of industry partners via blogs and shares - from @uptycs shared research, SID 2047905 - alerting on the outbound payload request of #Stealerium via PowerShell!
From @SecurityJoes writeup last week - a SID each on #MinIO information disclosure attempt (2047923) and success (2047924) around CVE-2023-28432:
For #CVE coverage - we are careful to use metadata tags so you can bubble these alerts up within relevant environments. These CVE indicators can be found in both the reference field (type 'cve') and the 'cve' metadata tag itself (cve CVE_2023_28432).
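As an added example (not ET's or Proofpoint's code), here is one way to make use of those two placements: pull CVE ids out of a rule's reference and metadata options, and filter Suricata EVE JSON alerts down to the CVEs an environment actually cares about. The rule and the EVE records are constructed samples; the rule's detection content is a placeholder, not an ET rule, and the EVE shape assumes Suricata's eve.json with rule metadata logging enabled.

```python
import json
import re

# Constructed sample rule: the option layout (reference:cve,... plus a
# "cve CVE_YYYY_NNNNN" metadata entry) mirrors the ET convention described
# in the post; the match content itself is a placeholder, not an ET rule.
SAMPLE_RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any ('
    'msg:"SAMPLE CONSTRUCTED RULE MinIO information disclosure attempt"; '
    'flow:established,to_server; http.method; content:"POST"; '
    'reference:cve,2023-28432; classtype:attempted-recon; '
    'sid:9000001; rev:1; '
    'metadata:attack_target Server, cve CVE_2023_28432, deployment Perimeter;)'
)

# Constructed sample EVE JSON records (shape of Suricata eve.json with rule
# metadata logging on). SIDs are the ones named in the post; signature names,
# addresses and timestamps are made up.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2023-09-18T10:00:00.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.10", "dest_ip": "10.0.0.5",
                "alert": {"signature_id": 2047923, "rev": 1,
                          "signature": "SAMPLE MinIO information disclosure attempt",
                          "metadata": {"cve": ["CVE_2023_28432"], "deployment": ["Perimeter"]}}}),
    json.dumps({"timestamp": "2023-09-18T10:00:01.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.10", "dest_ip": "10.0.0.5",
                "alert": {"signature_id": 2047924, "rev": 1,
                          "signature": "SAMPLE MinIO information disclosure success",
                          "metadata": {"cve": ["CVE_2023_28432"], "deployment": ["Perimeter"]}}}),
    json.dumps({"timestamp": "2023-09-18T10:00:02.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.7", "dest_ip": "203.0.113.4",
                "alert": {"signature_id": 2047927, "rev": 1,
                          "signature": "SAMPLE remote template request",
                          "metadata": {"deployment": ["Perimeter"]}}}),
    json.dumps({"timestamp": "2023-09-18T10:00:03.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.7", "dest_ip": "203.0.113.4"}),
]

# Accepts the metadata form (CVE_2023_28432), the reference form (2023-28432)
# and the canonical form (CVE-2023-28432).
CVE_RE = re.compile(r"(?i)^(?:cve[_-])?(\d{4})[_-](\d{4,})$")


def normalize_cve(value):
    """Return the canonical 'CVE-YYYY-NNNNN' for any of the accepted spellings, else None."""
    m = CVE_RE.match(value.strip())
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def cves_from_rule(rule):
    """Collect CVE ids from both places the post names: reference:cve,... and
    the 'cve' key inside the metadata keyword. Splits options on ';', so a
    rule whose content/pcre itself contains ';' would need a real parser."""
    found = set()
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    for option in body.split(";"):
        option = option.strip()
        if option.startswith("reference:"):
            ref_type, _, ref_val = option[len("reference:"):].partition(",")
            if ref_type.strip().lower() == "cve":
                cve = normalize_cve(ref_val)
                if cve:
                    found.add(cve)
        elif option.startswith("metadata:"):
            for entry in option[len("metadata:"):].split(","):
                key, _, val = entry.strip().partition(" ")
                if key.lower() == "cve":
                    cve = normalize_cve(val)
                    if cve:
                        found.add(cve)
    return found


def cves_from_alert(event):
    """CVE ids logged under alert.metadata.cve for one EVE alert event."""
    meta = (event.get("alert") or {}).get("metadata") or {}
    return {c for c in map(normalize_cve, meta.get("cve", [])) if c}


def relevant_alerts(eve_lines, relevant_cves):
    """Return (signature_id, matched CVEs) for alert events tagged with a CVE in
    relevant_cves (a set). Non-alert events and untagged alerts are dropped."""
    hits = []
    for line in eve_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partial lines in a live log
        if event.get("event_type") != "alert":
            continue
        matched = cves_from_alert(event) & relevant_cves
        if matched:
            hits.append((event["alert"]["signature_id"], sorted(matched)))
    return hits


if __name__ == "__main__":
    print("CVEs in sample rule:", sorted(cves_from_rule(SAMPLE_RULE)))
    for sid, cves in relevant_alerts(SAMPLE_EVE_LINES, {"CVE-2023-28432"}):
        print("bubble up:", sid, cves)
```

Feeding the set of CVEs that apply to a given network segment into relevant_alerts is the "bubble up" the post describes; the 2047927 sample alert carries no cve tag and stays out of the result, and the flow record is ignored entirely.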
From @bizone_en, SIDs 2047955-2047967, which encompass multiple alerts on stages of #RedWolf #APT across POST and GET requests using the Windows PowerShell user-agent & unique header configs, DNS lookups, and TLS SNI headers for suspected domains, all with the goal of downloading an additional payload.
That’s it for us this week - thanks all and be well!