Weekly Community Review - September 11, 2023

Greetings all! We had a great week last week here at Emerging Threats on the collaboration score - just shy of 100 (99!) rules were added to the #free #IDS etopen rules. They were born from the kind shares of independent researchers and industry partners who put their hard work, sandbox runs, and hashes out there for all to see, and from which we all can improve our detections. Here are some of the tags, mentions, tweets, blogs, and community posts and the SIDs they inspired!

From @Cyber0verload, this kind tag & hash led to SID 2047927 - the outbound grab of a remote #APT #Gamaredon #PrimitiveBear template!

And a little help from some old friends of ET last week - first @tgreen sending over the @VulnCheckAI blog, which led to SID 2047954 for some CVE-2023-33246 #Apache #RocketMQ code injection.

As well as @twinwavesec with etopen signature contributions (2047978-2047983) covering both the redirects and the URL structures of phishing pages!

So these are all etopen signatures - and as such are free! What’s the difference between them and our paid subscription etpro signatures?

A reminder: any sigs created from our own internal research (including malware detonation, global sensor network, integration with other products) go into ETPRO. But any signatures contributed by the community, or signatures that are written by ET/Proofpoint based on community research (like the ones discussed today!), go into ET Open.

Here on our #Discourse #Community page, friend @Jane0sint references a @Viriback tweet to contribute a rule to ETOpen - check it out: Echida Botnet

And while you’re here - look at this thread where ET’s own @bmurphy talks about two INFO rules (2047976 & 2047977) released last week to address the recent Java deserialization vulnerability in JSCAPE MFT (CVE-2023-4528).

Looking at the contributions of industry partners via blogs and shares - from @uptycs shared research, SID 2047905, alerting on the outbound payload request of #Stealerium via PowerShell!

From the @SecurityJoes writeup last week - a SID each for #MinIO information disclosure attempt (2047923) and success (2047924) around CVE-2023-28432.

For #CVE coverage - we are careful to use metadata tags so you can bubble these alerts up within the environments where they matter. The CVE indicator can be found in two places: the reference field (type ‘cve’) and the “cve” metadata tag itself (e.g. cve CVE_2023_28432).
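As an added example (not ET’s own tooling), here is a small parser that pulls the CVE id out of both places the post mentions, so you can pick out the SIDs that matter for your patch list and catch rules where the reference and the metadata tag disagree. The rules below are constructed samples in Suricata syntax, not actual ET signatures.

```python
import re
from typing import Dict, List, Set

# Constructed sample rules (not actual ET rules). Rule 1 carries both markers the
# post describes: reference:cve,... and the "cve CVE_2023_28432" metadata tag.
# Rule 2 has no CVE. Rule 3 deliberately has a reference but no cve metadata tag.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE MinIO Info Disclosure Attempt (CVE-2023-28432)"; flow:established,to_server; http.method; content:"POST"; reference:cve,2023-28432; classtype:attempted-recon; sid:9000001; rev:1; metadata:attack_target Server, cve CVE_2023_28432, deployment Perimeter, signature_severity Major;)
# comment lines and blank lines are skipped
alert dns $HOME_NET any -> any any (msg:"SAMPLE Suspicious DNS Lookup"; dns.query; content:"example.invalid"; classtype:trojan-activity; sid:9000002; rev:1; metadata:deployment Perimeter, signature_severity Major;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE JSCAPE MFT Deserialization Attempt"; flow:established,to_server; http.method; content:"POST"; reference:cve,2023-4528; classtype:attempted-admin; sid:9000003; rev:1; metadata:deployment Perimeter, signature_severity Major;)
"""

def parse_metadata(rule: str) -> Dict[str, List[str]]:
    """Turn 'metadata:k1 v1, k2 v2;' into {k1: [v1], k2: [v2]} (keys may repeat)."""
    meta: Dict[str, List[str]] = {}
    m = re.search(r"metadata:([^;]*);", rule)
    if m:
        for item in m.group(1).split(","):
            key, _, value = item.strip().partition(" ")
            if key:
                meta.setdefault(key, []).append(value.strip())
    return meta

def parse_rule(rule: str) -> Dict[str, object]:
    """Extract sid, msg and the CVE ids from the reference field and the cve metadata tag,
    both normalized to the CVE-YYYY-NNNN form so they can be compared."""
    sid = re.search(r"\bsid:\s*(\d+)", rule)
    msg = re.search(r'msg:"([^"]*)"', rule)
    meta = parse_metadata(rule)
    refs = re.findall(r"reference:\s*(\w+),([^;]+);", rule)
    ref_cves = {"CVE-" + v.strip() for t, v in refs if t.lower() == "cve"}
    meta_cves = {v.upper().replace("_", "-") for v in meta.get("cve", [])}
    return {"sid": int(sid.group(1)) if sid else None, "msg": msg.group(1) if msg else "",
            "ref_cves": ref_cves, "meta_cves": meta_cves, "metadata": meta}

def load_rules(text: str) -> List[Dict[str, object]]:
    """Parse one rule per line, skipping comments and blank lines."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def sids_for_cves(rules: List[Dict[str, object]], wanted: Set[str]) -> List[int]:
    """SIDs whose reference field or cve metadata names any CVE in `wanted` (e.g. your patch list)."""
    wanted = {w.upper() for w in wanted}
    return sorted(r["sid"] for r in rules if (r["ref_cves"] | r["meta_cves"]) & wanted)

def inconsistent_cve_tags(rules: List[Dict[str, object]]) -> List[int]:
    """QA check: SIDs where the reference field and the cve metadata tag do not agree."""
    return [r["sid"] for r in rules if r["ref_cves"] != r["meta_cves"]]

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    print("rules for CVE-2023-28432:", sids_for_cves(rules, {"cve-2023-28432"}))
    print("rules with mismatched cve tags:", inconsistent_cve_tags(rules))
```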

From @bizone_en, SIDs 2047955-2047967, which encompass multiple alerts on stages of #RedWolf #APT across POST and GET requests using the Windows PowerShell user-agent & unique header configs, DNS lookups, and TLS SNI headers for suspected domains, all with the goal of downloading an additional payload.

That’s it for us this week - thanks all and be well!