Daily Ruleset Update Summary 2017/03/14

[***]            Summary:            [***]

6 new Open signatures, 94 new Pro (6 + 88). MAPP, Terror EK, Various Phishing.

CVE to ET Sid mapping for MAPP:

CVE-2017-0007->2825374
CVE-2017-0008->2825375
CVE-2017-0010->2825376
CVE-2017-0011->2825377
CVE-2017-0022->2825378
CVE-2017-0023->2825379
CVE-2017-0023->2825380
CVE-2017-0024->2825381
CVE-2017-0026->2825382
CVE-2017-0030->2825383
CVE-2017-0031->2825384
CVE-2017-0037->2825385
CVE-2017-0038->2825387
CVE-2017-0039->2825388
CVE-2017-0042->2825389
CVE-2017-0046->2825390
CVE-2017-0049->2825391
CVE-2017-2984->2825392
CVE-2017-2984->2825393
CVE-2017-2984->2825394
CVE-2017-2986->2825395
CVE-2017-2990->2825396
CVE-2017-2990->2825397
CVE-2017-2992->2825398
CVE-2017-2991->2825399
CVE-2017-0009->2825400
CVE-2017-0015->2825401
CVE-2017-0017->2825402
CVE-2017-0018->2825403
CVE-2017-0034->2825404
CVE-2017-0055->2825405
CVE-2017-0059->2825406
CVE-2017-0060->2825407
CVE-2017-0062->2825408
CVE-2017-0066->2825410
CVE-2017-0067->2825409
CVE-2017-0069->2825411
CVE-2017-0070->2825412
CVE-2017-0071->2825413
CVE-2017-0072->2825414
CVE-2017-0073->2825415
CVE-2017-0078->2825416
CVE-2017-0079->2825417
CVE-2017-0080->2825418
CVE-2017-0081->2825419
CVE-2017-0082->2825420
CVE-2017-0083->2825421
CVE-2017-0086->2825422
CVE-2017-0087->2825423
CVE-2017-0088->2825424
CVE-2017-0089->2825425
CVE-2017-0090->2825426
CVE-2017-0094->2825427
CVE-2017-0100->2825428
CVE-2017-0108->2825430
CVE-2017-0121->2825431
CVE-2017-0130->2825432
CVE-2017-0131->2825433
CVE-2017-0133->2825434
CVE-2017-0140->2825435
CVE-2017-0141->2825436
CVE-2017-0154->2825437
CVE-2017-2998->2825438
CVE-2017-2997->2825439
CVE-2017-2999->2825440
CVE-2017-3002->2825441

[+++]          Added rules:          [+++]

2024050 - ET CURRENT_EVENTS Successful ANZ Internet Banking Phish Mar 14 2017 (current_events.rules)
2024051 - ET CURRENT_EVENTS Successful Instagram Phish Mar 14 2017 (current_events.rules)
2024052 - ET CURRENT_EVENTS Successful Paypal Phish Mar 14 2017 (current_events.rules)
2024053 - ET CURRENT_EVENTS Terror EK Payload Download M1 Mar 14 2017 (current_events.rules)
2024054 - ET CURRENT_EVENTS Terror EK Payload Download M2 Mar 14 2017 (current_events.rules)
2024055 - ET CURRENT_EVENTS Terror EK Payload RC4 Key M1 Mar 14 2017 (current_events.rules)
2825374 - ETPRO WEB_CLIENT Possible Microsoft Windows Script Signature Checking Bypass (CVE-2017-0007) (web_client.rules)
2825375 - ETPRO WEB_CLIENT Possible Internet Explorer Information Disclosure Vulnerability (CVE-2017-0008) (web_client.rules)
2825376 - ETPRO WEB_CLIENT Possible Scripting Engine Memory Corruption Vulnerability (CVE-2017-0010) (web_client.rules)
2825377 - ETPRO WEB_CLIENT Microsoft Edge OOB Read Information Disclosure (CVE-2017-0011) (web_client.rules)
2825378 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer Information Disclosure (CVE-2017-0022) (web_client.rules)
2825379 - ETPRO WEB_CLIENT Microsoft Edge PDF Parsing RCE M1 (CVE-2017-0023) (web_client.rules)
2825380 - ETPRO WEB_CLIENT Microsoft Edge PDF Parsing RCE M2 (CVE-2017-0023) (web_client.rules)
2825381 - ETPRO EXPLOIT Possible Windows DLL Loading RCE Vulnerability (CVE-2017-0024) (exploit.rules)
2825382 - ETPRO EXPLOIT Possible Win32k Elevation of Privilege Vulnerability (CVE-2017-0026) (exploit.rules)
2825383 - ETPRO EXPLOIT MS Word Buffer Overflow (CVE-2017-0030) (exploit.rules)
2825384 - ETPRO EXPLOIT MS Word UAF RCE (CVE-2017-0031) (exploit.rules)
2825385 - ETPRO WEB_CLIENT Internet Explorer Type Confusion (CVE-2017-0037) (web_client.rules)
2825386 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Variant) (trojan.rules)
2825387 - ETPRO EXPLOIT Possible Windows Graphics Component Info Disclosure (CVE-2017-0038) (exploit.rules)
2825388 - ETPRO EXPLOIT Possible Windows DLL Loading RCE Vulnerability (CVE-2017-0039) (exploit.rules)
2825389 - ETPRO EXPLOIT Possible Windows Media Player Info Disclosure Vulnerability (CVE-2017-0042) (exploit.rules)
2825390 - ETPRO WEB_CLIENT Microsoft Edge Type Confusion Vulnerability (CVE-2017-0046) (web_client.rules)
2825391 - ETPRO EXPLOIT Possible Scripting Engine Information Disclosure Vulnerability (CVE-2017-0049) (exploit.rules)
2825392 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M1 (CVE-2017-2984) (web_client.rules)
2825393 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M2 (CVE-2017-2984) (web_client.rules)
2825394 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M3 (CVE-2017-2984) (web_client.rules)
2825395 - ETPRO WEB_CLIENT Possible Adobe Flash FLV parsing OOB Memory Access (CVE-2017-2986) (web_client.rules)
2825396 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M1 (CVE-2017-2990) (web_client.rules)
2825397 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M2 (CVE-2017-2990) (web_client.rules)
2825398 - ETPRO EXPLOIT Flash Player Heap Overflow (CVE-2017-2992) (exploit.rules)
2825399 - ETPRO EXPLOIT Flash Player Memory Corruption (CVE-2017-2991) (exploit.rules)
2825400 - ETPRO WEB_CLIENT Microsoft Browser Information Disclosure Vulnerability (CVE-2017-0009) (web_client.rules)
2825401 - ETPRO WEB_CLIENT Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0015) (web_client.rules)
2825402 - ETPRO WEB_CLIENT Microsoft Edge Information Disclosure Vulnerability (CVE-2017-0017) (web_client.rules)
2825403 - ETPRO WEB_CLIENT Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-0018) (web_client.rules)
2825404 - ETPRO WEB_CLIENT Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0034) (web_client.rules)
2825405 - ETPRO WEB_CLIENT Microsoft IIS Server XSS Elevation of Privilege Vulnerability (CVE-2017-0055) (web_client.rules)
2825406 - ETPRO WEB_CLIENT Internet Explorer Information Disclosure Vulnerability (CVE-2017-0059) (web_client.rules)
2825407 - ETPRO EXPLOIT Windows GDI Information Disclosure vulnerability (CVE-2017-0060) (exploit.rules)
2825408 - ETPRO EXPLOIT GDI+ Information Disclosure Vulnerability (CVE-2017-0062) (exploit.rules)
2825409 - ETPRO WEB_CLIENT Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0067) (web_client.rules)
2825410 - ETPRO EXPLOIT Possible Edge SOP Bypass (CVE-2017-0066) (exploit.rules)
2825411 - ETPRO WEB_CLIENT Microsoft Edge Spoofing Vulnerability (CVE-2017-0069) (web_client.rules)
2825412 - ETPRO WEB_CLIENT Possible Edge JS UAF (CVE-2017-0070) (web_client.rules)
2825413 - ETPRO WEB_CLIENT Scripting Engine Memory Corruption Vulnerability (CVE-2017-0071) (web_client.rules)
2825414 - ETPRO EXPLOIT Uniscribe Remote Code Execution Vulnerability (CVE-2017-0072) (exploit.rules)
2825415 - ETPRO WEB_CLIENT Windows GDI+ Information Disclosure Vulnerability (CVE-2017-0073) (web_client.rules)
2825416 - ETPRO EXPLOIT Possible EXE Exploiting Win32k DDI EoP Inbound (CVE-2017-0078) (exploit.rules)
2825417 - ETPRO EXPLOIT Possible EXE Exploiting Win32k DDI EoP Inbound (CVE-2017-0079) (exploit.rules)
2825418 - ETPRO EXPLOIT Possible EXE Exploiting Win32k DDI Vulnerablity Inbound (CVE-2017-0080) (exploit.rules)
2825419 - ETPRO EXPLOIT Possible EXE Exploiting Win32k DDI Vulnerablity Inbound (CVE-2017-0081) (exploit.rules)
2825420 - ETPRO EXPLOIT Possible EXE Exploiting Win32k Vulnerablity Inbound (CVE-2017-0082) (exploit.rules)
2825421 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0083) (exploit.rules)
2825422 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0086) (exploit.rules)
2825423 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0087) (exploit.rules)
2825424 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0088) (exploit.rules)
2825425 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0089) (exploit.rules)
2825426 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0090) (exploit.rules)
2825427 - ETPRO WEB_CLIENT Internet Explorer Information Disclosure Vulnerability (CVE-2017-0094) (web_client.rules)
2825428 - ETPRO EXPLOIT Windows COM Elevation of Privilege Vulnerability (CVE-2017-0100) (exploit.rules)
2825429 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish Mar 14 2017 (current_events.rules)
2825430 - ETPRO EXPLOIT Windows Graphics Component Remote Code Execution Vulnerability (CVE-2017-0108) (exploit.rules)
2825431 - ETPRO EXPLOIT Windows Uniscribe Information Disclosure Vulnerability (CVE-2017-0121) (exploit.rules)
2825432 - ETPRO EXPLOIT Possible Internet Explorer Type Confusion (CVE-2017-0130) (exploit.rules)
2825433 - ETPRO EXPLOIT Possible Edge OOB Read Vulnerability (CVE-2017-0131) (exploit.rules)
2825434 - ETPRO EXPLOIT Possible Edge Core Type Confusion (CVE-2017-0133) (exploit.rules)
2825435 - ETPRO EXPLOIT Possible Edge Fetch API Vulnerability (CVE-2017-0140) (exploit.rules)
2825436 - ETPRO EXPLOIT Possible Edge Heap Overflow Access Violation (CVE-2017-0141) (exploit.rules)
2825437 - ETPRO EXPLOIT Possible Internet Explorer 11 UXSS (CVE-2017-0154) (exploit.rules)
2825438 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability (CVE-2017-2998) (web_client.rules)
2825439 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability (CVE-2017-2997) (web_client.rules)
2825440 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability (CVE-2017-2999) (web_client.rules)
2825441 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability (CVE-2017-3002) (web_client.rules)
2825442 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability (CVE-2017-3003) (web_client.rules)
2825443 - ETPRO CURRENT_EVENTS Successful Paypal Phish Mar 14 2017 (current_events.rules)
2825444 - ETPRO MOBILE_MALWARE Android/TrojanDownloader.Agent.BF APK Download (mobile_malware.rules)
2825445 - ETPRO CURRENT_EVENTS INTERAC Payment Multibank Phishing Landing Mar 14 2017 (current_events.rules)
2825446 - ETPRO CURRENT_EVENTS Successful IRS Phish Mar 14 2017 (current_events.rules)
2825447 - ETPRO TROJAN DNS Query to Cerber Domain (14udep . top) (trojan.rules)
2825448 - ETPRO TROJAN DNS Query to Cerber Domain (1bzolk . top) (trojan.rules)
2825449 - ETPRO TROJAN DNS Query to Cerber Domain (1axzcw . top) (trojan.rules)
2825450 - ETPRO TROJAN DNS Query to Cerber Domain (1jhnvt . top) (trojan.rules)
2825451 - ETPRO TROJAN DNS Query to Cerber Domain (1dsdm4 . top) (trojan.rules)
2825452 - ETPRO TROJAN DNS Query to Cerber Domain (13xwn9 . top) (trojan.rules)
2825453 - ETPRO TROJAN NexusLogger SSL Certificate (trojan.rules)
2825454 - ETPRO CURRENT_EVENTS Successful Yahoo Phish Mar 14 2017 (current_events.rules)
2825455 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.EzSpy.a CnC Beacon (mobile_malware.rules)
2825456 - ETPRO CURRENT_EVENTS Successful Email Settings Error Phish Mar 14 2017 (current_events.rules)
2825457 - ETPRO CURRENT_EVENTS Successful Chase Phish Mar 14 2017 (current_events.rules)
2825458 - ETPRO TROJAN Banload Variant Checkin (trojan.rules)
2825459 - ETPRO TROJAN ZLoader Malicious SSL Cert Observed (trojan.rules)
2825460 - ETPRO MOBILE_MALWARE Android.Adware.Iadpush.C Checkin (mobile_malware.rules)
2825461 - ETPRO CURRENT_EVENTS Successful Excel Online Phish Mar 14 2017 (current_events.rules)

[///]     Modified active rules:     [///]

2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
2821014 - ETPRO WEB_CLIENT suspicious .CAB containing single executable file (observed in maldoc campaign) (web_client.rules)
2825239 - ETPRO TROJAN Lets Encrypt Free SSL Cert Observed in Possible Apple Phishing (trojan.rules)

Date: Tuesday, March 14, 2017 - 00:00