[***] Summary: [***]

19 new OPEN, 31 new PRO (19 + 12) Gasket, Chisel, Mespinoza,
Sonicwall SMA and SRA Exploits, CVE-2021-31250, and DTLoader.

Thanks @ThingzEye, @malwrhunterteam, @ConnectWise

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033338 - ET SCAN Baidu Spider Webcrawler User Agent - inbound (scan.rules)
2033339 - ET TROJAN Gasket CnC Checkin (trojan.rules)
2033340 - ET TROJAN Gasket Requesting Commands from CnC (trojan.rules)
2033341 - ET TROJAN Gasket Submitting Logs to CnC (trojan.rules)
2033342 - ET POLICY Chisel SOCKS Proxy Startup Observed (policy.rules)
2033343 - ET TROJAN Mespinoza Ransomware - Pre-Encryption File Exfil to CnC (trojan.rules)
2033344 - ET TROJAN Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI) (trojan.rules)
2033345 - ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA Authentication Bypass (management) (CVE-2021-20016) (exploit.rules)
2033346 - ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (sslvpnclient) (CVE-2021-20016) (exploit.rules)
2033347 - ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (portal) (CVE-2021-20016) (exploit.rules)
2033348 - ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SRA SQLi (CVE-2019-7481) (exploit.rules)
2033349 - ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M1 (exploit.rules)
2033350 - ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M2 (exploit.rules)
2033351 - ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M3 (exploit.rules)
2033352 - ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M4 (exploit.rules)
2033353 - ET EXPLOIT Stored XSS and Webpass IoT devices CVE-2021-31643 (exploit.rules)
2033354 - ET POLICY External IP Address Request via wttr .in (policy.rules)
2033355 - ET INFO Windows Powershell User-Agent Usage (info.rules)
2033356 - ET TROJAN DTLoader Binary Request M2 (trojan.rules)

Pro:

2849311 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849312 - ETPRO TROJAN TrickBot Related Activity (GET) (trojan.rules)
2849313 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-15 1) (trojan.rules)
2849314 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-15 2) (trojan.rules)
2849315 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-15 3) (trojan.rules)
2849316 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-15 4) (trojan.rules)
2849317 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-15 5) (trojan.rules)
2849318 - ETPRO CURRENT_EVENTS Successful RBFCU Phish 2021-07-16 (current_events.rules)
2849319 - ETPRO CURRENT_EVENTS Successful Chase Phish 2021-07-16 (current_events.rules)
2849320 - ETPRO INFO Suspicious Multiple Dashes in HTTP URI (Possible Exfil) (info.rules)
2849321 - ETPRO INFO Suspicious Multiple Spaces in HTTP URI (Possible Exfil) (info.rules)
2849322 - ETPRO INFO Incorrect User-Agent Header (UserAgent) (info.rules)

[///] Modified active rules: [///]

2009486 - ET TROJAN APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent (Windows+NT+5.x) (trojan.rules)
2033172 - ET TROJAN ReverseRAT Activity (POST) M4 (trojan.rules)
2832389 - ETPRO POLICY External IP Lookup Service (sohu .com cityjson) (policy.rules)
2839790 - ETPRO INFO Windows BITS UA Retrieving EXE (info.rules)
2842588 - ETPRO INFO Windows BITS UA Retrieving EXE M2 (info.rules)
2843841 - ETPRO TROJAN YAHOOYLO Stealer CnC Activity (trojan.rules)

[---] Disabled and modified rules: [---]

2835362 - ETPRO CURRENT_EVENTS MalDoc Requesting EXE Payload 2019-03-14 (current_events.rules)

[---] Removed rules: [---]

2033002 - ET SCAN Baidu Spider Webcrawler User Agent - inbound (scan.rules)
