[***] Summary: [***]
12 new OPEN, 68 new PRO (12 open + 56 PRO-only). Lemon_Duck, BazaLoader,
Multiple Exploit/CVE.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033609 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033610 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033611 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033612 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033613 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033614 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033615 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033616 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033617 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033618 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033619 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
2033620 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
Pro:
2849421 - ETPRO TROJAN BazaLoader CnC Activity 2021-07-27 (trojan.rules)
2849432 - ETPRO WEB_SPECIFIC_APPS YouPHPTube checkConfiguration.php
Remote Code Execution Inbound (CVE-2019-16124)
(web_specific_apps.rules)
2849433 - ETPRO DOS Possible Nginx 0-Length Headers Leak Denial of
Service Inbound (CVE-2019-9516) (dos.rules)
2849434 - ETPRO EXPLOIT Possible Apache Kylin REST API migrateCube
Command Injection Inbound (CVE-2020-1956) (exploit.rules)
2849435 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-28 1) (trojan.rules)
2849436 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-28 2) (trojan.rules)
2849437 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-28 3) (trojan.rules)
2849438 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-28 4) (trojan.rules)
2849439 - ETPRO EXPLOIT Possible Generic Java Deserialization
Attempt M1 (exploit.rules)
2849440 - ETPRO EXPLOIT Generic ysoserial Java Deserialization
Attempt over TCP M1 (exploit.rules)
2849441 - ETPRO EXPLOIT Generic ysoserial Java Deserialization
Attempt over TCP M2 (exploit.rules)
2849442 - ETPRO EXPLOIT Possible ysoserial CommonsCollections Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849443 - ETPRO EXPLOIT Possible ysoserial CommonsCollections Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849444 - ETPRO EXPLOIT Possible ysoserial CommonsCollections Java
Deserialization Attempt over TCP M3 (exploit.rules)
2849445 - ETPRO EXPLOIT Possible ysoserial Groovy Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849446 - ETPRO EXPLOIT Possible ysoserial Clojure Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849447 - ETPRO EXPLOIT Possible ysoserial Click Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849448 - ETPRO EXPLOIT Possible ysoserial Hibernate1 Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849449 - ETPRO EXPLOIT Possible ysoserial Hibernate2 Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849450 - ETPRO EXPLOIT Possible ysoserial JavassistWeld1 Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849451 - ETPRO EXPLOIT Possible ysoserial JBossInterceptors1 Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849452 - ETPRO EXPLOIT Possible ysoserial JRMPClient Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849453 - ETPRO EXPLOIT Possible ysoserial JSON1 Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849454 - ETPRO EXPLOIT Possible ysoserial MozillaRhino Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849455 - ETPRO EXPLOIT Possible ysoserial Myfaces1 Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849456 - ETPRO EXPLOIT Possible ysoserial Spring Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849457 - ETPRO EXPLOIT Possible ysoserial URLDNS Java
Deserialization Attempt over TCP M1 (exploit.rules)
2849458 - ETPRO EXPLOIT Possible Generic Java Deserialization
Attempt M2 (exploit.rules)
2849459 - ETPRO EXPLOIT Generic ysoserial Java Deserialization
Attempt over TCP M3 (exploit.rules)
2849460 - ETPRO EXPLOIT Generic ysoserial Java Deserialization
Attempt over TCP M4 (exploit.rules)
2849461 - ETPRO EXPLOIT Possible ysoserial CommonsCollections Java
Deserialization Attempt over TCP M4 (exploit.rules)
2849462 - ETPRO EXPLOIT Possible ysoserial CommonsCollections Java
Deserialization Attempt over TCP M5 (exploit.rules)
2849463 - ETPRO EXPLOIT Possible ysoserial CommonsCollections Java
Deserialization Attempt over TCP M6 (exploit.rules)
2849464 - ETPRO EXPLOIT Possible ysoserial Groovy Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849465 - ETPRO EXPLOIT Possible ysoserial Clojure Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849466 - ETPRO EXPLOIT Possible ysoserial Click Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849467 - ETPRO EXPLOIT Possible ysoserial Hibernate1 Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849468 - ETPRO EXPLOIT Possible ysoserial Hibernate2 Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849469 - ETPRO EXPLOIT Possible ysoserial JavassistWeld1 Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849470 - ETPRO EXPLOIT Possible ysoserial JBossInterceptors1 Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849471 - ETPRO EXPLOIT Possible ysoserial JRMPClient Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849472 - ETPRO EXPLOIT Possible ysoserial JSON1 Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849473 - ETPRO EXPLOIT Possible ysoserial MozillaRhino Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849474 - ETPRO EXPLOIT Possible ysoserial Myfaces1 Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849475 - ETPRO EXPLOIT Possible ysoserial Spring Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849476 - ETPRO EXPLOIT Possible ysoserial URLDNS Java
Deserialization Attempt over TCP M2 (exploit.rules)
2849477 - ETPRO DOS Dovecot Submission-Login and LMTP Infinite Loop
Denial-of-Service Inbound (CVE-2020-7046) (dos.rules)
2849478 - ETPRO EXPLOIT Gila CMS Image Upload Remote Code Execution
Inbound (CVE-2020-5514) (exploit.rules)
2849479 - ETPRO EXPLOIT Microsoft Windows SMBv3 Compression Remote
Code Execution Inbound (CVE-2020-0796) (exploit.rules)
2849480 - ETPRO TROJAN Observed Malicious SSL Cert
(WebMonitor/RevCode RAT CnC) (trojan.rules)
2849481 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Generic
Webmail Phish) (current_events.rules)
2849483 - ETPRO EXPLOIT Possible VMware Multiple Products
Configurator Command Injection Inbound (CVE-2020-4006) (exploit.rules)
2849484 - ETPRO MALWARE Metaquotes Setup Activity (malware.rules)
2849485 - ETPRO EXPLOIT Sonatype Nexus Repository Manager
ConstraintViolationFactory EL Injection Inbound (CVE-2020-10199)
(exploit.rules)
2849486 - ETPRO EXPLOIT Possible Generic Java Deserialization
Attempt M3 (exploit.rules)
2849487 - ETPRO EXPLOIT Veeam ONE XML External Entity Injection
Inbound (CVE-2020-15418/CVE-2020-15419) (exploit.rules)
[---] Disabled and modified rules: [---]
2024772 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre
Downloader CnC) cert (trojan.rules)
2024773 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre
Downloader CnC) 0 (trojan.rules)
2024774 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre
Downloader CnC) 1 (trojan.rules)
2024775 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre
Downloader CnC) 2 (trojan.rules)
2024776 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre
Downloader CnC) 3 (trojan.rules)
2024777 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre
Downloader CnC) 4 (trojan.rules)
2024778 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre
Downloader CnC) 5 (trojan.rules)
[---] Removed rules: [---]
2030263 - ET EXPLOIT Possible Attempted SMB RCE Exploitation M1
(CVE-2020-0796) (exploit.rules)
2030264 - ET EXPLOIT Possible Attempted SMB RCE Exploitation M2
(CVE-2020-0796) (exploit.rules)
2841453 - ETPRO EXPLOIT Possible SMBv3 Exploitation Attempt
(CVE-2020-0796) (exploit.rules)
2849421 - ETPRO MALWARE BazaLoader CnC Activity 2021-07-27 (malware.rules)
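Added example (not part of the Emerging Threats summary or of any ET tooling): a small parser for the update-summary layout above. It joins the wrapped rule titles back into one entry per SID, groups SIDs by section, extracts the rule file and any CVE identifiers from each title, and flags SIDs that appear in both the added and removed lists in one update (as 2849421 does here, where the rule moved from malware.rules to trojan.rules rather than being dropped). The SAMPLE string is a constructed subset of the lines in this summary; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the ET update summary above,
# kept in the same layout (wrapped titles, Open:/Pro: subheadings).
SAMPLE = """\
[***] Summary: [***]
12 new OPEN, 68 new PRO (12 + 56). Lemon_Duck, BazaLoader, Multiple
Exploit/CVE.
[+++] Added rules: [+++]
Open:
2033609 - ET TROJAN Lemon_Duck CnC Domain in DNS Lookup (trojan.rules)
Pro:
2849421 - ETPRO TROJAN BazaLoader CnC Activity 2021-07-27 (trojan.rules)
2849432 - ETPRO WEB_SPECIFIC_APPS YouPHPTube checkConfiguration.php
Remote Code Execution Inbound (CVE-2019-16124)
(web_specific_apps.rules)
2849487 - ETPRO EXPLOIT Veeam ONE XML External Entity Injection
Inbound (CVE-2020-15418/CVE-2020-15419) (exploit.rules)
[---] Disabled and modified rules: [---]
2024772 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre
Downloader CnC) cert (trojan.rules)
[---] Removed rules: [---]
2030263 - ET EXPLOIT Possible Attempted SMB RCE Exploitation M1
(CVE-2020-0796) (exploit.rules)
2849421 - ETPRO MALWARE BazaLoader CnC Activity 2021-07-27 (malware.rules)
"""

SECTION_RE = re.compile(r"^\[[*+-]{3}\]\s*(.+?):\s*\[[*+-]{3}\]$")
ENTRY_RE = re.compile(r"^(\d+)\s+-\s+(.*)$")
RULEFILE_RE = re.compile(r"\(([\w.-]+\.rules)\)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_summary(text):
    """Parse one update summary into a list of entry dicts.

    Each dict has: section, tier ('Open'/'Pro'), sid (int), msg, rulefile, cves.
    A line that does not start with '<sid> - ' is treated as the continuation
    of the previous entry's wrapped title.
    """
    entries, section, tier, current = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, tier, current = m.group(1), None, None
            continue
        if line in ("Open:", "Pro:"):
            tier, current = line[:-1], None
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {"section": section, "tier": tier,
                       "sid": int(m.group(1)), "msg": m.group(2)}
            entries.append(current)
        elif current is not None:
            current["msg"] += " " + line  # wrapped title continues here
    for e in entries:
        fm = RULEFILE_RE.search(e["msg"])
        e["rulefile"] = fm.group(1) if fm else None
        if fm:
            e["msg"] = e["msg"][: fm.start()].rstrip()
        e["cves"] = CVE_RE.findall(e["msg"])
        if e["tier"] is None:  # Disabled/Removed sections have no Open:/Pro: subheading
            e["tier"] = "Pro" if e["msg"].startswith("ETPRO") else "Open"
    return entries


def sids_by_section(entries):
    out = defaultdict(set)
    for e in entries:
        out[e["section"]].add(e["sid"])
    return dict(out)


def recategorised(entries):
    """SIDs both added and removed in the same update: the rule was moved
    between rule files (e.g. malware.rules -> trojan.rules), not dropped.
    Returns {sid: (old_rulefile, new_rulefile)}."""
    added = {e["sid"]: e for e in entries if e["section"] == "Added rules"}
    removed = {e["sid"]: e for e in entries if e["section"] == "Removed rules"}
    return {sid: (removed[sid]["rulefile"], added[sid]["rulefile"])
            for sid in added.keys() & removed.keys()}


def new_cve_coverage(entries):
    """CVE -> set of newly added SIDs referencing it; multi-CVE titles
    (CVE-A/CVE-B) are split so each CVE gets its own key."""
    out = defaultdict(set)
    for e in entries:
        if e["section"] == "Added rules":
            for cve in e["cves"]:
                out[cve].add(e["sid"])
    return dict(out)


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    for sec, sids in sids_by_section(parsed).items():
        print(f"{sec}: {sorted(sids)}")
    print("moved:", recategorised(parsed))
    print("new CVE coverage:", new_cve_coverage(parsed))
```

Feeding the full text of a daily summary to parse_summary() gives the same structure for every entry; the CVE index is the quick way to answer "which of today's new signatures cover a CVE we have exposed", and the recategorised() check keeps a SID that merely changed rule file from being mistaken for a dropped detection when comparing against a local sid list.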