[***] Summary: [***]

9 new OPEN, 17 new PRO (9 + 8). Multiple CVE, APT/FamousSparrow,
TinyTurla, BazaLoader, Win32/NitroStealer/exoStub.

Thanks @ESETresearch

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034012 - ET TROJAN MirrorBlast Checkin (trojan.rules)
2034013 - ET TROJAN MSIL/Monitor.PCTattletale.A Checkin (POST) (trojan.rules)
2034014 - ET EXPLOIT Pulse Secure Post-Auth OS Command Injection (CVE-2019-11539) (exploit.rules)
2034015 - ET TROJAN APT/FamousSparrow Activity (POST) (trojan.rules)
2034016 - ET TROJAN APT/FamousSparrow CnC Domain in DNS Lookup (credits.offices-analytics .com) (trojan.rules)
2034017 - ET EXPLOIT Nagios XI Post-Auth Path Traversal (CVE-2021-37343) (exploit.rules)
2034018 - ET TROJAN TinyTurla CnC Activity (trojan.rules)
2034019 - ET POLICY Possible Autodiscover Credentials Leak via Basic Auth (policy.rules)
2034020 - ET TROJAN JS/Spy.Agent.AW Download (trojan.rules)

Pro:

2850032 - ETPRO TROJAN MSIL/TrojanDownloader.Agent.IUJ User-Agent (trojan.rules)
2850033 - ETPRO TROJAN BazaLoader Activity (GET) (trojan.rules)
2850034 - ETPRO TROJAN Win32/Remcos RAT Checkin 752 (trojan.rules)
2850035 - ETPRO MALWARE BazaLoader Activity (POST) (malware.rules)
2850036 - ETPRO TROJAN Suspected BazaLoader Activity (GET) (trojan.rules)
2850037 - ETPRO TROJAN Win32/NitroStealer/exoStub CnC Exfil M2 (trojan.rules)
2850038 - ETPRO TROJAN Suspected BazaLoader Activity M2 (GET) (trojan.rules)
2850039 - ETPRO TROJAN Suspected BazaLoader Activity (POST) (trojan.rules)

[///] Modified active rules: [///]

2020505 - ET TROJAN Win32.Sality.3 Checkin (trojan.rules)
2027904 - ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510) (exploit.rules)
2030804 - ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218) (exploit.rules)
2032904 - ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1 (exploit.rules)
2032905 - ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M2 (exploit.rules)
2032906 - ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M3 (exploit.rules)
2033749 - ET INFO Pulse Secure VPN Version Disclosure Attempt (info.rules)
2033750 - ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 1 Inbound - Request Config Backup (CVE-2020-8260) (exploit.rules)
2033751 - ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 2 Inbound - Upload Malicious Config (CVE-2020-8260) (exploit.rules)
2033752 - ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 3 Inbound - Execute Mal Config Trigger (CVE-2020-8260) (exploit.rules)
2033753 - ET EXPLOIT Pulse Secure VPN RCE Chain Stage 3 Inbound - Execute Mal Config Trigger, PoC Based (CVE-2020-8260) (exploit.rules)
2849913 - ETPRO TROJAN Generic AsyncRAT Style SSL Cert (trojan.rules)
2850031 - ETPRO EXPLOIT VMWare vCenter - Server Responded to Request For Path Vulnerable to RCE (CVE-2021-22005) (exploit.rules)

[---] Removed rules: [---]

2849899 - ETPRO TROJAN MirrorBlast Checkin (trojan.rules)
