[***] Summary: [***]
19 new OPEN, 41 new PRO (19 + 22). Multiple CVE, Magecart, Cobalt Strike, Win32/SCVReady, Ursnif, SmokeLoader, Various Phish.
Thanks @MBThreatIntel, @malwrhunterteam and @kyleehmke
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034256 - ET EXPLOIT Possible Apache Shiro 1.2.4 Cookie RememberME Deserial RCE (CVE-2016-4437) (exploit.rules)
2034257 - ET EXPLOIT Amcrest Camera and NVR Buffer Overflow Attempt (CVE-2020-5735) (exploit.rules)
2034258 - ET EXPLOIT Apache Solr RCE via Velocity Template M1 (CVE-2019-17558) (exploit.rules)
2034259 - ET EXPLOIT Apache Solr RCE via Velocity Template M2 (CVE-2019-17558) (exploit.rules)
2034260 - ET EXPLOIT Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution (CVE-2020-12133) (exploit.rules)
2034261 - ET EXPLOIT Confluence Server Path Traversal Vulnerability (CVE-2019-3398) (exploit.rules)
2034262 - ET EXPLOIT Cisco ASA and Firepower Path Traversal Vulnerability M1 (CVE-2020-3452) (exploit.rules)
2034263 - ET EXPLOIT Cisco ASA and Firepower Path Traversal Vulnerability M2 (CVE-2020-3452) (exploit.rules)
2034264 - ET TROJAN Recaptcha Magecart Skimmer Domain in DNS Lookup (magento-plugin .com) (trojan.rules)
2034265 - ET TROJAN Recaptcha Magecart Skimmer Domain in DNS Lookup (cdn-cgi .net) (trojan.rules)
2034266 - ET TROJAN Recaptcha Magecart Skimmer Domain in DNS Lookup (trustdomains .net) (trojan.rules)
2034267 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034268 - ET TROJAN Suspected Middle East Threat Group Domain in DNS Lookup (liveupdatedriver .com) (trojan.rules)
2034269 - ET TROJAN Suspected Middle East Threat Group Domain in DNS Lookup (dnsnamefinder .com) (trojan.rules)
2034270 - ET EXPLOIT PHP Melody v3.0 SQL Injection Attempt (exploit.rules)
2034271 - ET EXPLOIT PHP Melody v3.0 SQL Injection Attempt (exploit.rules)
2034272 - ET CURRENT_EVENTS Successful Generic Credential Phish Activity POST (current_events.rules)
2034273 - ET CURRENT_EVENTS Generic Credential Phish Activity GET (current_events.rules)
2034274 - ET CURRENT_EVENTS Successful Generic Credential Phish Activity POST (current_events.rules)
Pro:
2850296 - ETPRO TROJAN Observed Win32/SCVReady Loader User-Agent (trojan.rules)
2850297 - ETPRO TROJAN Win32/SCVReady Loader CnC Activity (trojan.rules)
2850298 - ETPRO TROJAN Win32/SCVReady Loader Requesting Payload (trojan.rules)
2850299 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-26 1) (trojan.rules)
2850300 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-26 2) (trojan.rules)
2850301 - ETPRO ACTIVEX CoinMiner Known Malicious Stratum Authline (2021-10-26 3) (activex.rules)
2850302 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-26 4) (trojan.rules)
2850303 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-26 5) (trojan.rules)
2850304 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-26 6) (trojan.rules)
2850305 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-27 1) (trojan.rules)
2850306 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-27 2) (trojan.rules)
2850307 - ETPRO EXPLOIT Possible FreeBSD NFSv4 Integer Overflow Inbound (CVE-2018-17157) (exploit.rules)
2850308 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2850309 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2850310 - ETPRO TROJAN Ursnif Variant CnC Beacon 15 (trojan.rules)
2850311 - ETPRO TROJAN Ursnif Variant CnC Beacon 16 (trojan.rules)
2850312 - ETPRO TROJAN Ursnif Variant CnC Beacon 17 (trojan.rules)
2850313 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2021-10-27 (current_events.rules)
2850314 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2021-10-26 (current_events.rules)
2850315 - ETPRO CURRENT_EVENTS Successful Swisscom Phish 2021-10-27 (current_events.rules)
2850316 - ETPRO MALWARE Observed SmokeLoader CnC Activity (malware.rules)
2850317 - ETPRO MALWARE Win32/njRAT Variant CnC Activity (9J) (malware.rules)