[***] Summary: [***]

14 new OPEN, 18 new PRO (14 + 4). ThunderN.A, ApoioViewer, TinyNuke, CloudAtlas, DonotGroup, Sabsik, Cisco/Citrix/D-Link Vulnerabilities, Raccoon Stealer.

Thanks: @Jane_0stin, @vxunderground, @h2jazi

Proofpoint is looking to hire a Product Manager to oversee the Emerging Threats products group. Interested? Check out the posting here <https://proofpoint.wd5.myworkdayjobs.com/ProofpointCareers/job/Sunnyval…>, and reach out with any questions.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034275 - ET TROJAN Win32.Application.ThunderN.A Checkin (trojan.rules)

2034276 - ET POLICY Observed ApoioViewer Remote Access Tool Domain (apoioviewer .com in TLS SNI) (policy.rules)

2034277 - ET EXPLOIT Cisco IP Phones Web Server Vulnerability (CVE-2020-3161) (exploit.rules)

2034278 - ET EXPLOIT Cisco RV320/RV325 RCE (CVE-2019-1653) (exploit.rules)

2034279 - ET EXPLOIT Citrix App Delivery Controller and Citrix Gateway M1 (CVE-2019-19781) (exploit.rules)

2034280 - ET EXPLOIT D-Link DIR-825 R1 Web Interface RCE (CVE-2020-29557) (exploit.rules)

2034281 - ET TROJAN TinyNuke VNC Checkin (trojan.rules)

2034282 - ET TROJAN Observed CloudAtlas APT Related Domain (checklicensekey .com in TLS SNI) (trojan.rules)

2034283 - ET TROJAN CloudAtlas APT Related CnC Domain in DNS Lookup (checklicensekey .com) (trojan.rules)

2034284 - ET TROJAN CloudAtlas APT Maldoc Activity (GET) (trojan.rules)

2034285 - ET TROJAN Observed DonotGroup Maldoc Related Domain (digitalresolve .live in TLS SNI) (trojan.rules)

2034286 - ET TROJAN DonotGroup Maldoc Related Domain in DNS Lookup (digitalresolve .live) (trojan.rules)

2034287 - ET TROJAN DonotGroup Maldoc Activity (GET) (trojan.rules)

2034288 - ET TROJAN Win32/Sabsik Config Downloader (trojan.rules)

Pro:

2850318 - ETPRO CURRENT_EVENTS Successful BBVA Phish 2021-10-28 (current_events.rules)

2850319 - ETPRO MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (telegalive .top) (malware.rules)

2850320 - ETPRO MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (ttmirror .top) (malware.rules)

2850321 - ETPRO MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (teletele .top) (malware.rules)

[///] Modified active rules: [///]

2033750 - ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 1 Inbound - Request Config Backup (CVE-2020-8260) (exploit.rules)

2033751 - ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 2 Inbound - Upload Malicious Config (CVE-2020-8260) (exploit.rules)

2847819 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-03-25 (current_events.rules)
