[***] Summary: [***]

14 new OPEN, 26 new PRO (14 + 12). CVE-2021-41277, CVE-2021-42321,
CobaltStrike, Candiru, Various Others.

Thanks @TalosSecurity, @ESETresearch

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034518 - ET WEB_SPECIFIC_APPS Metabase Local File Inclusion Inbound
(CVE-2021-41277) (web_specific_apps.rules)
2034519 - ET EXPLOIT Microsoft Exchange Delete User Configuration - xbit
set 1 (CVE-2021-42321) (exploit.rules)
2034520 - ET EXPLOIT Microsoft Exchange Create User Configuration - xbit
set 2 (CVE-2021-42321) (exploit.rules)
2034521 - ET EXPLOIT Possible Microsoft Exchange Server Remote Code
Execution Inbound (CVE-2021-42321) (exploit.rules)
2034522 - ET TROJAN Candiru Related Domain in DNS Lookup (llink .link)
(trojan.rules)
2034523 - ET TROJAN Candiru Related Domain in DNS Lookup (cuturl .app)
(trojan.rules)
2034524 - ET TROJAN Candiru Related Domain in DNS Lookup (url-tiny .co)
(trojan.rules)
2034525 - ET TROJAN Candiru Related Domain in DNS Lookup (bitly .tel)
(trojan.rules)
2034526 - ET TROJAN Candiru Related Domain in DNS Lookup (instagrarn .co)
(trojan.rules)
2034527 - ET TROJAN Candiru Related Domain in DNS Lookup (cuturl .space)
(trojan.rules)
2034528 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034529 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034530 - ET EXPLOIT Possible FatPipe Unrestricted File Upload
(exploit.rules)
2034531 - ET EXPLOIT FatPipe Unrestricted File Upload (exploit.rules)

Pro:

2850527 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-11-18 1) (trojan.rules)
2850528 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-11-18 2) (trojan.rules)
2850529 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-11-18 3) (trojan.rules)
2850530 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-11-18 4) (trojan.rules)
2850531 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-11-18 5) (trojan.rules)
2850532 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-11-18 6) (trojan.rules)
2850533 - ETPRO INFO Brandfetch API Usage for Custom Logo M1 (info.rules)
2850534 - ETPRO INFO Brandfetch API Usage for Custom Logo M2 (info.rules)
2850535 - ETPRO INFO RiteKit API Usage for Custom Logo (info.rules)
2850536 - ETPRO INFO Klazify API Usage for Custom Logo (info.rules)
2850537 - ETPRO TROJAN CobaltStrike Malleable C2 Beacon (Chrome Omnibox)
(trojan.rules)
2850538 - ETPRO TROJAN Trojan-Downloader.MSIL File Download Request
(trojan.rules)

[///] Modified active rules: [///]

2029180 - ET TROJAN Win32/BlackNET CnC Requesting Command (trojan.rules)
2032527 - ET TROJAN Parallax CnC Response Activity M14 (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
