[***] Summary: [***]

24 new OPEN, 35 new PRO (24 + 11). More CVE-2021-44228, OWOWA Stealer, CoinMiners

Thanks @Securelist, @James_inthe_box

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034813 - ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern (trojan.rules)

2034814 - ET POLICY Vulnerable Java Version 14.0.x Detected (policy.rules)

2034815 - ET POLICY Vulnerable Java Version 15.0.x Detected (policy.rules)

2034816 - ET POLICY Vulnerable Java Version 16.0.x Detected (policy.rules)

2034817 - ET POLICY Vulnerable Java Version 17.0.x Detected (policy.rules)

2034818 - ET POLICY Serialized Java Object returned via LDAPv3 Response (policy.rules)

2034819 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4j .binaryedge .io) (attack_response.rules)

2034820 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4shell .huntress .com) (attack_response.rules)

2034821 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (kryptoslogic-cve-2021-44228 .com) (attack_response.rules)

2034822 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (ceye .io) (attack_response.rules)

2034823 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (oob .li) (attack_response.rules)

2034824 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (pwn .af) (attack_response.rules)

2034825 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (notburpcollaborator .net) (attack_response.rules)

2034826 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (scannermcscanface-edgescan .com) (attack_response.rules)

2034827 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (service .exfil .site) (attack_response.rules)

2034828 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (scanworld .net) (attack_response.rules)

2034829 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (dns .cyberwar .nl) (attack_response.rules)

2034830 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (log .exposedbotnets .ru) (attack_response.rules)

2034831 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (leakix .net) (attack_response.rules)

2034832 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (canarytokens .com) (attack_response.rules)

2034833 - ET TROJAN OWOWA Stealer CnC Domain in DNS Lookup (trojan.rules)

2034834 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/17 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) (exploit.rules)

2034835 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/17 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)

2034836 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/17 Obfuscation Observed (Outbound) (CVE-2021-44228) (exploit.rules)

Pro:

2850708 - ETPRO CURRENT_EVENTS Successful Union Bank of the Philippines OTP Phish 2021-12-21 (current_events.rules)

2850709 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 1) (trojan.rules)

2850710 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 2) (trojan.rules)

2850711 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 3) (trojan.rules)

2850712 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 5) (trojan.rules)

2850713 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 6) (trojan.rules)

2850714 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 7) (trojan.rules)

2850715 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 8) (trojan.rules)

2850716 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 9) (trojan.rules)

2850717 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 10) (trojan.rules)

2850718 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 11) (trojan.rules)

[///] Modified active rules: [///]

2034670 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (bingsearchlib .com) (attack_response.rules)

2034747 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (rce .ee) (attack_response.rules)

2034770 - ET POLICY JavaClass Returned Via Anonymous Outbound LDAPv3 Bind Request (policy.rules)
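The DNS rules added above (2034819 through 2034832) and the two modified ones here (2034670, 2034747) all fire on a resolver lookup for a domain that scanners or attackers embedded in a JNDI payload; the lookup itself is evidence that the querying host evaluated the injected string, which is why the rules sit in ATTACK_RESPONSE rather than EXPLOIT. The example below is added for this changelog and is not Emerging Threats or Suricata rule logic: it takes the de-fanged domains listed on this page, reassembles them, and runs a label-boundary suffix match over a few constructed resolver log lines in a hypothetical "src_ip qname qtype" format. Adapt the parser to your own resolver or Zeek dns.log layout.

```python
"""Flag resolver queries for the CVE-2021-44228 scanner/callback domains in this update.

Added example, not ET/Suricata rule logic. Log lines are constructed and the
"src_ip qname qtype" format is an assumption; swap LOG_RE for your resolver's format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Domains from the added and modified ATTACK_RESPONSE rules, with the
# changelog's de-fanging spaces removed.  Matched as the domain itself or any
# subdomain of it, never as a substring (see match_domain).
SCANNER_DOMAINS = {
    "log4j.binaryedge.io",            # 2034819
    "log4shell.huntress.com",         # 2034820
    "kryptoslogic-cve-2021-44228.com",  # 2034821
    "canarytokens.com",               # 2034832
}
CALLBACK_DOMAINS = {
    "ceye.io", "oob.li", "pwn.af", "notburpcollaborator.net",      # 2034822-2034825
    "scannermcscanface-edgescan.com", "service.exfil.site",        # 2034826-2034827
    "scanworld.net", "dns.cyberwar.nl", "log.exposedbotnets.ru",   # 2034828-2034830
    "leakix.net",                                                  # 2034831
    "bingsearchlib.com", "rce.ee",                                 # modified: 2034670, 2034747
}

# Hypothetical resolver log line: "<src_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$")


@dataclass(frozen=True)
class Hit:
    src_ip: str
    qname: str
    matched: str  # the listed domain that matched
    kind: str     # "scanner" or "callback"


def normalize(qname: str) -> str:
    """Lowercase and drop the trailing dot of an FQDN so comparisons are exact."""
    return qname.strip().rstrip(".").lower()


def match_domain(qname: str, domains: set[str]) -> str | None:
    """Return the listed domain that qname equals or is a subdomain of.

    Walks label suffixes (a.b.c -> a.b.c, b.c, c) instead of str.endswith, so
    "notleakix.net" does not match "leakix.net" but "x.leakix.net" does.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in domains:
            return suffix
    return None


def classify(qname: str) -> tuple[str, str] | None:
    """Map a query name to ("scanner"|"callback", matched_domain) or None."""
    for kind, domains in (("scanner", SCANNER_DOMAINS), ("callback", CALLBACK_DOMAINS)):
        hit = match_domain(qname, domains)
        if hit is not None:
            return kind, hit
    return None


def scan_log(lines: Iterable[str]) -> list[Hit]:
    """Parse resolver log lines and return one Hit per query for a listed domain."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:          # malformed or unrelated line: skip, never raise
            continue
        result = classify(m["qname"])
        if result is not None:
            kind, matched = result
            hits.append(Hit(m["src"], normalize(m["qname"]), matched, kind))
    return hits


def hosts_by_kind(hits: Iterable[Hit]) -> dict[str, set[str]]:
    """Group querying hosts by whether they hit a scanner or a callback domain."""
    out: dict[str, set[str]] = {"scanner": set(), "callback": set()}
    for h in hits:
        out[h.kind].add(h.src_ip)
    return out


# Constructed sample log (not real traffic).  Unique first labels mimic the
# per-target tokens scanners put in front of their base domain.
SAMPLE_LOG = [
    "10.0.5.23 x9f2k1.log4shell.huntress.com A",      # scanner, subdomain
    "10.0.5.23 abc.log4j.binaryedge.io A",             # scanner, subdomain
    "10.0.7.8 deadbeef.dns.cyberwar.nl. TXT",          # callback, trailing-dot FQDN
    "10.0.9.1 LOG4SHELL.HUNTRESS.COM A",               # scanner, exact, mixed case
    "10.0.9.1 www.example.com A",                      # benign
    "10.0.9.1 notleakix.net A",                        # benign: substring, not subdomain
    "this line is not a query record",                 # malformed, skipped
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.src_ip:<10} {hit.kind:<8} {hit.qname} (rule domain: {hit.matched})")
    print(hosts_by_kind(scan_log(SAMPLE_LOG)))
```

Two triage notes: a host that queries a scanner domain such as log4shell.huntress.com or log4j.binaryedge.io evaluated a test payload, so treat it as confirmed vulnerable even though the scanner itself is not hostile; and some listed domains (canarytokens.com, ceye.io) are also used by defenders, so a hit should be investigated rather than auto-blocked.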

[---] Disabled rules: [---]

2034804 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/17 Obfuscation Observed (Outbound) (CVE-2021-44228) (exploit.rules)

2034806 - ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/17 Obfuscation Observed (Outbound) (CVE-2021-44228) (exploit.rules)

[---] Removed rules: [---]

2832193 - ETPRO TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern (trojan.rules)

2850579 - ETPRO TROJAN Emotet CnC Beacon (trojan.rules)
