[***] Summary: [***]

2 new OPEN, 4 new PRO (2 + 2). CoinMiners, Kimsuky Maldoc, CVE-2021-45105

Thanks @ShadowChasing1

There will be no ET release tomorrow or Monday; we will resume normal operations on Tuesday, 12/28.

Check out the EmergingThreats log4j detection page here: https://github.com/EmergingThreats/log4shell-detection

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034839 - ET EXPLOIT Possible Apache log4j Uncontrolled Recursion Lookup (CVE-2021-45105) (exploit.rules)

2034840 - ET TROJAN Kimsuky Related Maldoc Retrieving Template (GET) (trojan.rules)

Pro:

2850726 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-23 1) (trojan.rules)

2850727 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-23 2) (trojan.rules)

[+++] Enabled and modified rules: [+++]

2034806 - ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)

[///] Modified active rules: [///]

2029829 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029830 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029831 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029832 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029833 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029835 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029836 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2031516 - ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M1 (policy.rules)

2031517 - ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M2 (policy.rules)

2031518 - ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M3 (policy.rules)

2031519 - ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M4 (policy.rules)

2031609 - ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M5 (policy.rules)

2033203 - ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) (trojan.rules)

2034237 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2034661 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol TCP (CVE-2021-44228) (info.rules)

2034662 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol UDP (CVE-2021-44228) (info.rules)

2034663 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228) (info.rules)

2034664 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (Outbound) (CVE-2021-44228) (info.rules)

2034665 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228) (info.rules)

2034666 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (udp) (CVE-2021-44228) (info.rules)

2034673 - ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (CVE-2021-44228) (exploit.rules)

2034674 - ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (CVE-2021-44228) (exploit.rules)

2034716 - ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (CVE-2021-44228) (exploit.rules)

2034717 - ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (CVE-2021-44228) (exploit.rules)

2034750 - ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (Outbound) (CVE-2021-44228) (exploit.rules)

2034751 - ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)

2034783 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol TCP (Outbound) (CVE-2021-44228) (info.rules)

2034784 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol UDP (Outbound) (CVE-2021-44228) (info.rules)

2034785 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (Outbound) (CVE-2021-44228) (info.rules)

2034786 - ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)

2034801 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (Outbound) (CVE-2021-44228) (info.rules)

2034802 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (Outbound) (CVE-2021-44228) (info.rules)

2034803 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (Outbound) (CVE-2021-44228) (info.rules)

2034805 - ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228) (exploit.rules)

2803567 - ETPRO POLICY Suspicious User-Agent (LuaSocket) (policy.rules)

2808845 - ETPRO TROJAN Backdoor.Win32.Bifrose.agn Checkin (trojan.rules)

2831005 - ETPRO POLICY Observed Suspicious SSL Cert (Possible KnowBe4 Phish Training) (policy.rules)

2832865 - ETPRO POLICY KnowBe4 Phish Training HTTP Request (policy.rules)

[///] Modified inactive rules: [///]

2029834 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2034671 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (CVE-2021-44228) (exploit.rules)

2034672 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (CVE-2021-44228) (exploit.rules)

2034702 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (CVE-2021-44228) (exploit.rules)

2034703 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (CVE-2021-44228) (exploit.rules)

2034804 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) (exploit.rules)

2034834 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) (exploit.rules)

2034835 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)

2034836 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)

[---] Disabled rules: [---]

2024930 - ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body (web_server.rules)
