[***] Summary: [***]
22 new OPEN, 23 new PRO (22 + 1)
Thanks @TeamT5_Official, @James_inthe_box, @crep1x, Kevin Ross
The Emerging Threats mailing list is migrating to Discourse. Please
visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
[+++] Added rules: [+++]
Open:
2044118 - ET EXPLOIT Possible ImageMagick (7.1.0-49) DOS PNG Upload Attempt (CVE-2022-44267) (exploit.rules)
2044119 - ET EXPLOIT Possible ImageMagick (7.1.0-49) DOS PNG Observed Inbound (CVE-2022-44267) (exploit.rules)
2044120 - ET EXPLOIT Possible ImageMagick (7.1.0-49) Arbitrary Remote Leak PNG Upload Attempt (CVE-2022-44268) (exploit.rules)
2044121 - ET HUNTING Terse Request for Zip File (GET) (hunting.rules)
2044122 - ET MALWARE Suspected NginxSpy Related Request (Inbound) (malware.rules)
2044123 - ET MALWARE NginxSpy Magic Bytes M2 (Inbound) (malware.rules)
2044124 - ET MALWARE NginxSpy Magic Bytes M1 (Outbound) (malware.rules)
2044127 - ET MALWARE Win32/Gamaredon CnC Activity (GET) (malware.rules)
2044128 - ET MALWARE Win32/Gamaredon CnC Activity (POST) (malware.rules)
2044129 - ET MALWARE Win32/Gamaredon CnC Activity (POST) (malware.rules)
2044130 - ET MALWARE Observed DNS Query to Gamaredon Domain (antargi .ru) (malware.rules)
2044131 - ET MALWARE Observed DNS Query to Gamaredon Domain (mohsengo .shop) (malware.rules)
2044132 - ET INFO Ex Libris Library Software DNS Lookup (info.rules)
2044133 - ET MALWARE Win32/RecordBreaker - Observed UA M6 (01785252112) (malware.rules)
2044134 - ET MALWARE Win32/RecordBreaker - Observed UA M7 (1235125521512) (malware.rules)
2044135 - ET MALWARE Win32/RecordBreaker - Observed UA M8 (125122112551) (malware.rules)
2044136 - ET INFO Possible SMTP Data Exfiltration - File Attachment Named Files.zip (info.rules)
2044137 - ET MALWARE Win32/DarkCloud Variant Exfil over SMTP (FirefoxCookies.json) (malware.rules)
2044138 - ET MALWARE Win32/Spy.Banker.AAGB Checkin (malware.rules)
2044139 - ET MALWARE Win32/Comrerop Checkin (malware.rules)
2044140 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .samples .muzikcitysound .com) (malware.rules)
2044141 - ET MALWARE SocGholish Domain in DNS Lookup (telemetry .usacyberpages .net) (malware.rules)
Pro:
2853333 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-02-02 1) (coinminer.rules)
[///] Modified inactive rules: [///]
2020099 - ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2 (web_client.rules)
2025091 - ET WEB_CLIENT Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393) (web_client.rules)
2034489 - ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET) (exploit.rules)
2043297 - ET MALWARE Observed DNS Query to Xworm Domain (su1d .nerdpol .ovh) (malware.rules)
2800975 - ETPRO ACTIVEX Internet_Explorer Use after free Vuln Addref ActiveX CLSID (activex.rules)
2800976 - ETPRO ACTIVEX Internet_Explorer Use after free Vuln Addref ActiveX ProgID (activex.rules)
2801968 - ETPRO WEB_CLIENT Apple Safari Right-to-Left Text Rendering Use After Free Vulnerability (Published Exploit) - SET (web_client.rules)
2801969 - ETPRO WEB_CLIENT Apple Safari Right-to-Left Text Rendering Use After Free Vulnerability (Published Exploit) (web_client.rules)
2803014 - ETPRO WEB_CLIENT Microsoft Internet Explorer selection.empty Use After Free (web_client.rules)
2803203 - ETPRO WEB_CLIENT Mozilla Firefox nsTreeRange Use After Free (web_client.rules)
2803434 - ETPRO WEB_CLIENT Mozilla Firefox OBJECT mChannel Use After Free Attempt (web_client.rules)
2805782 - ETPRO WEB_CLIENT Microsoft Internet Explorer style object Use After Free (web_client.rules)
2806004 - ETPRO WEB_CLIENT Microsoft Internet Explorer SetCapture Use After Free (web_client.rules)
2806009 - ETPRO WEB_CLIENT Microsoft Internet Explorer SLayoutRun Use After Free (web_client.rules)
2806010 - ETPRO WEB_CLIENT Microsoft Internet Explorer CPasteCommand Use After Free 1 (web_client.rules)
2806011 - ETPRO WEB_CLIENT Microsoft Internet Explorer CPasteCommand Use After Free 2 (web_client.rules)
2806012 - ETPRO WEB_CLIENT Microsoft Internet Explorer CPasteCommand Use After Free 1 (web_client.rules)
2806013 - ETPRO WEB_CLIENT Microsoft Internet Explorer CPasteCommand Use After Free 2 (web_client.rules)
2806014 - ETPRO WEB_CLIENT Microsoft Internet Explorer CObjectElement Use After Free (web_client.rules)
2806015 - ETPRO WEB_CLIENT Microsoft Internet Explorer CHTML Use After Free (web_client.rules)
2806107 - ETPRO WEB_CLIENT Microsoft Internet Explorer OnResize Use After Free (web_client.rules)
2806108 - ETPRO WEB_CLIENT Microsoft Internet Explorer saveHistory Use After Free 1 (web_client.rules)
2806109 - ETPRO WEB_CLIENT Microsoft Internet Explorer saveHistory Use After Free 2 (web_client.rules)
2806110 - ETPRO WEB_CLIENT Microsoft Internet Explorer CMarkupBehaviorContext Use After Free 1 (web_client.rules)
2806111 - ETPRO WEB_CLIENT Microsoft Internet Explorer CMarkupBehaviorContext Use After Free 2 (web_client.rules)
2806119 - ETPRO WEB_CLIENT Microsoft Internet Explorer SLayoutRun Use After Free 2 (web_client.rules)
2807801 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0298) (web_client.rules)
2808152 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1802) (web_client.rules)
2808153 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1804) (web_client.rules)
2808154 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1804) 2 (web_client.rules)
2808988 - ETPRO WEB_CLIENT Possible Internet Explorer Buffer use after free CVE-2014-4127 (web_client.rules)
2809722 - ETPRO WEB_CLIENT Possible Internet Explorer Use After Free (CVE-2015-0021) (web_client.rules)
2809724 - ETPRO WEB_CLIENT Possible Internet Explorer Use After Free (CVE-2015-0025) (web_client.rules)
2809725 - ETPRO WEB_CLIENT Possible Internet Explorer Use After Free (CVE-2015-0026) (web_client.rules)
2809738 - ETPRO WEB_CLIENT Internet Explorer Use After Free RCE (CVE-2015-0045) (web_client.rules)
2809741 - ETPRO WEB_CLIENT Internet Explorer CHTMLEditorProxy Use After Free (CVE-2015-0049) (web_client.rules)
2809743 - ETPRO WEB_CLIENT Internet Explorer CTreePos Use After Free (CVE-2015-0053) (web_client.rules)
2809744 - ETPRO WEB_CLIENT Internet Explorer CTreePos Use After Free (CVE-2015-0067) 1 (web_client.rules)
2809745 - ETPRO WEB_CLIENT Internet Explorer CTreePos Use After Free (CVE-2015-0067) 2 (web_client.rules)
2809747 - ETPRO WEB_CLIENT Internet Explorer CTreePos Use After Free (CVE-2015-0068) 2 (web_client.rules)
2810969 - ETPRO WEB_CLIENT Possible Internet Explorer CTitleElement Use After Free (CVE-2015-1714) (web_client.rules)
2814826 - ETPRO WEB_CLIENT IE Use After Free (CVE-2015-6064) (web_client.rules)
2814827 - ETPRO WEB_CLIENT IE Use After Free (CVE-2015-6065) (web_client.rules)
2815704 - ETPRO WEB_CLIENT MSIE Use After Free Exploit Attempt (CVE-2016-0002) (web_client.rules)
2821580 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After Free (CVE-2016-3322) (web_client.rules)
2822541 - ETPRO EXPLOIT Adobe Acrobat Reader Use After Free (CVE-2016-6946) (exploit.rules)
2822543 - ETPRO EXPLOIT Flash Player Use After Free (CVE-2016-6981) (exploit.rules)
2823141 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Use After Free Vulnerability (CVE-2016-7196) (web_client.rules)
2824318 - ETPRO WEB_CLIENT Possible Acrobat Reader JS Use After Free (CVE-2017-2955) (web_client.rules)
2824319 - ETPRO WEB_CLIENT Possible Acrobat Reader JS Use After Free (CVE-2017-2957) (web_client.rules)
2824320 - ETPRO WEB_CLIENT Possible Acrobat Reader JS Use After Free (CVE-2017-2958) (web_client.rules)
2825859 - ETPRO WEB_CLIENT Possible Adobe Reader CVE-2017-3014 Use After Free (web_client.rules)
2825865 - ETPRO WEB_CLIENT Possible Adobe Reader Use After Free CVE-2017-3027 (web_client.rules)
2825877 - ETPRO WEB_CLIENT Adobe Reader Use After Free CVE-2017-3047 (web_client.rules)
2825881 - ETPRO WEB_CLIENT Adobe Reader Use After Free CVE-2017-3057 (web_client.rules)
2827444 - ETPRO WEB_CLIENT Adobe Reader Use After Free CVE-2017-3113 (web_client.rules)
2829545 - ETPRO EXPLOIT Adobe Flash Use After Free (CVE-2018-4878) (exploit.rules)
2829617 - ETPRO EXPLOIT Adobe Flash Use After Free (CVE-2018-4877) (exploit.rules)
2829970 - ETPRO EXPLOIT Adobe Flash Use After Free (CVE-2018-4919) (exploit.rules)
2830892 - ETPRO EXPLOIT Acrobat Use After Free (CVE-2018-4952) (exploit.rules)
2830893 - ETPRO EXPLOIT Acrobat Use After Free (CVE-2018-4954) (exploit.rules)
[---] Disabled and modified rules: [---]
2839423 - ETPRO EXPLOIT_KIT PurpleFox EK Framework Certificate Observed (exploit_kit.rules)