CERT mailing list archives
AA20-182A: EINSTEIN Data Trends – 30-day Lookback
From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Tue, 30 Jun 2020 21:17:54 +0000
Cybersecurity and Infrastructure Security Agency
National Cyber Awareness System: AA20-182A: EINSTEIN Data Trends – 30-day Lookback [ https://www.us-cert.gov/ncas/alerts/aa20-182a ]
06/30/2020 10:34 AM EDT
Original release date: June 30, 2020

Summary

Cybersecurity and Infrastructure Security Agency (CISA) analysts have compiled the top detection signatures that have been the most active over the month of May in our national Intrusion Detection System (IDS), known as EINSTEIN. This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats.

An IDS is a network tool that uses sensors to monitor inbound and outbound traffic for any type of suspicious activity or known threats, alerting analysts when a specific traffic pattern matches an associated threat. An IDS allows users to deploy signatures on these boundary sensors to look for the specific pattern, or network indicator, associated with a known threat.

The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government. By collecting information from participating federal government agencies, CISA builds and enhances our Nation's cyber-related situational awareness. The signatures CISA created have been included below for analysts across various organizations to use in enhancing their own network defenses.

Note: CISA has created and tested these signatures in an environment that might not be the same for all organizations, so administrators may need to make changes or updates before using the following signatures in their local environments.

Technical Details

Note: the Snort signatures below accounted for over 90 percent of what CISA analysts identified as potential threats using the IDS system for detection.

1. NetSupport Manager RAT

Description

The NetSupport Manager Remote Access Tool (RAT) is a legitimate program that, once installed on a victim's machine, allows remote administrative control. In a malicious context, it can, among many other functions, be used to steal information. Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications.

Examples

* In January 2020, Palo Alto researchers observed the abuse of NetSupport in targeted phishing email campaigns.[1] [ https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/ ]
* In November 2019, Zscaler researchers observed software update-themed campaigns tricking users into installing a malicious NetSupport Manager RAT.[2] [ https://www.zscaler.com/blogs/research/netsupport-rat-installed-fake-update-notices ]
* The earliest malicious use of NetSupport was seen in a phishing email campaign reported by FireEye researchers in April 2018.[3] [ https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html ]

Snort Signature

# Flowbit names are not given in the published rule (the empty names after "isnotset," and "set,"); fill them in, and add a local sid, before loading.
alert tcp any any -> any $HTTP_PORTS (msg:"NetSupportManager:HTTP Client Header contains 'User-Agent|3a 20|NetSupport Manager/'"; flow:established,to_server; flowbits:isnotset,.tagged; content:"User-Agent|3a 20|NetSupport Manager/"; http_header; fast_pattern:only; content:"CMD="; nocase; http_client_body; depth:4; content:"POST"; nocase; http_method; flowbits:set,.; classtype:http-header; reference:url,unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/; reference:url,www.pentestpartners.com/security-blog/how-to-reverse-engineer-a-protocol/; reference:url,github.com/silence-is-best/c2db;)

2. Kovter

Description

Kovter is a fileless Trojan with several variants. This malware started as ransomware that malicious actors used to trick victims into thinking that they need to pay their local police a fine.
Cyber actors have also used Kovter to perform click-fraud operations to infect targets and send stolen information from the target machines to command and control servers. Kovter's evolving features have allowed this malware to rank among the Center for Internet Security's most prolific malware year after year.[4] [ https://www.cisecurity.org/blog/top-10-malware-april-2020/ ]

See CISA's Webinar on Combatting Ransomware [ https://youtu.be/D8kC07tu27A?t=671 ] for additional information on Kovter.

Snort Signature

# The flowbit name is not given in the published rule (the empty name after "isnotset,"); fill it in, and add a local sid, before loading.
alert tcp any any -> any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server"; flow:established,to_server; flowbits:isnotset,.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; classtype:nonstd-tcp; reference:url,www.malware-traffic-analysis.net/2017/06/29/index2.html;)

3. XMRig

Description

XMRig is a type of cryptocurrency miner that uses the resources of an unsuspecting infected machine to mine Monero, a type of cryptocurrency. XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active.
Snort Signature

# Flowbit names are not given in the published rule (the empty names after "isnotset" and "set,"); fill them in, and add a local sid, before loading.
alert tcp any any -> any !25 (msg:"XMRIG:Non-Std TCP Client Traffic contains JSONRPC 2.0 Config Data"; flow:established,to_server; flowbits:isnotset; content:"|22|jsonrpc|22 3a 22|2.0|22|"; distance:0; content:"|22|method|22 3a 22|login|22|"; distance:0; content:"|22|agent|22 3a 22|XMRig"; nocase; distance:0; fast_pattern; content:"libuv/"; nocase; distance:0; content:!"|22|login|22 3a 22|x|22|"; flowbits:set,; classtype:nonstd-tcp; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1101;)

Mitigations

CISA recommends using the following best practices to strengthen the security posture of an organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

* Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code [ https://www.us-cert.gov/ncas/tips/ST18-271 ].
* Ensure systems have the latest security updates. See Understanding Patches and Software Updates [ https://www.us-cert.gov/ncas/tips/ST04-006 ].
* Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
* Restrict users' permissions to install and run unwanted software applications. Do not add users to the local administrators group unless required.
* Enforce a strong password policy. See Choosing and Protecting Passwords [ https://www.us-cert.gov/ncas/tips/ST04-002 ].
* Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments [ https://www.us-cert.gov/ncas/tips/ST04-010 ].
* Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests.
* Disable unnecessary services on agency workstations and servers.
* Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
* Monitor users' web browsing habits; restrict access to sites with unfavorable content.
* Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
* Scan all software downloaded from the internet prior to executing.
* Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs). Sign up [ https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ] to receive CISA's alerts on security topics and threats.
* Sign up for CISA's free vulnerability scanning and testing services to help organizations secure internet-facing systems from weak configuration and known vulnerabilities. Email vulnerability_info () cisa dhs gov to sign up. See https://www.cisa.gov/cyber-resource-hub for more information about vulnerability scanning and other CISA cybersecurity assessment services.
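The Kovter HTTP signature from the Technical Details section, re-expressed as a stand-alone Python check so its content and pcre tests can be exercised on sample traffic before the rule is tuned for a local sensor. This is an added example, not CISA's code; it assumes the http_header buffer starts after the request line and keeps each header's CRLF, and the request bytes, 203.0.113.10 and forms.example.com are constructed values.

```python
import re

# Constructed sample shaped like the traffic the Kovter signature describes
# (made up for this example, not a capture of real malware traffic).
SAMPLE_HIT = (
    b"POST / HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Content-Length: 248\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n" + b"QUJD" * 62          # 248 bytes of base64
)
# A normal browser form post: named host plus a Referer header, so it must not alert.
SAMPLE_MISS = SAMPLE_HIT.replace(b"Host: 203.0.113.10", b"Host: forms.example.com").replace(
    b"User-Agent:", b"Referer: https://forms.example.com/\r\nUser-Agent:")

# The two pcre options from the rule, verbatim: /P runs over the client body, /H over the headers.
BODY_B64 = re.compile(rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$")
HEADER_SHAPE = re.compile(
    rb"User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20"
    rb"[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$")

def split_request(raw: bytes):
    """Return (headers, body) as the http_header / http_client_body buffers see them:
    headers exclude the request line and the blank line but keep each CRLF (assumption)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    return head.partition(b"\r\n")[2] + b"\r\n", body

def kovter_rule_matches(raw: bytes) -> bool:
    """Apply every content/pcre test of the Kovter rule; all must hold, as in Snort."""
    parts = split_request(raw)
    if parts is None:
        return False
    headers, body = parts
    return all([
        raw[:15] == b"POST / HTTP/1.1",                                      # depth:15
        b"Content-Type: application/x-www-form-urlencoded" in headers[:47],  # http_header; depth:47
        b"User-Agent: Mozilla/" in headers,
        b"loadcurrency" not in raw.lower(),                                  # content:!...; nocase
        b"Accept" not in headers,                                            # real browsers send Accept
        b"Referer:" not in headers,
        b"cookie:" not in headers.lower(),
        BODY_B64.match(body) is not None,                                    # body is pure base64
        HEADER_SHAPE.search(headers) is not None,                            # fixed header order, IP host
    ])
```

The negated contents are what keep ordinary form posts from alerting; removing any one of them in a local copy of the rule is the quickest way to see the false-positive rate climb.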
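The XMRig signature from the Technical Details section, re-expressed in Python as the same ordered-content chain plus a parsed view of the JSON-RPC login for the analyst. This is an added example, not CISA's or the XMRig project's code; the login message, port 3333, the version strings and the WALLET_PLACEHOLDER value are constructed.

```python
import json

# Constructed JSON-RPC login shaped like a miner's first message to a pool
# (made up for this example; the wallet value is a placeholder, not a real address).
SAMPLE_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
                b'"pass":"x","agent":"XMRig/5.11.1 (Windows NT 10.0; Win64; x64) libuv/1.34.0 msvc/2019",'
                b'"algo":["cn/r","rx/0"]}}\n')
# Same shape but login "x", which the rule's content:! clause excludes.
SAMPLE_EXCLUDED = SAMPLE_LOGIN.replace(b'"login":"WALLET_PLACEHOLDER"', b'"login":"x"')
# Unrelated JSON-RPC login on a non-SMTP port: must not match.
SAMPLE_OTHER = b'{"jsonrpc":"2.0","method":"login","params":{"agent":"curl/7.68.0"}}\n'

# The content chain from the rule in order (distance:0), with nocase where the rule says so.
ORDERED_NEEDLES = [
    (b'"jsonrpc":"2.0"', False),
    (b'"method":"login"', False),
    (b'"agent":"XMRig', True),
    (b'libuv/', True),
]
NEGATED = b'"login":"x"'

def xmrig_rule_matches(payload: bytes, dst_port: int) -> bool:
    """Each needle must appear after the previous one, the destination port must not
    be 25 (the rule's !25), and the negated login string must be absent."""
    if dst_port == 25:
        return False
    pos = 0
    for needle, nocase in ORDERED_NEEDLES:
        hay, pat = (payload.lower(), needle.lower()) if nocase else (payload, needle)
        idx = hay.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return NEGATED not in payload

def login_agent(payload: bytes):
    """Parsed view for triage: the agent string from a JSON-RPC 2.0 login, or None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if msg.get("jsonrpc") == "2.0" and msg.get("method") == "login":
        return msg.get("params", {}).get("agent")
    return None
```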
Resources

* https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/
* https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/
* https://www.zdnet.com/article/new-lokibot-trojan-malware-campaign-comes-disguised-as-a-popular-game-launcher/
* https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless
* https://www.varonis.com/blog/what-is-mimikatz/

References

* [1] Palo Alto: Cortex XDR Detects New Phishing Campaign Installing NetSupport Manager RAT [ https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/ ]
* [2] Zscaler: NetSupport RAT installed via fake update notices [ https://www.zscaler.com/blogs/research/netsupport-rat-installed-fake-update-notices ]
* [3] FireEye: Fake Software Update Abuses NetSupport Remote Access Tool [ https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html ]
* [4] Center for Internet Security: Top 10 Malware April 2020 [ https://www.cisecurity.org/blog/top-10-malware-april-2020/ ]

Revisions

* June 30, 2020: Initial Version

This product is provided subject to this Notification [ https://www.us-cert.gov/privacy/notification ] and this Privacy & Use [ https://www.dhs.gov/privacy-policy ] policy.