
AA20-182A: EINSTEIN Data Trends – 30-day Lookback


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Tue, 30 Jun 2020 21:17:54 +0000


National Cyber Awareness System:



AA20-182A: EINSTEIN Data Trends – 30-day Lookback [ https://www.us-cert.gov/ncas/alerts/aa20-182a ] 06/30/2020 10:34 AM EDT
Original release date: June 30, 2020

Summary

Cybersecurity and Infrastructure Security Agency (CISA) analysts have compiled the top detection signatures that have 
been the most active over the month of May in our national Intrusion Detection System (IDS), known as EINSTEIN. This 
information is meant to give the reader a closer look into what analysts are seeing at the national level and provide 
technical details on some of the most active threats.

An IDS is a network tool that uses sensors to monitor inbound and outbound traffic for any type of suspicious activity 
or known threat, alerting analysts when a specific traffic pattern matches an associated threat. An IDS allows users to 
deploy signatures on these boundary sensors to look for the specific pattern, or network indicator, associated with a 
known threat.

The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security 
information across the federal civilian government. By collecting information from participating federal government 
agencies, CISA builds and enhances our Nation's cyber-related situational awareness.

The signatures CISA created have been included below for analysts across various organizations to use in enhancing 
their own network defenses. Note: CISA has created and tested these signatures in an environment that might not be 
the same for all organizations, so administrators may need to make changes or updates before using the following 
signatures in their local environments.

Technical Details

Note: the Snort signatures below accounted for over 90 percent of what CISA analysts identified as potential threats 
using the IDS system for detection.

1. NetSupport Manager RAT

Description

The NetSupport Manager Remote Access Tool (RAT) is a legitimate program that, once installed on a victim's machine, 
allows remote administrative control. In a malicious context, it can, among many other functions, be used to steal 
information. Malicious RATs can be difficult to detect because they do not normally appear in lists of running 
programs, and they can mimic the behavior of legitimate applications.

Examples

In January 2020, Palo Alto researchers observed the abuse of NetSupport in targeted phishing email campaigns.[1] [ 
https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/ ] In November 2019, Zscaler 
researchers observed software update-themed campaigns tricking users into installing a malicious NetSupport Manager 
RAT.[2] [ https://www.zscaler.com/blogs/research/netsupport-rat-installed-fake-update-notices ] The earliest malicious 
use of NetSupport was seen in a phishing email campaign reported by FireEye researchers in April 2018.[3] [ 
https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html ]

Snort Signature

# Note: in the published rule the flowbit names (flowbits:isnotset,.tagged / flowbits:set,.) appear truncated, no sid is given,
# and classtype http-header is not in Snort's default classification.config; supply local values for these before loading.
alert tcp any any -> any $HTTP_PORTS (msg:"NetSupportManager:HTTP Client Header contains 'User-Agent|3a 20|NetSupport Manager/'"; flow:established,to_server; flowbits:isnotset,.tagged; content:"User-Agent|3a 20|NetSupport Manager/"; http_header; fast_pattern:only; content:"CMD="; nocase; http_client_body; depth:4; content:"POST"; nocase; http_method; flowbits:set,.; classtype:http-header; reference:url,unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/; reference:url,www.pentestpartners.com/security-blog/how-to-reverse-engineer-a-protocol/; reference:url,github.com/silence-is-best/c2db; sid:<LOCAL_SID>;)

2. Kovter

Description

Kovter is a fileless Trojan with several variants. This malware started as ransomware that malicious actors used to 
trick victims into thinking that they need to pay their local police a fine. Cyber actors have also used Kovter to 
perform click-fraud operations to infect targets and send stolen information from the target machines to command and 
control servers. Kovter's evolving features have allowed this malware to rank among the Center for Internet Security's 
most prolific malware year after year.[4] [ https://www.cisecurity.org/blog/top-10-malware-april-2020/ ] See CISA's 
Webinar on Combatting Ransomware [ https://youtu.be/D8kC07tu27A?t=671 ] for additional information on Kovter.

Snort Signature

# Note: in the published rule the flowbit name (flowbits:isnotset,.tagged) appears truncated, no sid is given, and
# classtype nonstd-tcp is not in Snort's default classification.config; supply local values for these before loading.
alert tcp any any -> any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server"; flow:established,to_server; flowbits:isnotset,.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; classtype:nonstd-tcp; reference:url,www.malware-traffic-analysis.net/2017/06/29/index2.html; sid:<LOCAL_SID>;)

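To make visible what the NetSupport Manager and Kovter rules above actually key on, here is an added Python re-implementation of their header and body conditions. It is not CISA's code and not a substitute for running the rules in Snort: the minimal request parser only approximates Snort's http_method, http_header and http_client_body buffers, and all three HTTP requests (a NetSupport-shaped beacon, a Kovter-shaped POST with a base64 body, and an ordinary browser form post), including the IP addresses and the base64 content, are constructed for the demonstration.

```python
"""Re-implementation, in plain Python, of the header and body conditions of the
NetSupport Manager and Kovter Snort rules, for exercising them offline.
Added illustration, not CISA code: the request parser only approximates Snort's
http_header / http_client_body buffers, and all traffic below is constructed."""
import base64
import re

# Constructed request in the shape the NetSupport rule describes.
NETSUPPORT_REQUEST = (
    b"POST /fakeurl.htm HTTP/1.1\r\n"
    b"User-Agent: NetSupport Manager/1.3\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 8\r\n\r\n"
    b"CMD=POLL"
)

# Constructed Kovter-shaped POST: 99 zero bytes encode to 132 unpadded base64
# characters, which satisfies both the body PCRE and the Content-Length range.
KOVTER_BODY = base64.b64encode(b"\x00" * 99)
KOVTER_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)\r\n"
    b"Host: 198.51.100.23\r\n"
    b"Content-Length: 132\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
) + KOVTER_BODY

# Constructed ordinary browser form post; neither rule should fire on it.
BENIGN_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n"
    b"Referer: https://www.example.com/form\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n\r\n"
    b"user=bob&cmd=POLL"
)


def parse_request(raw: bytes) -> dict:
    """Split a request into the buffers the rules inspect: method (http_method),
    the header block after the request line (http_header) and the body (http_client_body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    return {
        "method": request_line.split(b" ", 1)[0],
        "header_block": b"\r\n".join(header_lines) + b"\r\n\r\n",
        "body": body,
    }


def netsupport_match(raw: bytes) -> bool:
    """POST method, NetSupport User-Agent header, body starting with CMD= (depth:4, nocase)."""
    req = parse_request(raw)
    return (
        req["method"].upper() == b"POST"
        and b"User-Agent: NetSupport Manager/" in req["header_block"]
        and req["body"][:4].upper() == b"CMD="
    )


# pcre .../P: the entire client body is a single base64 string.
KOVTER_BODY_RE = re.compile(
    rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
)
# pcre .../H: User-Agent, then Host as a dotted IP literal, then a 3- or 4-digit
# Content-Length whose first digit is 1-5, then Cache-Control or Pragma as the last header.
KOVTER_HEADER_RE = re.compile(
    rb"User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\n"
    rb"Content-Length\x3a\x20[1-5][0-9]{2,3}\r\n"
    rb"(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$"
)


def kovter_match(raw: bytes) -> bool:
    """Every positive and negated content option of the Kovter rule, in rule order."""
    req = parse_request(raw)
    hdr = req["header_block"]
    return (
        raw[:15] == b"POST / HTTP/1.1"                                      # depth:15 on the payload
        and hdr[:47] == b"Content-Type: application/x-www-form-urlencoded"  # http_header; depth:47
        and b"User-Agent: Mozilla/" in hdr
        and b"LOADCURRENCY" not in raw.upper()                             # content:!...; nocase
        and b"Accept" not in hdr                                           # content:!"Accept"; http_header
        and b"Referer:" not in hdr
        and b"COOKIE:" not in hdr.upper()                                  # content:!"Cookie|3a|"; nocase
        and KOVTER_BODY_RE.search(req["body"]) is not None
        and KOVTER_HEADER_RE.search(hdr) is not None
    )


if __name__ == "__main__":
    for name, sample in [("netsupport", NETSUPPORT_REQUEST),
                         ("kovter", KOVTER_REQUEST), ("benign", BENIGN_REQUEST)]:
        print(f"{name}: netsupport={netsupport_match(sample)} kovter={kovter_match(sample)}")
```

Running the module prints which sample each check fires on. Worth noticing is how much of the Kovter rule is negation and header ordering rather than a single indicator: no Accept, Referer or Cookie header, and User-Agent, Host (as an IP literal), Content-Length and Cache-Control/Pragma in exactly that sequence. The browser-shaped form post fails the match even though it is a POST to "/" with a form Content-Type, which is what keeps a rule this broad in scope from firing on normal web traffic.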
3. XMRig

Description

XMRig is a type of cryptocurrency miner that uses the resources of an unsuspecting infected machine to mine Monero, a 
type of cryptocurrency. XMRig can cause a victim computer to overheat and perform poorly by using additional system 
resources that would otherwise not be active.

Snort Signature

# Note: in the published rule the flowbit names are missing (flowbits:isnotset; / flowbits:set,;), no sid is given, and
# classtype nonstd-tcp is not in Snort's default classification.config; supply local values for these before loading.
alert tcp any any -> any !25 (msg:"XMRIG:Non-Std TCP Client Traffic contains JSONRPC 2.0 Config Data"; flow:established,to_server; flowbits:isnotset; content:"|22|jsonrpc|22 3a 22|2.0|22|"; distance:0; content:"|22|method|22 3a 22|login|22|"; distance:0; content:"|22|agent|22 3a 22|XMRig"; nocase; distance:0; fast_pattern; content:"libuv/"; nocase; distance:0; content:!"|22|login|22 3a 22|x|22|"; flowbits:set,; classtype:nonstd-tcp; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1101; sid:<LOCAL_SID>;)

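As an added example, not part of the alert, the same treatment for the XMRig rule: its ordered content chain (each option at distance:0 from the previous match) and the negated `"login":"x"` option re-implemented in Python and run over constructed stratum-style JSON-RPC login messages. The wallet value is a labelled placeholder, the agent strings are constructed, and the check looks only at the payload, so the rule's port condition (any TCP port except 25) is not modelled.

```python
"""Re-implementation of the content options of the XMRig Snort rule in Python so
they can be exercised offline.  Added illustration, not CISA's rule or code; the
messages below are constructed in the shape of a miner's JSON-RPC login, not
captured traffic."""
import json

# Constructed: field order the rule expects (jsonrpc, method, agent, libuv/),
# with a placeholder in place of a wallet address.
XMRIG_LOGIN = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
    b'"pass":"x","agent":"XMRig/5.11.1 (Windows NT 10.0; Win64; x64) libuv/1.34.0 msvc/2019",'
    b'"algo":["cn/r","rx/0"]}}\n'
)

# Constructed: same message, but login is exactly "x", which the rule negates.
XMRIG_LOGIN_X = XMRIG_LOGIN.replace(b'"login":"WALLET_PLACEHOLDER"', b'"login":"x"')

# Constructed: a different client string, so the agent / libuv chain is not met.
OTHER_CLIENT_LOGIN = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
    b'"pass":"x","agent":"some-other-miner/1.0","algo":["rx/0"]}}\n'
)

# (needle, nocase) in rule order; each must be found after the previous match
# (distance:0), mirroring the Snort content chain.
CONTENT_CHAIN = [
    (b'"jsonrpc":"2.0"', False),   # content:"|22|jsonrpc|22 3a 22|2.0|22|"
    (b'"method":"login"', False),  # content:"|22|method|22 3a 22|login|22|"
    (b'"agent":"XMRig', True),     # content:"|22|agent|22 3a 22|XMRig"; nocase
    (b'libuv/', True),             # content:"libuv/"; nocase
]
NEGATED_CONTENT = b'"login":"x"'   # content:!"|22|login|22 3a 22|x|22|" (case-sensitive)


def xmrig_match(payload: bytes) -> bool:
    """True when the payload satisfies every content option of the rule."""
    pos = 0
    for needle, nocase in CONTENT_CHAIN:
        hay, n = (payload.upper(), needle.upper()) if nocase else (payload, needle)
        idx = hay.find(n, pos)
        if idx < 0:
            return False
        pos = idx + len(n)
    return NEGATED_CONTENT not in payload


def login_summary(payload: bytes) -> dict:
    """Fields an analyst would pull from a matching login message for triage."""
    params = json.loads(payload).get("params", {})
    return {
        "agent": params.get("agent"),
        "login": params.get("login"),
        "algos": params.get("algo", []),
    }


if __name__ == "__main__":
    for name, sample in [("xmrig", XMRIG_LOGIN), ("xmrig_login_x", XMRIG_LOGIN_X),
                         ("other_client", OTHER_CLIENT_LOGIN)]:
        print(name, "->", "ALERT" if xmrig_match(sample) else "no match")
    print(login_summary(XMRIG_LOGIN))
```

The chain is order-sensitive: a login message that carries the same four strings in a different order would not satisfy the distance:0 sequence in Snort, and the Python version preserves that by advancing `pos` after each hit rather than searching the whole payload each time.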
Mitigations

CISA recommends using the following best practices to strengthen the security posture of an organization's systems. Any 
configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted 
impacts.


  * Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code [ 
https://www.us-cert.gov/ncas/tips/ST18-271 ]. 
  * Ensure systems have the latest security updates. See Understanding Patches and Software Updates [ 
https://www.us-cert.gov/ncas/tips/ST04-006 ]. 
  * Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory 
authentication. 
  * Restrict users' permissions to install and run unwanted software applications. Do not add users to the local 
administrators group unless required. 
  * Enforce a strong password policy. See Choosing and Protecting Passwords [ 
https://www.us-cert.gov/ncas/tips/ST04-002 ]. 
  * Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be 
known. See Using Caution with Email Attachments [ https://www.us-cert.gov/ncas/tips/ST04-010 ]. 
  * Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests. 
  * Disable unnecessary services on agency workstations and servers. 
  * Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the 
extension matches the file header). 
  * Monitor users' web browsing habits; restrict access to sites with unfavorable content. 
  * Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs). 
  * Scan all software downloaded from the internet prior to executing. 
  * Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs). Sign up 
[ https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ] to receive CISA's alerts on security topics and 
threats. 
  * Sign up for CISA's free vulnerability scanning and testing services to help organizations secure internet-facing 
systems from weak configuration and known vulnerabilities. Email vulnerability_info () cisa dhs gov to sign up. See 
https://www.cisa.gov/cyber-resource-hub for more information about vulnerability scanning and other CISA cybersecurity 
assessment services. 

Resources

https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/
https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/
https://www.zdnet.com/article/new-lokibot-trojan-malware-campaign-comes-disguised-as-a-popular-game-launcher/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless
https://www.varonis.com/blog/what-is-mimikatz/

References

  * [1] Palo Alto: Cortex XDR Detects New Phishing Campaign Installing NetSupport Manager RAT [ 
https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/ ] 
  * [2] Zscaler: NetSupport RAT installed via fake update notices [ 
https://www.zscaler.com/blogs/research/netsupport-rat-installed-fake-update-notices ] 
  * [3] FireEye: Fake Software Update Abuses NetSupport Remote Access Tool [ 
https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html ] 
  * [4] Center for Internet Security: Top 10 Malware April 2020 [ 
https://www.cisecurity.org/blog/top-10-malware-april-2020/ ] 

Revisions

  * June 30, 2020: Initial Version 
________________________________________________________________________

This product is provided subject to this Notification [ https://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ https://www.dhs.gov/privacy-policy ] policy.
