Cybersecurity and Infrastructure Security Agency (CISA) analysts have compiled the top detection signatures that have been the most active over the month of May in our national Intrusion Detection System (IDS), known as EINSTEIN. This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats.
IDS is a network tool that uses sensors to monitor inbound and outbound traffic to search for any type of suspicious activity or known threats, alerting analysts when a specific traffic pattern matches with an associated threat. IDS allows users to deploy signatures on these boundary sensors to look for the specific pattern, or network indicator, associated with a known threat.
The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian departments and agencies. By collecting information from participating federal departments and agencies, CISA builds and enhances our Nation’s cyber-related situational awareness.
The signatures CISA created are included below for analysts across various organizations to use in enhancing their own network defenses. **Note:** CISA has created and tested these signatures in an environment that might not be the same for all organizations, so administrators may need to make changes or updates before using the following signatures in their local environments.
**Note:** The Snort signatures below accounted for over 90 percent of what CISA analysts identified as potential threats using the IDS system for detection.
The NetSupport Manager Remote Access Tool (RAT) is a legitimate program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to steal information. Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications.
In January 2020, Palo Alto researchers observed the abuse of NetSupport in targeted phishing email campaigns.[1] In November 2019, Zscaler researchers observed “software update-themed” campaigns tricking users into installing a malicious NetSupport Manager RAT.[2] The earliest malicious use of NetSupport was seen in a phishing email campaign—reported by FireEye researchers in April 2018.[3]
```
# NetSupport Manager RAT: HTTP POST with the NetSupport User-Agent and a body starting with "CMD=".
# Flowbit names, sid and rev are omitted in the advisory as published; assign local values before deploying.
alert tcp any any -> any $HTTP_PORTS (msg:"NetSupportManager:HTTP Client Header contains 'User-Agent|3a 20|NetSupport Manager/'"; flow:established,to_server; flowbits:isnotset,.tagged; content:"User-Agent|3a 20|NetSupport Manager/"; http_header; fast_pattern:only; content:"CMD="; nocase; http_client_body; depth:4; content:"POST"; nocase; http_method; flowbits:set,.; classtype:http-header; reference:url,unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/; reference:url,www.pentestpartners.com/security-blog/how-to-reverse-engineer-a-protocol/; reference:url,github.com/silence-is-best/c2db;)
```
Kovter is a fileless Trojan with several variants. This malware started as ransomware that malicious actors used to trick victims into thinking that they needed to pay their local police a fine. Cyber actors have also used Kovter to infect targets for click-fraud operations and to send stolen information from the target machines to command and control servers. Kovter’s evolving features have allowed this malware to rank among the Center for Internet Security’s most prolific malware year after year.[4] See CISA’s Webinar on Combatting Ransomware (youtu.be/D8kC07tu27A?t=671) for additional information on Kovter.
```
# Kovter: form-encoded POST to "/" with a Mozilla User-Agent, a numeric-IP Host header, no Accept/Referer/Cookie
# headers, and a body that is a single base64 token. Duplicate ";;" separators in the published rule have been
# collapsed; flowbit names, sid and rev are omitted as published and must be set locally.
alert tcp any any -> any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server"; flow:established,to_server; flowbits:isnotset,.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; classtype:nonstd-tcp; reference:url,www.malware-traffic-analysis.net/2017/06/29/index2.html;)
```
XMRig is a type of cryptocurrency miner that uses the resources of an unsuspecting infected machine to mine Monero—a type of cryptocurrency. XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active.
```
# XMRig: Stratum/JSON-RPC 2.0 "login" message announcing an XMRig agent built on libuv, on any port except SMTP.
# Duplicate ";;" separators in the published rule have been collapsed; flowbit names, sid and rev are omitted
# as published and must be set locally.
alert tcp any any -> any !25 (msg:"XMRIG:Non-Std TCP Client Traffic contains JSONRPC 2.0 Config Data"; flow:established,to_server; flowbits:isnotset; content:"|22|jsonrpc|22 3a 22|2.0|22|"; distance:0; content:"|22|method|22 3a 22|login|22|"; distance:0; content:"|22|agent|22 3a 22|XMRig"; nocase; distance:0; fast_pattern; content:"libuv/"; nocase; distance:0; content:!"|22|login|22 3a 22|x|22|"; flowbits:set,; classtype:nonstd-tcp; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1101;)
```
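To make the match logic of the three signatures above concrete before tuning them locally, here is an added Python re-implementation of their content and PCRE conditions (this is illustrative code written for this page, not CISA's or Snort's own implementation). It evaluates a single client-to-server payload the way the `http_method`, `http_header`, `http_client_body` and raw-payload buffers would be filled, and ignores Snort's flow and flowbits handling. All sample requests, the wallet placeholder, IP addresses and the base64 filler body are constructed for the example, not captured traffic.

```python
"""Re-implementation, for study, of the match conditions in the three Snort rules above.
Added example, not part of the CISA advisory; all sample traffic is constructed by hand."""
import base64
import re

# PCREs taken from the Kovter rule: a body that is exactly one base64 token (/P buffer)
# and a header tail of UA, numeric-IP Host, 3-5 digit Content-Length, cache header (/H buffer).
KOVTER_BODY_RE = re.compile(
    rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$")
KOVTER_HDR_RE = re.compile(
    rb"User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\n"
    rb"Content-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$")


def split_http(payload: bytes):
    """Split a raw request into (method, header buffer, body), roughly as Snort fills
    http_method / http_header / http_client_body (the request line is not in http_header)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method, header_block + sep, body


def _in_order(payload: bytes, needles) -> bool:
    """Emulate a chain of content matches with distance:0 (each must start after the previous one ends)."""
    pos = 0
    for needle, nocase in needles:
        hay = payload.lower() if nocase else payload
        needle = needle.lower() if nocase else needle
        i = hay.find(needle, pos)
        if i < 0:
            return False
        pos = i + len(needle)
    return True


def netsupport_rule(payload: bytes) -> bool:
    method, hdr, body = split_http(payload)
    return (method.upper() == b"POST"                         # content:"POST"; nocase; http_method
            and b"User-Agent: NetSupport Manager/" in hdr      # http_header content
            and body[:4].upper() == b"CMD=")                   # nocase; http_client_body; depth:4


def kovter_rule(payload: bytes) -> bool:
    _, hdr, body = split_http(payload)
    return (payload[:15] == b"POST / HTTP/1.1"                                   # raw payload, depth:15
            and hdr[:47] == b"Content-Type: application/x-www-form-urlencoded"  # http_header, depth:47
            and b"User-Agent: Mozilla/" in hdr
            and b"loadcurrency" not in payload.lower()                          # content:! ... nocase
            and b"Accept" not in hdr and b"Referer:" not in hdr                 # negated header contents
            and b"cookie:" not in hdr.lower()
            and KOVTER_BODY_RE.match(body) is not None                          # pcre .../P
            and KOVTER_HDR_RE.search(hdr) is not None)                          # pcre .../H


def xmrig_rule(payload: bytes) -> bool:
    # Non-HTTP rule: ordered contents over the raw payload, minus the generic "login":"x" placeholder.
    return (_in_order(payload, [(b'"jsonrpc":"2.0"', False), (b'"method":"login"', False),
                                (b'"agent":"XMRig', True), (b"libuv/", True)])
            and b'"login":"x"' not in payload)


RULES = {"NetSupportManager": netsupport_rule, "Kovter": kovter_rule, "XMRIG": xmrig_rule}

_KOVTER_BODY = base64.b64encode(b"\x00" * 150)  # constructed filler: 200 base64 characters, no padding
SAMPLES = {  # constructed samples, one per rule plus a benign form submission
    "netsupport_beacon": (b"POST /fakeurl.htm HTTP/1.1\r\nUser-Agent: NetSupport Manager/1.3\r\n"
                          b"Host: 192.0.2.10\r\nContent-Length: 25\r\n\r\nCMD=POLL\r\nINFO=1\r\nACK=1\r\n"),
    "kovter_checkin": (b"POST / HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
                       b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\nHost: 198.51.100.7\r\n"
                       b"Content-Length: 200\r\nCache-Control: no-cache\r\n\r\n" + _KOVTER_BODY),
    "xmrig_login": (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
                    b'"pass":"x","agent":"XMRig/5.11.1 (Linux x86_64) libuv/1.34.2 gcc/9.3.0"}}\n'),
    "benign_form_post": (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n"
                         b"Accept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\n"
                         b"Content-Length: 23\r\n\r\nuser=alice&remember=yes"),
}


def evaluate(samples: dict) -> dict:
    """Return {sample_name: [names of rules that would fire]}."""
    return {name: [rule for rule, fn in RULES.items() if fn(payload)]
            for name, payload in samples.items()}


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLES).items():
        print(f"{name:18s} -> {hits or 'no alert'}")
```

Running the script shows each constructed sample tripping exactly its own rule and the benign form post tripping none; the benign case is the one to extend with your own traffic when assessing false positives before deployment, since the Kovter rule in particular depends on exact header order and the absence of `Accept`, `Referer` and `Cookie` headers.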
CISA recommends using the following best practices to strengthen the security posture of an organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Resources
<https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/>
<https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/>
<https://www.varonis.com/blog/what-is-mimikatz/>
[1] Palo Alto: Cortex XDR™ Detects New Phishing Campaign Installing NetSupport Manager RAT, https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/
[2] Zscaler: NetSupport RAT installed via fake update notices, https://www.zscaler.com/blogs/research/netsupport-rat-installed-fake-update-notices
[3] FireEye: Fake Software Update Abuses NetSupport Remote Access Tool, https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html
[4] Center for Internet Security: Top 10 Malware April 2020, https://www.cisecurity.org/blog/top-10-malware-april-2020/
June 30, 2020: Initial Version