BOOK AN APPOINTMENT WITH AN IT SPECIALIST TODAY

30 Jun 2020

AA20-182A: EINSTEIN Data Trends – 30-day Lookback

Original release date: June 30, 2020

Summary

Cybersecurity and Infrastructure Security Agency (CISA) analysts have compiled the top detection signatures that have been the most active over the month of May in our national Intrusion Detection System (IDS), known as EINSTEIN. This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats.

IDS is a network tool that uses sensors to monitor inbound and outbound traffic to search for any type of suspicious activity or known threats, alerting analysts when a specific traffic pattern matches with an associated threat. IDS allows users to deploy signatures on these boundary sensors to look for the specific pattern, or network indicator, associated with a known threat.

The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government. By collecting information from participating federal government agencies, CISA builds and enhances our Nation’s cyber-related situational awareness.

The signatures CISA created have been included below for analysts across various organizations to use in enhancing their own network defenses. Note: CISA has created and tested these signatures in an environment that might not be the same for all organizations, so administrators may need to make changes or updates before using in the following signatures in their local environments.

Technical Details

Note: the below Snort signatures accounted for over 90 percent of what CISA analysts identified as potential threats using the IDS system for detection.

1. NetSupport Manager RAT

Description

The NetSupport Manager Remote Access Tool (RAT) is a legitimate program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to steal information. Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications.

Examples

In January 2020, Palo Alto researchers observed the abuse of NetSupport in targeted phishing email campaigns.[1] In November 2019, Zscaler researchers observed “software update-themed” campaigns tricking users into installing a malicious NetSupport Manager RAT.[2] The earliest malicious use of NetSupport was seen in a phishing email campaign—reported by FireEye researchers in April 2018.[3]

Snort Signature

alert tcp any any -> any $HTTP_PORTS (msg:"NetSupportManager:HTTP Client Header contains 'User-Agent|3a 20|NetSupport Manager/'"; flow:established,to_server; flowbits:isnotset,.tagged; content:"User-Agent|3a 20|NetSupport Manager/"; http_header; fast_pattern:only; content:"CMD="; nocase; http_client_body; depth:4; content:"POST"; nocase; http_method; flowbits:set,.; classtype:http-header; reference:url,unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/; reference:url,www.pentestpartners.com/security-blog/how-to-reverse-engineer-a-protocol/; reference:url,github.com/silence-is-best/c2db;

2. Kovter

Description

Kovter is a fileless Trojan with several variants. This malware started as ransomware that malicious actors used to trick victims into thinking that they need to pay their local police a fine. Cyber actors have also used Kovter to perform click-fraud operations to infect targets and send stolen information from the target machines to command and control servers. Kovter’s evolving features have allowed this malware to rank among the Center for Internet Security’s most prolific malware year after year.[4] See CISA’s Webinar on Combatting Ransomware for additional information on Kovter.

Snort Signature

alert tcp any any -> any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server";; flow:established,to_server; flowbits:isnotset,.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; pcre:"/User-Agentx3a[^rn]+rnHostx3ax20(?:d{1,3}.){3}d{1,3}rnContent-Lengthx3ax20[1-5][0-9]{2,3}rn(?:Cache-Control|Pragma)x3a[^rn]+rn(?:rn)?$/H";; classtype:nonstd-tcp;; reference:url,www.malware-traffic-analysis.net/2017/06/29/index2.html;

3. XMRig

Description

XMRig is a type of cryptocurrency miner that uses the resources of an unsuspecting infected machine to mine Monero—a type of cryptocurrency. XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active.

Snort Signature

alert tcp any any -> any !25 (msg:"XMRIG:Non-Std TCP Client Traffic contains JSONRPC 2.0 Config Data";; flow:established,to_server; flowbits:isnotset; content:"|22|jsonrpc|22 3a 22|2.0|22|"; distance:0; content:"|22|method|22 3a 22|login|22|"; distance:0; content:"|22|agent|22 3a 22|XMRig"; nocase; distance:0; fast_pattern; content:"libuv/"; nocase; distance:0; content:!"|22|login|22 3a 22|x|22|"; flowbits:set,; classtype:nonstd-tcp;; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1101;

Mitigations

CISA recommends using the following best practices to strengthen the security posture of an organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
  • Ensure systems have the latest security updates. See Understanding Patches and Software Updates.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ permissions to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy. See Choosing and Protecting Passwords.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
  • Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs). Sign up to receive CISA’s alerts on security topics and threats.
  • Sign up for CISA’s free vulnerability scanning and testing services to help organizations secure internet-facing systems from weak configuration and known vulnerabilities. Email vulnerability_info@cisa.dhs.gov to sign up. See https://www.cisa.gov/cyber-resource-hub for more information about vulnerability scanning and other CISA cybersecurity assessment services.

Resources

https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/
https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/
https://www.zdnet.com/article/new-lokibot-trojan-malware-campaign-comes-disguised-as-a-popular-game-launcher/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless
https://www.varonis.com/blog/what-is-mimikatz/

References

Revisions

  • June 30, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

More Like This

AA21-265A: Conti Ransomware

Original release date: September 22, 2021 Summary Immediate Actions You Can Take Now to Protect Against Conti Ransomware • Use multi-factor authentication. • Segment and segregate networks and functions. • Update your operating system and software. Note: This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK …

AA21-265A: Conti Ransomware Read More »

Read More

Are You Planning to Download Windows 11 Free Update?

Are You Planning to Download Windows 11 Free Update? Here’s a Quick Guide Microsoft’s new operating system has generated considerable interest from users and tech experts. Windows 11 brings many key new features that enhance the overall user experience. From October 5, 2021, Microsoft will roll out the update to eligible Windows 7 and 10 …

Are You Planning to Download Windows 11 Free Update? Read More »

Read More

AA21-259A: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus

Original release date: September 16, 2021 Summary This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise for  referenced threat actor tactics and for techniques. This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States …

AA21-259A: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus Read More »

Read More

If You Own These Four Small Business Cisco Routers: It’s Time to Replace Them

If You Own These Four Small Business Cisco Routers: It’s Time to Replace Them A security flaw discovered in RV110W, RV130, RV130W, and RV215W Cisco routers creates significant vulnerabilities. Traditionally, these UPnP (universal plug and play) routers would receive security updates from the vendor. However, Cisco recently announced that it has no plans to release …

If You Own These Four Small Business Cisco Routers: It’s Time to Replace Them Read More »

Read More

Do You Want to Speed Up Your Computer?

Do You Want to Speed Up Your Computer? Here are Top Tips A slow computer can undermine productivity and become a source of frustration. Fortunately, there are several ways to boost speed and overall performance, irrespective of whether your computer is relatively new or older. You can achieve the desired performance by following specific tips …

Do You Want to Speed Up Your Computer? Read More »

Read More

AA21-243A: Ransomware Awareness for Holidays and Weekends

Original release date: August 31, 2021 Summary Immediate Actions You Can Take Now to Protect Against Ransomware • Make an offline backup of your data. • Do not click on suspicious links. • If you use RDP, secure and monitor it. • Update your OS and software. • Use strong passwords. • Use multi-factor authentication. …

AA21-243A: Ransomware Awareness for Holidays and Weekends Read More »

Read More