Tuesday, July 23, 2019

Snort rule update for July 23, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains six new rules, two of which are shared object rules, as well as two modified rules.

Today's release provides protection against a vulnerability in the Windows win32k component that attackers have exploited in the wild.

Talos has added and modified multiple rules in the file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats in these areas.

Here are several important rules we would like to highlight:
  • 50771: This rule fires when the AZORult trojan attempts to make an outbound connection to its command and control server. Attackers recently began spreading AZORult through a series of phony cheat codes for video games, such as "CounterStrike: Go" and "Player Unknown's Battlegrounds". Once installed, the trojan attempts to steal users' passwords. This rule was written by Tim Muniz.
  • 50777, 50778: Both of these rules provide coverage for a previously disclosed vulnerability in Windows' win32k.sys component. The escalation of privilege bug, identified as CVE-2019-1132, was exploited in a series of targeted attacks in Eastern Europe. These rules fire when an attacker attempts to corrupt a machine's memory using this vulnerability. Rules were written by Joanne Kim.
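Once the update is installed, it is worth confirming that the highlighted SIDs actually landed in your active rules file and are not commented out. The following is an added example, not code from this post or from Talos: it parses Snort-style rule lines, records each rule's SID, revision and enabled state, and reports which of the highlighted SIDs are missing or disabled. The sample rule lines are constructed placeholders with the SIDs from this post; their bodies are not the real Talos signatures.

```python
import re
from dataclasses import dataclass

# SIDs called out in the July 23, 2019 update (taken from the post).
HIGHLIGHTED_SIDS = {50771, 50777, 50778}

# Constructed sample of a snort.rules file. The rule bodies are placeholders,
# not Talos' signatures; the first line is commented out to show a disabled rule.
SAMPLE_RULES = """\
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED placeholder"; sid:50771; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED placeholder"; sid:50777; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED placeholder"; sid:50778; rev:2;)
alert tcp any any -> any any (msg:"CONSTRUCTED unrelated"; sid:1000001; rev:1;)
"""

# Snort rule options are "keyword:value;" pairs inside the parentheses.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


@dataclass
class RuleState:
    sid: int
    rev: int
    enabled: bool


def parse_rules(text):
    """Map sid -> RuleState for every rule line in a rules file.

    A line whose first non-blank character is '#' but that still carries a
    sid is treated as a disabled rule; comment lines without a sid and blank
    lines are ignored. If a sid appears more than once, the highest rev wins.
    """
    states = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        sid_match = SID_RE.search(body)
        if not sid_match:
            continue
        sid = int(sid_match.group(1))
        rev_match = REV_RE.search(body)
        rev = int(rev_match.group(1)) if rev_match else 0
        if sid not in states or states[sid].rev < rev:
            states[sid] = RuleState(sid, rev, enabled)
    return states


def check_coverage(text, wanted=HIGHLIGHTED_SIDS):
    """Split the wanted SIDs into missing, disabled and enabled sets."""
    states = parse_rules(text)
    wanted = set(wanted)
    missing = {s for s in wanted if s not in states}
    disabled = {s for s in wanted if s in states and not states[s].enabled}
    enabled = wanted - missing - disabled
    return {"missing": missing, "disabled": disabled, "enabled": enabled}


if __name__ == "__main__":
    # On a real sensor, read the deployed rules file instead of SAMPLE_RULES.
    result = check_coverage(SAMPLE_RULES)
    for label in ("missing", "disabled", "enabled"):
        print(f"{label}: {sorted(result[label])}")
```

Point the script at the rules file your sensor actually loads (for example the file named by an `include` in snort.conf) rather than the downloaded tarball, so the check reflects what is enforced. A SID that shows up as disabled after an update usually means a local policy file is commenting it back out.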
You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing as well. Stay up to date to catch the most emerging threats.