Thursday, December 12, 2019

Snort rule update for Dec. 12, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 28 new rules, eight modified rules, three new shared object rules and one modified shared object rule.

This rule set provides new coverage for several malware families, including variants of the Mimikatz credential-stealing tool, the DoppelPaymer ransomware and attacks from the Gamaredon APT.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, exploit-kit, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.

We would also like to highlight two specific sets of rules:

  • 52445 - 52448: These rules prevent a variant of malware from the Gamaredon APT from making outbound connections during its various phases. The hacking group, which has been active since 2013, recently started a wave of attacks in Ukraine against government agencies, journalists and military branches. Security researchers say these attacks were still active as of Dec. 6 after starting around mid-September. Joanne Kim wrote these rules.
  • 52427 - 52429: These rules protect against a variant of the DoppelPaymer ransomware. Talos recently discovered a command and control server that held DoppelPaymer files, and Microsoft recently released an alert, warning users of the ransomware. There have been misleading reports that DoppelPaymer is spread through the infamous "BlueKeep" exploit, though Microsoft researchers say that is not true. Kristen Houser wrote these rules.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing as well here. Make sure and stay up to date to catch the most emerging threats.