Snort rule update for March 18, 2021 — Additional rules to protect against Hafnium attacks

The latest rule update for SNORTⓇ released early this morning via Cisco Talos.

This latest release provides several new rules to protect against attacks from the Hafnium state-sponsored actor. Microsoft first discovered this group a few weeks ago when it disclosed several zero-day vulnerabilities in the Exchange Server software. Hafnium reportedly exploited these vulnerabilities to steal emails, among other malicious actions.

These new rules prevent a web shell upload attempt commonly seen with Hafnium.

Here's a breakdown of today's rule release:

Shared object rules	Modified shared object rules	New rules	Modified rules
11	1	12	2

There were no changes made to the snort.conf in this release.

Talos' rule release:

Talos has added and modified multiple rules in the file-image, file-pdf, malware-backdoor, malware-cnc, netbios, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing as well here. The Snort 3 release is also here after years of development and improvements. Upgrade here.