The latest rule update for SNORTⓇ was released early this morning via Cisco Talos.
This latest release provides several new rules to protect against attacks from the Hafnium state-sponsored actor. Microsoft first discovered this group a few weeks ago when it disclosed several zero-day vulnerabilities in the Exchange Server software. Hafnium reportedly exploited these vulnerabilities to steal emails, among other malicious actions.
These new rules prevent a web shell upload attempt commonly seen with Hafnium.
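As an added illustration of the kind of check such a rule performs (this is not a Talos rule and not code from the original post; the SID, signature options and sample HTTP requests are constructed for demonstration), the following Python matcher applies a Snort-style combination of method, URI and body `content` conditions to flag an HTTP POST that tries to write a server-side ASPX script to a web-accessible path:

```python
"""Constructed example: a minimal Snort-style signature matcher for a
web shell upload attempt. Not a Talos rule; the SID, message, patterns
and sample traffic are all invented for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Signature:
    sid: int                  # hypothetical SID, not a real Snort/Talos SID
    msg: str
    method: str               # required HTTP method
    uri_pattern: re.Pattern   # matched against the request path
    body_patterns: list       # all must be present, like multiple 'content' options


# Constructed signature: a POST whose path ends in .asp/.aspx/.ashx and whose
# body carries server-side script markers typical of a dropped web shell.
SIGNATURES = [
    Signature(
        sid=9000001,
        msg="SERVER-WEBAPP possible ASPX web shell upload attempt",
        method="POST",
        uri_pattern=re.compile(r"\.(aspx?|ashx)$", re.IGNORECASE),
        body_patterns=[b"<%@ Page Language=", b"Request["],
    ),
]


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body); None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body


def match(raw: bytes):
    """Return [(sid, msg), ...] for every signature the request triggers."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return []
    method, uri, body = parsed
    path = uri.split("?", 1)[0]          # ignore the query string, like a path-only match
    hits = []
    for sig in SIGNATURES:
        if method != sig.method:
            continue
        if not sig.uri_pattern.search(path):
            continue
        if all(pattern in body for pattern in sig.body_patterns):
            hits.append((sig.sid, sig.msg))
    return hits


# Constructed sample traffic (hostnames and paths are invented)
SUSPICIOUS = (b"POST /uploads/help.aspx HTTP/1.1\r\nHost: mail.example.test\r\n"
              b"Content-Type: text/plain\r\n\r\n"
              b'<%@ Page Language="C#" %><% Response.Write(Request["x"]); %>')
BENIGN = (b"POST /api/v1/items HTTP/1.1\r\nHost: mail.example.test\r\n"
          b"Content-Type: application/json\r\n\r\n{\"name\": \"report.aspx\"}")

if __name__ == "__main__":
    for label, request in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, match(request))
```

The benign request mentions an `.aspx` filename only inside a JSON body, so neither the path condition nor both body markers fire; a real Snort rule would express the same logic with `http_method`, `http_uri` and several `content` options and would be tuned against the traffic of the protected Exchange or IIS host.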
Here's a breakdown of today's rule release:
| Shared object rules | Modified shared object rules | New rules | Modified rules |
|---|---|---|---|
snort.conf in this release.
Talos' rule release:
Talos has added and modified multiple rules in the file-image, file-pdf, malware-backdoor, malware-cnc, netbios, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.