
RSA NetWitness Platform

3 Posts authored by: Alex Cox

We are pleased to announce the addition of threat indicators directly from RSA's world class Incident Response team. These indicators include domains and IPs that are sourced from Incident Response activities in a variety of ways:

- Direct observation during RSA Incident Response engagements

- Related indicators developed via malware, DNS, and whois analysis

- 3rd party indicators with connections to RSA IR activity

These indicators can be loaded into Security Analytics by subscribing to the following feeds in RSA Live:

RSA FirstWatch Command and Control Domains

RSA FirstWatch Command and Control IPs

The following pivot can be used to locate hits to these indicators in the Security Analytics UI:

threat.source = "rsa ir indicators"

Thanks and Happy Hunting!

RSA FirstWatch

You asked and we listened!

Ransomware continues to be a significant threat to our customers, so this is a very timely addition. Abuse.ch has added a ransomware tracker which tracks the following families of ransomware:

TeslaCrypt

CryptoWall

TorrentLocker

PadCrypt

Locky

CTB-Locker

FAKBEN

PayCrypt

We've added these indicators to the following feeds in LIVE:

Third Party IOC Domains

Third Party IOC IPs

They can be located with the following pivot in the Security Analytics UI:

threat.category = "abuse.ch ransomware"

Happy Hunting!

RSA-FirstWatch

You may have seen press coverage this week relating to a Microsoft Outlook Web Access (OWA) attack. The originating report was published by Cybereason and can be found here: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf

In short, attackers of a Cybereason client installed a malicious .dll file which was used by OWA as part of the authentication mechanism, authenticating users against the Active Directory server. It also installed an ISAPI filter into the IIS server and was filtering HTTP requests. Once installed, the malware wrote all usernames and passwords to an encrypted .txt file on the C drive. Then it passively waited for instructions from the attackers via HTTPS.

Microsoft responded to the report and has claimed that a properly deployed and secured Exchange Server is NOT susceptible to the referenced attacks: http://blogs.technet.com/b/exchange/archive/2015/10/07/no-new-security-vulnerability-in-outlook-web-access-owa.aspx

Unfortunately, Cybereason has not shared the malware for creation of signatures or hashes. They have explained that the malware is custom to the victim, so traditional endpoint signatures would likely not work anyway. Further, there are no known C2 domains or IP addresses, as the malware was apparently discovered prior to responding to additional commands.

Cybereason did reveal, however, the name of the malicious file: OWAAUTH.DLL

An RSA ECAT customer can use the Global Module List to CTRL-F search for that file name: OWAAUTH.DLL

If the file(s) appear without a valid Microsoft signature, you may have been compromised by this attack and should begin response procedures. If the attacker followed the same protocol as the Cybereason report outlined, there is also an encrypted file named log.txt, stored in C:\. It may contain lots of domain credentials, so it should be treated accordingly.
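For customers without ECAT, the same two checks (an OWAAUTH.DLL that lacks a valid Microsoft signature, and a log.txt in the root of C:\) can be scripted on the Exchange host itself. The script below is an added example, not RSA's or Cybereason's code; the search roots under inetpub and the Exchange Server install directory are assumptions, as is the default log path.

```powershell
# Added example (not from the RSA post). Search roots and log path are assumptions; adjust to your layout.
param(
    [string[]]$SearchRoots = @("$env:SystemDrive\inetpub", "$env:ProgramFiles\Microsoft\Exchange Server"),
    [string]$LogPath = "$env:SystemDrive\log.txt"   # the report places the file in C:\
)
$findings = @()
# 1. OWAAUTH.DLL on disk under the IIS/Exchange trees ...
$onDisk = foreach ($root in $SearchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'OWAAUTH.DLL' -ErrorAction SilentlyContinue |
            ForEach-Object FullName
    }
}
# ... and loaded into any running process (e.g. w3wp.exe): the equivalent of the
# ECAT Global Module List search. Run elevated so every process can be inspected.
$loaded = Get-Process -Module -ErrorAction SilentlyContinue |
    Where-Object { $_.ModuleName -ieq 'OWAAUTH.DLL' } | ForEach-Object FileName
foreach ($path in (@($onDisk) + @($loaded) | Where-Object { $_ } | Sort-Object -Unique)) {
    # A legitimate copy carries a valid Microsoft Authenticode signature; flag anything else.
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $findings += [pscustomobject]@{
        Indicator  = 'OWAAUTH.DLL'; Path = $path; Status = $sig.Status; Signer = $signer
        Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
    }
}
# 2. The report also describes an encrypted credential log written to C:\log.txt.
if (Test-Path -LiteralPath $LogPath) {
    $item = Get-Item -LiteralPath $LogPath
    $findings += [pscustomobject]@{
        Indicator = 'log.txt'; Path = $item.FullName; Signer = 'n/a'
        Status    = "$($item.Length) bytes, modified $($item.LastWriteTime)"; Suspicious = $true
    }
}
if (@($findings | Where-Object Suspicious).Count -gt 0) {
    Write-Warning 'Suspicious artifact(s) found; preserve the host and begin response procedures.'
}
$findings | Format-Table -AutoSize
```

A Microsoft-signed OWAAUTH.DLL is reported but not flagged, so an empty or all-Valid table is the expected result on a clean host.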
