Cisco Talos Update for FireSIGHT Management Center

Date: 2020-05-21

This SRU number: 2020-05-20-001
Previous SRU number: 2020-05-18-001

Applies to:

This SEU number: 2167
Previous SEU: 2166

Applies to:

This is the complete list of rules added in SRU 2020-05-20-001 and SEU 2167.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Cisco Talos policy, Connectivity, Balanced, Security, and Maximum Detection.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority
GIDSIDRule GroupRule MessagePolicy State
Con.Bal.Sec.Max.
154013MALWARE-OTHERWin.Trojan.Ursnif malicious outbound connection attempt - gravity generated detectionoffdropdropdrop
154014MALWARE-CNCWin.Malware.Trickbot variant outbound connectionoffdropdropdrop
154015MALWARE-OTHERWin.Dropper.Bifrost-7846624-0 download attemptoffoffdropdrop
154016MALWARE-OTHERWin.Dropper.Bifrost-7846624-0 download attemptoffoffdropdrop
154017MALWARE-OTHERWin.Packed.Dorkbot-7847299-0 download attemptoffoffoffdrop
154018MALWARE-OTHERWin.Packed.Dorkbot-7847299-0 download attemptoffoffoffdrop
154019MALWARE-CNCWin.Trojan.ApolloZeus Loader beaconing attemptoffoffoffdrop
154020MALWARE-OTHERWin.Trojan.Hancitor COVID-19 subject phishing email attemptoffdropdropdrop
154021MALWARE-CNCWin.Trojan.Andariel outbound connection attemptoffdropdropdrop
154022SERVER-OTHERSaltStack authentication bypass attemptoffoffdropdrop
154023SERVER-OTHERSaltStack authentication bypass attemptoffoffdropdrop
354024POLICY-OTHERCisco Unified Contact Center Express vulnerable Java RMI class access detectedoffoffoffoff
354025POLICY-OTHERCisco Unified Contact Center Express vulnerable Java RMI class access detectedoffoffoffoff
354026POLICY-OTHERCisco Unified Contact Center Express vulnerable Java RMI class access detectedoffoffoffoff
354027POLICY-OTHERCisco Unified Contact Center Express vulnerable Java RMI class access detectedoffoffoffoff
354028INDICATOR-SHELLCODEJava RMI deserialization exploit attemptdropdropdropdrop
154029MALWARE-CNCWin.Malware.Rifdoor outbound cnc registration attemptoffoffdropdrop
154030SERVER-OTHERSaltStack wheel directory traversal attemptoffoffdropdrop
154031SERVER-OTHERSaltStack wheel directory traversal attemptoffoffdropdrop
154032SERVER-OTHERSaltStack wheel directory traversal attemptoffoffdropdrop
154033SERVER-OTHERSaltStack wheel directory traversal attemptoffoffdropdrop
Medium Priority
GIDSIDRule GroupRule MessagePolicy State
Con.Bal.Sec.Max.
354034SERVER-OTHERCisco Prime Network Registrar denial of service attemptoffoffdropdrop