Skip to content
    October 8, 2024

    September 2024 Product Release Notes

    Summary

    In September, we introduced new system-level notifications to warn users when a Cloud Connector has stopped logging so they can fix the problem as soon as possible. We also packed 14 new detection rules into our detection suite, along with even more threat intelligence to boost your security coverage. Check out the details below!

    Feature and Platform Updates

    • New System Notifications: Cloud Connector health notifications are now available to users in all Blumira editions. If enabled, you will be notified when your Cloud Connectors encounter a persisting error status or cannot complete their initial setup so you can take action to fix the connector and resume logging. You can edit your personal settings on the Notification Settings page. Learn more about the available options here.

      More Threat Feed Data: We’ve updated the threat feeds we use to provide you with threat alerts and blocking capabilities, adding DFIR Report intelligence that covers these command and control frameworks: DCRAT, AsyncRAT, Viper, PupyRAT, Havoc, and More_eggs.

      New Global Report: “Microsoft 365 - Global Admin Role Assignments” is a new global report for users looking to track net new Global Admin role assignments in Microsoft 365.

    Detection Updates

    Log Type Detection Details

    All traffic data types

    NEW - DFIR Report: AsyncRAT Command and Control

    This command and control traffic is likely related to AsyncRAT infrastructure. AsyncRAT is a remote access trojan. For more information about AsyncRAT, see the GitHub repository.

    Default state: Enabled

    All traffic data types

    NEW - DFIR Report: DcRAT Command and Control

    This command and control traffic is likely related to DcRAT infrastructure. DcRAT is a remote access trojan known for initial access operations. For more information about DcRAT, see the GitHub repository or this post from Blackberry.

    Default state: Enabled

    All traffic data types

    NEW - DFIR Report: Havoc Command and Control

    This command and control traffic is likely related to Havoc infrastructure. Havoc is a command and control framework. For more information about Havoc, see the GitHub repository.

    Default state: Enabled

    All traffic data types

    NEW - DFIR Report: More_eggs Command and Control

    This command and control traffic is likely related to More_eggs infrastructure. More_eggs is a JavaScript backdoor trojan. For more information about More_eggs, see this post from MITRE.

    Default state: Enabled

    All traffic data types

    NEW - DFIR Report: Pupy Command and Control

    This command and control traffic is likely related to Pupy infrastructure. Pupy is a free and open-source remote access tool and post-exploitation framework. For more information about Pupy, see the GitHub repository or this post from AHN Labs.

    Default state: Enabled

    All traffic data types

    NEW - DFIR Report: Viper Command and Control

    This command and control traffic is likely related to Viper infrastructure. Viper is a free and open-source modular offensive security multi-tool, similar to Metasploit, that can be used across stages in intrusions including command and control, discovery, lateral movement, and impact. For more information about DcRAT, see the GitHub repository.

    Default state: Enabled

    Azure AD

    NEW - Azure: SQL Firewall Rule Created

    Because it's nice to know when your Azure tenant may be opening SQL up!

    Default state: Disabled; must be enabled by an administrator

    Azure AD

    NEW - Azure: SQL Firewall Rule Deleted

    Probably not as risky of a detection as “Firewall Rule Created,” but it's nice to have parity. 😉

    Default state: Disabled; must be enabled by an administrator

    GCP Cloud Audit

    NEW - Google Cloud Platform: API Key Generated

    A user has created or requested the creation of an API key within your Google Cloud Platform (GCP) tenant. This can be part of the normal admin or operational lifecycle within GCP. Threat actors have been increasingly observed using API keys to maintain persistence within cloud environments.

    Default state: Enabled

    GCP Cloud Audit

    NEW - Google Cloud Platform: Secret Created in Secret Manager

    A user in your Google Cloud Platform tenant has created or requested to create a new secret.

    Default state: Disabled; must be enabled by an administrator

    MS365 AD

    NEW - Microsoft 365: SsoArtifactRevoked Failed Login

    Detects when a user has failed to log in to Microsoft 365 services and the resultant error indicates the session was denied due to a bad password (either expired or recently changed). These events can also be related to conditional access policies denying a login. We have seen evidence of this activity in Business Email Compromise during our research.

    Default state: Disabled; must be enabled by an administrator

    Windows or Blumira Agent

    NEW - ESX Admin Group Creation or Modification

    A domain group named "ESX Admins" has been created or modified in Active Directory. This detection identifies the following activities:

    • Domain group created and titled "ESX Admins"

    • Renaming an existing domain group to "ESX Admins"

    • Adding users to the "ESX Admins" group

    While this may be legitimate administrative activity, it should still be accounted for. Threat actors have been observed taking advantage of a vulnerability using these groups via CVE-2024-37085.

    Default state: Enabled

    Windows or Blumira Agent

    NEW - Suspicious Windows Defender Registry Key Tampering via Reg.exe

    Administrators and administrative software may modify Windows Defender registry keys while installing antivirus. Threat actors may tamper with Windows Defender registry keys to attempt to disable protection and detection features during adversarial activity and malware deployment. For more information, see Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours.

    Default state: Enabled

    Windows, Blumira Agent for Windows, Blumira Agent for Linux, Blumira Agent for Mac

    NEW - Network Tunneling Tool: Chisel

    Chisel is a free and open source network tunneling tool that can be used to establish tunnels for various protocols over HTTP for legitimate business uses like enabling remote access. These tools can also be used to bypass network security controls, obscure malicious activities, or exfiltrate sensitive data if used by threat actors who have gained unauthorized access to a system or network.

    To learn more, see the following resources:

    Default state: Enabled

    August Release Notes

    In case you missed the August updates, you can find and review those notes here.

    More from the blog

    View All Posts