<h3><strong>Scanbox</strong>, the APT JavaScript exploitation framework originally reported by our friends at <a href="https://www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks">AlienVault</a>, has recently been discovered targeting US think tanks, industrial, engineering and aerospace companies, and other random targets such as a Korean hospitality site and specific groups within China with political tensions. </h3><p>Scanbox was designed to be a modular, reusable JavaScript-based exploit kit. It allows less sophisticated attackers to first compromise a website using basic attacks such as SQL injection or WordPress bugs, then set up a watering hole attack to infect hundreds to thousands of victims that visit that website. We are seeing a rise in reusable exploit frameworks developed by more sophisticated attackers, allowing C-level military hacking teams to come out of initial training and be highly effective with these toolkits.</p><h3><a href="https://ui.threatstream.com/registration">ThreatStream OPTIC</a> is currently tracking over 135 IOCs related to Scanbox watering hole attacks. 
</h3><p>The following Snort/Suricata signatures from the Emerging Threats Open ruleset can also help detect Scanbox activity on your network.</p><pre>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks"; flow:from_server,established; file_data; content:"scanbox.crypt._utf8_encode"; classtype:trojan-activity; sid:2019093; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks Intial (POST)"; flow:to_server,established; content:"POST"; http_method; content:"projectid="; http_client_body; fast_pattern:only; content:"agent="; http_client_body; content:"platform="; http_client_body; content:"seed="; http_client_body; content:"screen="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019094; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive"; flow:to_server,established; content:"GET"; http_method; content:".php?seed="; http_uri; fast_pattern:only; content:"&alivetime="; http_uri; content:"&r="; http_uri; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019096; rev:2;)</pre>
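<p>For environments without a Snort/Suricata sensor, the matching logic of the three client-side signatures above (sids 2019094 to 2019096) can be applied to exported proxy or HTTP request logs. The script below is an added example written for this page, not code from the original post or from Emerging Threats; the request samples and paths in it are constructed, while the field names come from the signatures' content matches.</p>

```python
"""Re-implements the client-side Emerging Threats Scanbox checks (sids
2019094-2019096) as substring tests over HTTP request method, URI and body.
Sample requests below are constructed for illustration."""

# One entry per signature: (label, method, buffer to inspect, required substrings).
# Like Snort `content` matches without distance/within, these are plain
# order-independent substring tests and inherit the same false-positive
# surface (for example "xseed=" also contains "seed=").
SIGNATURES = (
    ("ScanBox Initial (POST)", "POST", "body",
     ("projectid=", "agent=", "platform=", "seed=", "screen=")),   # sid 2019094
    ("ScanBox PluginData (POST)", "POST", "body",
     ("pluginid=", "projectid=", "seed=", "data=")),               # sid 2019095
    ("ScanBox KeepAlive (GET)", "GET", "uri",
     (".php?seed=", "&alivetime=", "&r=")),                        # sid 2019096
)


def classify_request(method, uri, body=""):
    """Return the label of the first signature the request satisfies, else None."""
    buffers = {"uri": uri, "body": body}
    for label, sig_method, buf, needles in SIGNATURES:
        if method == sig_method and all(n in buffers[buf] for n in needles):
            return label
    return None


def scan_requests(requests):
    """Classify (method, uri, body) tuples; return (index, label) for each hit."""
    return [(i, label) for i, (m, u, b) in enumerate(requests)
            if (label := classify_request(m, u, b)) is not None]


# Constructed sample traffic: the three beacon shapes plus two benign requests.
SAMPLE_REQUESTS = [
    ("POST", "/i/recv.php",
     "projectid=1&agent=Mozilla%2F5.0&platform=Win32&seed=abcd1234&screen=1920x1080"),
    ("POST", "/i/recv.php", "pluginid=3&projectid=1&seed=abcd1234&data=ZGF0YQ%3D%3D"),
    ("GET", "/i/alive.php?seed=abcd1234&alivetime=30&r=0.4417", ""),
    ("GET", "/index.php?id=5", ""),
    ("POST", "/login", "username=alice&password=hunter2"),
]

if __name__ == "__main__":
    for index, label in scan_requests(SAMPLE_REQUESTS):
        print(f"request #{index}: {label}")
```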