Rule Update
21-003 (January 19, 2021)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
CA ARCserve D2D Administration Interface
1010699 - Arcserve D2D External Entity Injection Vulnerability (CVE-2020-27858)
DNS Server
1010633* - Identified DNS Trojan.Linux.Anchor.A Traffic
1010632* - Identified DNS Trojan.Win64.Anchor.A Traffic
Directory Server LDAP
1010301* - Samba LDAP Server Denial Of Service Vulnerability (CVE-2020-10704)
Suspicious Client Ransomware Activity
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)
Suspicious Server Ransomware Activity
1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
Trend Micro OfficeScan
1010708* - Trend Micro OfficeScan Multiple Information Disclosure Vulnerabilities (CVE-2020-28582 and CVE-2020-28583)
Web Application Common
1000552* - Generic Cross Site Scripting(XSS) Prevention
1010727 - Mongo-Express Remote Code Execution Vulnerability (CVE-2019-10758)
Web Application Tomcat
1010688* - Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12617)
Web Client Common
1009779* - Microsoft Windows Multiple Security Vulnerabilities (June-2019)
1010716 - XStream Library Insecure Deserialization Vulnerability (CVE-2020-26217)
Web Server Apache
1010400* - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)
1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
Web Server Common
1010734 - Identified BumbleBee Webshell Traffic Over HTTP
1010477* - Java Unserialize Remote Code Execution Vulnerability - 1
Web Server HTTPS
1010718 - Joomla CMS 'mod_random_image' Stored Cross-Site Scripting Vulnerability (CVE-2020-15696)
1009968* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9513)
1009998* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9511)
1009944* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9512)
1010712 - WordPress 'Contact Form 7' Plugin Arbitrary File Upload Vulnerability (CVE-2020-35489)
Web Server Miscellaneous
1010662* - Atlassian Jira Information Disclosure Vulnerability (CVE-2020-14181)
1010679 - SolarWinds Network Performance Monitor 'ExportToPDF' Information Disclosure Vulnerability (CVE-2020-27870)
1010678 - SolarWinds Network Performance Monitor 'VulnerabilitySettings' Directory Traversal Vulnerability (CVE-2020-27871)
1010677 - SolarWinds Network Performance Monitor 'WriteToFile' SQL Injection Vulnerability (CVE-2020-27869)
1010717* - SolarWinds Orion Platform Authentication Bypass Vulnerability (CVE-2020-10148)
Web Server Nagios
1010696* - Nagios XI SNMP Trap SQL Injection Vulnerability
Web Server RealVNC
1010726 - LibVNCServer Denial Of Service Vulnerability (CVE-2020-25708)
Web Server SharePoint
1010702* - Microsoft SharePoint Authenticated Remote Code Execution Vulnerability (CVE-2021-1707)
1010707* - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-0971)
Webmin
1010704* - Webmin Arbitrary Remote Command Execution Vulnerability (CVE-2020-35606)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Deep Packet Inspection Rules:
CA ARCserve D2D Administration Interface
1010699 - Arcserve D2D External Entity Injection Vulnerability (CVE-2020-27858)
DNS Server
1010633* - Identified DNS Trojan.Linux.Anchor.A Traffic
1010632* - Identified DNS Trojan.Win64.Anchor.A Traffic
Directory Server LDAP
1010301* - Samba LDAP Server Denial Of Service Vulnerability (CVE-2020-10704)
Suspicious Client Ransomware Activity
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)
Suspicious Server Ransomware Activity
1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
Trend Micro OfficeScan
1010708* - Trend Micro OfficeScan Multiple Information Disclosure Vulnerabilities (CVE-2020-28582 and CVE-2020-28583)
Web Application Common
1000552* - Generic Cross Site Scripting(XSS) Prevention
1010727 - Mongo-Express Remote Code Execution Vulnerability (CVE-2019-10758)
Web Application Tomcat
1010688* - Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12617)
Web Client Common
1009779* - Microsoft Windows Multiple Security Vulnerabilities (June-2019)
1010716 - XStream Library Insecure Deserialization Vulnerability (CVE-2020-26217)
Web Server Apache
1010400* - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)
1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
Web Server Common
1010734 - Identified BumbleBee Webshell Traffic Over HTTP
1010477* - Java Unserialize Remote Code Execution Vulnerability - 1
Web Server HTTPS
1010718 - Joomla CMS 'mod_random_image' Stored Cross-Site Scripting Vulnerability (CVE-2020-15696)
1009968* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9513)
1009998* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9511)
1009944* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9512)
1010712 - WordPress 'Contact Form 7' Plugin Arbitrary File Upload Vulnerability (CVE-2020-35489)
Web Server Miscellaneous
1010662* - Atlassian Jira Information Disclosure Vulnerability (CVE-2020-14181)
1010679 - SolarWinds Network Performance Monitor 'ExportToPDF' Information Disclosure Vulnerability (CVE-2020-27870)
1010678 - SolarWinds Network Performance Monitor 'VulnerabilitySettings' Directory Traversal Vulnerability (CVE-2020-27871)
1010677 - SolarWinds Network Performance Monitor 'WriteToFile' SQL Injection Vulnerability (CVE-2020-27869)
1010717* - SolarWinds Orion Platform Authentication Bypass Vulnerability (CVE-2020-10148)
Web Server Nagios
1010696* - Nagios XI SNMP Trap SQL Injection Vulnerability
Web Server RealVNC
1010726 - LibVNCServer Denial Of Service Vulnerability (CVE-2020-25708)
Web Server SharePoint
1010702* - Microsoft SharePoint Authenticated Remote Code Execution Vulnerability (CVE-2021-1707)
1010707* - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-0971)
Webmin
1010704* - Webmin Arbitrary Remote Command Execution Vulnerability (CVE-2020-35606)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Featured Stories
When AI Becomes a Zero-Day Machine: What Public Sector Organizations Need to KnowClaude Mythos Preview shows how AI can rapidly discover and weaponize zero-day vulnerabilities—transforming once human-scale threats into machine-speed attacks. As these capabilities spread, public sector organizations must rely on trusted, proactive defenders like TrendAI™ ZDI to stay ahead of an AI-driven threat landscape.Read more
Hunt Them All: An AI-Powered Vulnerability Sweep of 19,000 MCP ServersIn this research, we analyzed over 19,000 open-source MCP server repositories to uncover how much AI-generated code they contain and how many harbor exploitable vulnerabilities.Read more
Update on Exposed MCP Servers: The Threat Widens to the CloudExposed Model Context Protocol (MCP) servers have become powerful vectors for cloud attacks, enabling threat actors to not only access sensitive data but also take control of the cloud services themselves.Read more
Old Vulnerabilities, New AI Era, Amplified Risk: How Outdated Flaws Continue to Fuel the N-Day Exploit MarketEven as AI adoption accelerates, old exploits remain overlooked weaknesses. Underground trends show a renewed demand for exploits, with cybercriminals relying on aging but still effective vulnerabilities. We examine this blind spot and why long-standing issues need to be addressed.Read more