Recently there has been information that the ProxyLogon MS Exchange vulnerability is being used by the DearCry group to run the ransomware.
I got the sample from https://any.run/
I tried to run the ransomware and AMCore 4372 did not detect this ransomware.
Thanks for your post.
You should be opening a Service Request with Support.
There is an Extra DAT available for lesser-known IOCs.
Please connect with the team and take this further.
Thank you for your post. May I request the MD5 of this sample? Let me quickly look this up internally and confirm whether we have coverage via the regular AMCore DAT or an Extra DAT. If not, I would recommend opening an SR with a coverage request, and this will be actioned as quickly as possible from our end.
Additionally, if you have any information, advisory or blog article on which CVEs from the recently released Exchange vulnerabilities are being used, kindly share the same for our investigation.
Thank you for your quick response.
I can confirm that we do detect these samples, however not via the AMCore DAT. We use GTI/Artemis to detect these samples.
This is to ensure your machines are protected instantly when they are connected to the internet. May I know if you already have a Support Request created with us on this matter? DAT-based coverage is expected soon; however, a Support Request should help us expedite it.
From my end, let me raise a request for the coverage and get back to you with the update here as well.
Thank you for your response. That is indeed a valid concern. While almost all such GTI detections eventually make it into our AMCore update, it does take a few days for them to be tested as signatures before release, depending on the threat severity.
For the given list of IOCs in the Service Request, I have verified that all of them are covered via the AMCore V3 DAT update except for the hash below:
I will have the Engineer review this one right away and get back to you with an update on the same.
Thank you for your response!
f2e22df5e284587dc36f8041129af391 and 10e8a2b044cc6e2628b48a5d9506d974 do not have a DAT based detection yet and hence I request you to kindly raise a Service Request with relevant Threat advisory so that this can be addressed ASAP.
aef2ae9b36989bab8818696de5ccd5e7 - detected as PHP/ChinaChopper by latest DAT.
I sincerely hope this helps.
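Since the thread notes that GTI/Artemis coverage only applies while a host can reach the cloud, an offline sweep against the MD5 IOCs quoted above is a practical stopgap until the DAT update lands. The following is an added example written for this page, not code from the vendor or from any poster; the directory tree it scans, the sample bytes and the `demo()` helper are constructed here purely to exercise the sweep, and the coverage notes attached to the three thread hashes are copied from the posts above.

```python
import hashlib
import os
import tempfile

# MD5 IOCs quoted in the thread above, with the coverage status each post reported.
# The mapping itself is constructed for this example.
THREAD_IOCS = {
    "f2e22df5e284587dc36f8041129af391": "no DAT-based detection yet (per thread)",
    "10e8a2b044cc6e2628b48a5d9506d974": "no DAT-based detection yet (per thread)",
    "aef2ae9b36989bab8818696de5ccd5e7": "PHP/ChinaChopper (latest DAT, per thread)",
}

# Constructed stand-in for a sample; its MD5 is added to the IOC list in demo().
SAMPLE_BYTES = b"<%@ Page Language=\"Jscript\"%> constructed demo content, not a real shell\n"


def md5_bytes(data):
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_file(path, chunk=1 << 20):
    """MD5 hex digest of a file, read in chunks so large samples do not load fully into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=THREAD_IOCS):
    """Walk root and return {path: (md5, coverage_note)} for every file whose MD5 is an IOC.

    Unreadable files (permission errors, vanished temp files) are skipped rather than
    aborting the whole sweep.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[path] = (digest, iocs[digest])
    return hits


def demo():
    """Build a constructed tree (one IOC match, one benign file) and sweep it.

    Returns (hits, sample_path) so the result can be checked programmatically.
    """
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    sample_path = os.path.join(root, "inetpub", "wwwroot", "aspnet_client", "demo.aspx")
    os.makedirs(os.path.dirname(sample_path))
    with open(sample_path, "wb") as f:
        f.write(SAMPLE_BYTES)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign file, should not match\n")

    # Extend the thread's IOC list with the hash of our constructed sample.
    iocs = dict(THREAD_IOCS)
    iocs[md5_bytes(SAMPLE_BYTES)] = "constructed sample for this demo"
    return sweep(root, iocs), sample_path


if __name__ == "__main__":
    hits, _ = demo()
    for path, (digest, note) in hits.items():
        print(f"{digest}  {path}  [{note}]")
```

Run it against a real path by calling `sweep("/path/to/scan")`; only the three thread hashes are consulted unless you pass your own `iocs` mapping. Matching MD5 alone is a coverage check for the exact files quoted in the thread, not a substitute for a signature or behavioural engine, so a miss here says nothing about whether a repacked variant is present.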