Endpoint Protection


Symantec Definitions to Detect TA17-117A Intrusions Affecting Multiple Victims Across Multiple Sectors

  • 1.  Symantec Definitions to Detect TA17-117A Intrusions Affecting Multiple Victims Across Multiple Sectors

    Posted Apr 28, 2017 12:25 PM

    I would like to know when Symantec has definitions to detect TA17-117A Intrusions Affecting Multiple Victims Across Multiple Sectors (https://www.us-cert.gov/ncas/alerts/TA17-117A) and then the corresponding definition versions, which will detect this threat.


    Thanks,

    Scott



  • 2.  RE: Symantec Definitions to Detect TA17-117A Intrusions Affecting Multiple Victims Across Multiple Sectors

    Posted May 02, 2017 02:07 AM

    Hi Scott,

    This is not a single threat, but rather a campaign using a number of different malware threats.  The three that are documented in that link are RedLeaves, PlugX and Sogu.

    I cannot find anything from Symantec for RedLeaves; possibly it is detected under a different name. Hopefully a Symantec employee can chime in with some info on that one.

    Sogu has been detected by Symantec since July 2011: https://www.symantec.com/security_response/writeup.jsp?docid=2011-073003-5345-99

    PlugX has been detected by Symantec since June 2012: https://www.symantec.com/security_response/writeup.jsp?docid=2012-062914-2531-99

    Note that PlugX is detected as Backdoor.Korplug and Bloodhound.Exploit.457.

    Hope this helps,

    Steve




  • 3.  RE: Symantec Definitions to Detect TA17-117A Intrusions Affecting Multiple Victims Across Multiple Sectors

    Posted May 02, 2017 06:04 AM

    Hi Scott K,

    Thanks for the post.  This is an alert regarding the Cloud Hopper campaign that has been in the news recently.  Symantec Security Response has been monitoring the APT group responsible for many years.  I can confirm that more than a dozen different AV and IPS signatures are in place against the tools known to be used, and these defenses are continuously improved in response to new samples that are encountered.

    Be sure that the environment is hardened, that all SEP components are in use, and that end users are trained to recognize phishing mails.  This article has many good tips:

    Symantec Endpoint Protection – Best Practices
    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0



  • 4.  RE: Symantec Definitions to Detect TA17-117A Intrusions Affecting Multiple Victims Across Multiple Sectors

    Posted May 02, 2017 12:55 PM

    Thanks Steve, that helps.