Release notes for update package 1479-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:     Tuesday June 21, 2022
MD5 CHECKSUM:     d72a921d470bdd8f2619aefad9d2c4dd
SHA1 CHECKSUM:     9daa5c837d8b908c96f91feb7c5937bf6ead7e05
SHA256 CHECKSUM:     3095d672c3a6cf70e789135c37d665db608fdfca192204ff104849d131455f03

UPDATE CRITICALITY:    HIGH
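Before importing the package, verify the downloaded file against the digests listed above. The following is an added example, not Forcepoint tooling: a Python check that reads the file once, feeds all three algorithms, and compares each computed digest with the published one. Only SHA-256 is still collision-resistant; MD5 and SHA-1 are published for older tooling, but a mismatch on any of the three means the file is not the one the vendor published and the import should stop. The digests in `PUBLISHED_DIGESTS` are copied from this page; the test vectors used in the usage notes are the standard `abc` and empty-input values.

```python
"""Verify a downloaded update package against the digests in its release note (added example)."""
import hashlib
import hmac

# Digests copied from the release note for package 1479-5242.
PUBLISHED_DIGESTS = {
    "md5": "d72a921d470bdd8f2619aefad9d2c4dd",
    "sha1": "9daa5c837d8b908c96f91feb7c5937bf6ead7e05",
    "sha256": "3095d672c3a6cf70e789135c37d665db608fdfca192204ff104849d131455f03",
}


def digest_chunks(chunks, algorithms=("md5", "sha1", "sha256")):
    """Hash an iterable of byte chunks once, feeding every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-megabyte package is not read into memory at once."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def check_digests(actual, expected):
    """Compare every published digest with the computed one.

    Returns (accept, per_algorithm). All published digests must match: MD5 and
    SHA-1 cannot vouch for the file on their own, but a mismatch on any of them
    still proves the file differs from what the vendor published.
    """
    per_algorithm = {}
    for name, want in expected.items():
        got = actual.get(name, "")
        # compare_digest is the habit for digest comparison; lower() tolerates
        # upper-case hex printed by other tools (e.g. certutil on Windows).
        per_algorithm[name] = hmac.compare_digest(got.lower(), want.lower())
    return all(per_algorithm.values()), per_algorithm


if __name__ == "__main__":
    import sys
    accept, detail = check_digests(digest_file(sys.argv[1]), PUBLISHED_DIGESTS)
    for name, ok in detail.items():
        print(f"{name:7s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if accept else 1)
```

Run it as `python verify_update.py 1479-5242.jar` (file name assumed); a non-zero exit on any mismatch makes it safe to wire into a download script. If a digest is missing from `actual` (for example MD5 disabled on a FIPS host), that algorithm is reported as a mismatch rather than silently skipped.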

List of detected attacks in this update package (one row per situation; the PingPull and VShell situations each have several fingerprints, listed under DETECTED ATTACKS):

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in Mautic detected. | CVE-2022-25772 | Acquia-Mautic-Tracking-Pixel-Stored-Cross-Site-Scripting
High | PingPull remote access trojan command and control traffic detected (HTTP, TCP and ICMP fingerprints). | No CVE/CAN | PingPull-Trojan-C2-Traffic
High | An attempt to exploit a vulnerability in VanDyke VShell detected (FTP and HTTP fingerprints). | CVE-2022-28054 | Vandyke-Vshell-Server-Trigger-Command-Injection


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Acquia-Mautic-Tracking-Pixel-Stored-Cross-Site-Scripting | CVE-2022-25772 | HTTP_CS-Acquia-Mautic-Tracking-Pixel-Stored-Cross-Site-Scripting | Suspected Compromise
High | PingPull-Trojan-C2-Traffic | No CVE/CAN | HTTP_CS-PingPull-Trojan-C2-HTTP-Traffic | Suspected Compromise

FTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Vandyke-Vshell-Server-Trigger-Command-Injection | CVE-2022-28054 | FTP_CS-Vandyke-Vshell-Server-Trigger-Command-Injection | Suspected Compromise

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | PingPull-Trojan-C2-Traffic | No CVE/CAN | Generic_CS-PingPull-Trojan-C2-TCP-Traffic | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Vandyke-Vshell-Server-Trigger-Command-Injection | CVE-2022-28054 | HTTP_CRL-Vandyke-Vshell-Server-Trigger-Command-Injection | Suspected Compromise

ICMP Request Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | PingPull-Trojan-C2-Traffic | No CVE/CAN | ICMP_PingPull-Trojan-C2-ICMP-Echo-Request-Traffic | Suspected Compromise

Updated detected attacks:

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Sophos-Firewall-Authentication-Bypass-CVE-2022-1040 | CVE-2022-1040 | HTTP_CRL-Sophos-Firewall-Authentication-Bypass-CVE-2022-1040 | Suspected Compromise
Changes:
Description has changed
Fingerprint regexp changed
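The tables above arrive as flat text, while a SOC team that tracks which CVEs each update package adds or changes coverage for wants them as records it can diff against an asset inventory. The following is an added example, not Forcepoint code: a Python parser for the table layout used in these release notes, accepting both the whitespace-separated and the pipe-separated form. It assumes the risk vocabulary Low/Medium/High/Critical and relies on the fingerprint name being the only cell with an underscore-joined protocol prefix (HTTP_CS-, FTP_CS-, Generic_CS-, ICMP_, HTTP_CRL-), which is what lets it find the column boundary when the References cell is the two-word "No CVE/CAN". The embedded sample is this page's own Detected Attacks section in its original whitespace form.

```python
"""Turn the detection tables of a Forcepoint update release note into records (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

RISK_LEVELS = {"Low", "Medium", "High", "Critical"}  # assumed risk vocabulary
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
FINGERPRINT_RE = re.compile(r"^[A-Za-z]+_[A-Za-z0-9]")  # HTTP_CS-..., ICMP_..., Generic_CS-...


@dataclass
class DetectionRow:
    context: str          # inspection context heading, e.g. "HTTP Client Stream"
    risk: str
    situation: str        # Vulnerability/Situation name
    references: str       # "CVE-2022-25772", "No CVE/CAN", ...
    fingerprint: str
    situation_type: str   # e.g. "Suspected Compromise"
    changes: list = field(default_factory=list)  # change-description lines under an updated row

    @property
    def cves(self):
        return CVE_RE.findall(self.references)


def parse_row(context, line):
    """Return a DetectionRow for a table row, or None for any other line."""
    tokens = line.replace("|", " ").split()  # handles space- and pipe-separated rows alike
    if len(tokens) < 5 or tokens[0] not in RISK_LEVELS:
        return None
    # References has a variable word count, so locate the fingerprint cell and
    # take everything between the situation name and it as the references.
    fp_idx = next((i for i, t in enumerate(tokens) if i >= 2 and FINGERPRINT_RE.match(t)), None)
    if fp_idx is None:
        return None
    return DetectionRow(context, tokens[0], tokens[1], " ".join(tokens[2:fp_idx]),
                        tokens[fp_idx], " ".join(tokens[fp_idx + 1:]))


def parse_release_note(text):
    rows, context, prev_blank = [], None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            prev_blank = True
            continue
        if line.startswith("Risk") or line.endswith(":"):  # column header or section label
            prev_blank = False
            continue
        row = parse_row(context, line)
        if row:
            rows.append(row)
        elif prev_blank:      # a bare line after a blank line is a new context heading
            context = line
        elif rows:            # a bare line directly under a row is its change description
            rows[-1].changes.append(line)
        prev_blank = False
    return rows


def coverage_summary(rows):
    """CVE -> fingerprints covering it, and situation -> contexts it is detected in."""
    by_cve, by_situation = defaultdict(set), defaultdict(set)
    for r in rows:
        by_situation[r.situation].add(r.context)
        for cve in r.cves:
            by_cve[cve].add(r.fingerprint)
    return dict(by_cve), dict(by_situation)


# Constructed sample: the Detected Attacks section of this release note, verbatim.
SAMPLE_NOTE = """\
New detected attacks:

HTTP Client Stream

Risk Vulnerability/Situation References Related Fingerprint Situation Type
High Acquia-Mautic-Tracking-Pixel-Stored-Cross-Site-Scripting CVE-2022-25772 HTTP_CS-Acquia-Mautic-Tracking-Pixel-Stored-Cross-Site-Scripting Suspected Compromise
High PingPull-Trojan-C2-Traffic No CVE/CAN HTTP_CS-PingPull-Trojan-C2-HTTP-Traffic Suspected Compromise

FTP Client Stream

Risk Vulnerability/Situation References Related Fingerprint Situation Type
High Vandyke-Vshell-Server-Trigger-Command-Injection CVE-2022-28054 FTP_CS-Vandyke-Vshell-Server-Trigger-Command-Injection Suspected Compromise

TCP Client Stream Unknown

Risk Vulnerability/Situation References Related Fingerprint Situation Type
High PingPull-Trojan-C2-Traffic No CVE/CAN Generic_CS-PingPull-Trojan-C2-TCP-Traffic Suspected Compromise

HTTP Normalized Request-Line

Risk Vulnerability/Situation References Related Fingerprint Situation Type
High Vandyke-Vshell-Server-Trigger-Command-Injection CVE-2022-28054 HTTP_CRL-Vandyke-Vshell-Server-Trigger-Command-Injection Suspected Compromise

ICMP Request Stream

Risk Vulnerability/Situation References Related Fingerprint Situation Type
High PingPull-Trojan-C2-Traffic No CVE/CAN ICMP_PingPull-Trojan-C2-ICMP-Echo-Request-Traffic Suspected Compromise

Updated detected attacks:

HTTP Normalized Request-Line

Risk Vulnerability/Situation References Related Fingerprint Situation Type Change Description
High Sophos-Firewall-Authentication-Bypass-CVE-2022-1040 CVE-2022-1040 HTTP_CRL-Sophos-Firewall-Authentication-Bypass-CVE-2022-1040 Suspected Compromise
Description has changed
Fingerprint regexp changed
"""

if __name__ == "__main__":
    by_cve, by_situation = coverage_summary(parse_release_note(SAMPLE_NOTE))
    for cve, fps in sorted(by_cve.items()):
        print(cve, "->", ", ".join(sorted(fps)))
    for situation, contexts in sorted(by_situation.items()):
        print(situation, "->", ", ".join(sorted(contexts)))
```

On this page the summary yields three CVEs, with CVE-2022-28054 covered by two fingerprints (FTP and HTTP request line) and the PingPull situation spanning three inspection contexts; the updated Sophos row keeps its two change-description lines, which is the signal that an existing rule's regexp was retuned and may behave differently on traffic it previously matched.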

LIST OF OTHER CHANGES:

New objects:

Type Name
Category Mautic
Category VanDyke VShell

Updated objects:

Type Name Changes
IPList Iraq
IPList Saudi Arabia
IPList Iran
IPList Cyprus
IPList Armenia
IPList DR Congo
IPList Seychelles
IPList Jordan
IPList Lebanon
IPList Kuwait
IPList Oman
IPList Qatar
IPList United Arab Emirates
IPList Israel
IPList Turkey
IPList Ethiopia
IPList Eritrea
IPList Egypt
IPList Greece
IPList Burundi
IPList Estonia
IPList Latvia
IPList Azerbaijan
IPList Lithuania
IPList Moldova
IPList Finland
IPList Ukraine
IPList North Macedonia
IPList Hungary
IPList Bulgaria
IPList Poland
IPList Romania
IPList Zimbabwe
IPList Mauritius
IPList Eswatini
IPList Réunion
IPList South Africa
IPList Mayotte
IPList Madagascar
IPList Afghanistan
IPList Pakistan
IPList Bangladesh
IPList Turkmenistan
IPList Sri Lanka
IPList India
IPList Nepal
IPList Kazakhstan
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Macao
IPList Cambodia
IPList South Korea
IPList Japan
IPList Singapore
IPList Russia
IPList Australia
IPList Norfolk Island
IPList New Zealand
IPList Libya
IPList Cameroon
IPList Portugal
IPList Liberia
IPList Nigeria
IPList Burkina Faso
IPList Benin
IPList Sierra Leone
IPList Gibraltar
IPList Tunisia
IPList Spain
IPList Denmark
IPList Iceland
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList France
IPList Liechtenstein
IPList Jersey
IPList Guernsey
IPList Slovakia
IPList Czechia
IPList Norway
IPList Italy
IPList Slovenia
IPList Montenegro
IPList Croatia
IPList Angola
IPList Namibia
IPList Barbados
IPList Guyana
IPList French Guiana
IPList Paraguay
IPList Uruguay
IPList Brazil
IPList Falkland Islands
IPList South Georgia and the South Sandwich Islands
IPList Dominican Republic
IPList Martinique
IPList Bahamas
IPList Anguilla
IPList Trinidad and Tobago
IPList St Kitts and Nevis
IPList Dominica
IPList Antigua and Barbuda
IPList Saint Lucia
IPList Turks and Caicos Islands
IPList Aruba
IPList British Virgin Islands
IPList St Vincent and Grenadines
IPList Saint Martin
IPList Guadeloupe
IPList Grenada
IPList Cayman Islands
IPList Belize
IPList El Salvador
IPList Guatemala
IPList Honduras
IPList Costa Rica
IPList Venezuela
IPList Ecuador
IPList Colombia
IPList Panama
IPList Haiti
IPList Argentina
IPList Chile
IPList Bolivia
IPList Peru
IPList Mexico
IPList Northern Mariana Islands
IPList Guam
IPList Puerto Rico
IPList U.S. Virgin Islands
IPList U.S. Outlying Islands
IPList Canada
IPList United States
IPList Serbia
IPList Sint Maarten
IPList Curaçao
IPList Bonaire, Sint Eustatius, and Saba
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList Amazon EC2
IPList Google Servers
IPList TOR relay nodes IP Address List
IPList Microsoft Azure datacenter for centralus
IPList Microsoft Azure datacenter for eastus2euap
IPList Microsoft Azure datacenter for eastus2
IPList Microsoft Azure datacenter for eastus
IPList Microsoft Azure datacenter for japanwest
IPList Microsoft Azure datacenter for northeurope
IPList Microsoft Azure datacenter for southcentralus
IPList Microsoft Azure datacenter for westeurope
IPList Microsoft Azure datacenter
IPList Incapsula
IPList Microsoft Azure service for AzureVideoAnalyzerForMedia
IPList Okta IP Address List
IPList Botnet IP Address List
IPList Malicious Site IP Address List
IPList Amazon AMAZON ap-southeast-1
IPList Amazon AMAZON eu-west-1
IPList Amazon AMAZON us-east-1
IPList Amazon AMAZON us-west-1
IPList Amazon AMAZON us-west-2
IPList Amazon EC2 us-west-2
IPList Microsoft Azure datacenter for germanywc
IPList Microsoft Azure service for AzureCloud
IPList Microsoft Azure service for AzureFrontDoor_Backend
IPList Microsoft Azure service for AzureFrontDoor_Frontend
IPList Microsoft Azure service for AzureSignalR
IPList Microsoft Azure service for Sql
IPList Microsoft Azure service for SqlManagement
IPList Microsoft Azure service for AzureUpdateDelivery
IPList Microsoft Azure datacenter for usstagee
IPList Microsoft Azure datacenter for polandcentral
IPList Microsoft Azure service for PowerPlatformInfra
Situation HTTP_CSU-Shared-Variables
Situation HTTP_CSH-Shared-Variables
Fingerprint regexp changed
Application TeamViewer
Application detection context content changed

DISCLAIMER AND COPYRIGHT

Copyright © 2022 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.