Share on:

Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we’ve made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we’ll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you’re lucky.

Introduction and Overview

This week was partially wrapping up new detections and also some new marketing content. Over the next few months we might be a tad slower releasing detections. They say you have to sometimes slow down to go faster. We’re building some new internal systems that will allow us to do just that. As we grow and mature, so must our tooling!

New Detections

This update introduces several new detections, including:

SonicWall: Configuration Change

I don’t think you need much explanation with that title. However it does log on SW Event IDs 1382, 1383, and 1432.

  • Status: Disabled
  • Log type requirement: SonicWall Traffic

VSSAdmin Shadow Copy Deletion Command

Shadow copy deletion commands are monitored to identify unauthorized or malicious activity. Threat actors such as Black Basta, Phobos, and others have been observed deleting shadow copies after data exfiltration to inhibit the recovery of encrypted systems and/or data.

  • Status: Enabled
  • Log type requirement: Windows and Blumira Agent for Windows

IDE Content

Of course we’re going to sneak some of our other content into detection updates!

CVE-2024-3094: xz-utils (liblzma) Backdoor

An ongoing wrap-up of one of the most extensive and interesting backdoors in recent history. The xz-utils package, versions 5.6.0 and 5.6.1, has been identified as containing a backdoor in a compromised library dependency liblzma5. The presence of the backdoor potentially allows unauthorized access to affected systems through the manipulation of the sshd authentication process. This issue has been assigned CVE-2024-3094 and given a CVSS severity score of 10.0 Critical.

Announcing the First Annual Blumira Awards

As someone who’s loves diving into the data behind our detections, in partnership with our marketing team we decided to have a little fun with that information this year. We took some of our more interesting detections and themes that we saw over all of 2023 and ranked them into categories for you!

Security news and stories right to your inbox!