ATI Update ATI-2020-25

Note: This is a special ATI release addressing the recent SolarWinds Sunburst trojan attack. It simulates both the transfer of the trojanized Orion update file (the infection vector) and the Command-and-Control traffic generated by the trojanized Orion component. For more information on what ATI is doing to address the Sunburst attack, please see this blog entry.

New Protocols & Applications (1)

Name | Category | Info
Bilibili Dec20 | Voice/Video/Media | Bilibili is a Chinese video website. It allows users to view, upload, comment on and share videos.

New Superflows (2)

Name | Category | Info
Bilibili Dec20 | Voice/Video/Media | Simulates Bilibili as of December 2020. The user opens the website, browses video lists, watches videos and uploads videos.
Bilibili Dec20 Authentication | Voice/Video/Media | Simulates Bilibili authentication as of December 2020.

New Strikes (1)

ID | References | Category | Info
G20-peg51 | URL, URL | Generic | This strike simulates the HTTP requests sent by a host infected with the Sunburst malware. An infected host may periodically send one or more such requests; any request to these URLs should be treated as an Indicator of Compromise (IoC).

Enhancements

Component | Info
StrikeList | New Strike List "Sunburst Indicators of Compromise". FireEye has released a list of Indicators of Compromise to identify hosts infected with the Sunburst malware; this strikelist contains strikes that simulate traffic originating from such a host. Reference: https://github.com/fireeye/sunburst_countermeasures/tree/main/rules/SUNBURST/snort
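The strike above simulates the periodic HTTP requests of an infected host, and the strikelist exists so that a monitoring stack can be checked against them. The following is an added example of the matching side, written for this release note and not part of the ATI product or the FireEye countermeasures: it parses a constructed proxy log, flags requests that hit host or URI indicators, and separately flags (client, host) pairs whose request timing looks like a regular beacon. The host indicator avsvmcloud.com is the Sunburst C2 domain named in FireEye's public analysis; the URI regex and the log format are placeholders chosen for illustration, and in practice the indicators should be loaded from the FireEye repository linked above.

```python
"""Added example: match HTTP proxy log lines against Sunburst-style IoCs."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# avsvmcloud.com is the Sunburst C2 domain from FireEye's public analysis.
# The URI regex is a placeholder for illustration; load the authoritative
# patterns from https://github.com/fireeye/sunburst_countermeasures instead.
HOST_IOCS = ("avsvmcloud.com",)
URI_IOCS = (re.compile(r"^/swip/upd/[^/]+\.xml$"),)  # placeholder pattern

# Constructed log format: "<ISO timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Constructed sample log: 10.0.0.5 beacons roughly every ten minutes to a
# constructed subdomain of the C2 domain; 10.0.0.7 is benign traffic.
SAMPLE_LOG = """\
2020-12-15T10:00:00Z 10.0.0.5 GET https://abc123.appsync-api.eu-west-1.avsvmcloud.com/swip/upd/Orion.Wireless.xml 200
2020-12-15T10:03:12Z 10.0.0.7 GET https://www.example.com/index.html 200
2020-12-15T10:10:00Z 10.0.0.5 GET https://abc123.appsync-api.eu-west-1.avsvmcloud.com/swip/upd/Orion.Wireless.xml 200
2020-12-15T10:20:10Z 10.0.0.5 HEAD https://abc123.appsync-api.eu-west-1.avsvmcloud.com/swip/upd/Orion.Wireless.xml 200
2020-12-15T10:25:00Z 10.0.0.7 GET https://cdn.example.net/static/app.js 304
2020-12-15T10:29:50Z 10.0.0.5 GET https://abc123.appsync-api.eu-west-1.avsvmcloud.com/swip/upd/Orion.Wireless.xml 200
"""


def parse_log(text):
    """Parse log lines into dicts with host and path split out; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        parts = urlsplit(url)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "host": (parts.hostname or "").lower(),
            "path": parts.path,
            "status": int(status),
        })
    return records


def host_matches(host, ioc):
    """Exact match or any subdomain; Sunburst DGA names are subdomains of the C2 domain."""
    return host == ioc or host.endswith("." + ioc)


def match_iocs(records):
    """Return (client, host, path, reasons) for every request that hits an indicator."""
    hits = []
    for r in records:
        reasons = [f"host:{ioc}" for ioc in HOST_IOCS if host_matches(r["host"], ioc)]
        reasons += [f"uri:{p.pattern}" for p in URI_IOCS if p.match(r["path"])]
        if reasons:
            hits.append((r["client"], r["host"], r["path"], reasons))
    return hits


def beacon_candidates(records, min_requests=3, max_jitter=0.2):
    """Flag (client, host) pairs whose inter-request gaps are nearly regular.

    Regularity is measured as population stdev / mean of the gaps; a small
    ratio means the client talks to that host on a near-fixed schedule.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["time"])
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in match_iocs(recs):
        print("IoC hit:", hit)
    for pair in beacon_candidates(recs):
        print("beacon-like:", pair)
```

The two checks are deliberately independent: an IoC hit is actionable on its own, while the beaconing heuristic is a lower-confidence signal that still fires when an operator's indicator list is stale, which is the situation the strikelist above is meant to exercise.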

Defects Resolved

Ticket | Info
ATIBPS-16770 | Added the missing descriptions for all flow-level and action-level parameters of the FTP application.
ATIBPS-17143 | Fixed the content-boundary field of the HTTP protocol.
ATIBPS-17186 | Changed the category of CN/IP and DLMS (both protocols and superflows) to SCADA.