Ixia ATI Update ATI-2020-08 (385053)


New Protocols & Applications (1)

| Name | Category | Info |
|---|---|---|
| Microsoft Teams Apr20 | Voice/Video/Media | Microsoft Teams is a collaborative application for team communication and file sharing. The service is available via a web browser, a desktop app, or mobile apps for iOS and Android. |

New Super Flows (3)

| Name | Category | Info |
|---|---|---|
| Microsoft Teams Apr 20 Chat | Voice/Video/Media | Simulates a Microsoft Teams user logging in to the app, chatting with a peer, then logging out. |
| Microsoft Teams Apr 20 Screenshare | Voice/Video/Media | Simulates a Microsoft Teams user logging in to the app, sharing their screen with a peer, then logging out. |
| Microsoft Teams Apr 20 Video Call | Voice/Video/Media | Simulates a Microsoft Teams user logging in to the app, making a video call with a peer, then logging out. |

New Tests (1)

| Name | Info |
|---|---|
| Hancitor Malware April 2020 Campaign | Canned test simulating the Hancitor Malware April 2020 Campaign. |

It contains the following sequence of strikes:

| # | Strike ID | Name | Description |
|---|---|---|---|
| 1 | E20-XZ22L | Hancitor Covid Subject Phishing Email | This strike simulates a phishing email that has been seen in the wild during the COVID-19 pandemic. This specific phishing attempt is related to the Hancitor April 2020 malware campaign and tries to trick the user into clicking a malicious link by using COVID-19 insurance as a lure. From the headers we can see the email was originally sent from a Russian TLD, which has been associated with other phishing-related attacks. |
| 2 | M20-Haacd1 | Hancitor Malware Infection Apr 2020 'vbs' File transfer | This strike simulates the network transfer of the Hancitor Malware Infection Apr 2020 'vbs' module. |
| 3 | B20-bje71 | Hancitor Malware April 2020 Campaign Command and Control Data Exfiltration | This strike simulates the Hancitor Malware April 2020 Campaign command and control traffic that occurs after installing the 'VBS' module, in the following steps: (1) the client sends an HTTP GET request and the server replies with the client's IP address; (2) host and OS-version data is exfiltrated via an HTTP GET request and the server replies with the URL list used for the next phase of the attack, encoded as Base64Encode(XOR(URL_List)); (3) the client sends an HTTP POST request and the server replies with unknown binary data. |
| 4 | B20-k4zy1 | Hancitor Malware April 2020 Campaign Command and Control File Transfer | This strike simulates the primary payload being delivered in the Hancitor Malware April 2020 Campaign command and control traffic after installing the 'VBS' module. The strike performs two unknown payload downloads by making the requests GET /1 and GET /2. The generated traffic appears to be an SSL download of something over a non-standard port (80). |

The first strike sends a phishing email mentioning COVID-19 that contains a link. As if the user had clicked that link, the next strike performs an HTTP GET request that downloads a 'VBS' module. Executing the 'VBS' module exfiltrates host information to the attacker-controlled malware server, after which the victim receives an encoded URL list from the malicious server pointing to the Hancitor payload. Finally, the Hancitor payload is downloaded via an HTTP request. When executed, it sends requests to specific URIs, which most likely signals to the attacker that the host has been successfully compromised.
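Step 2 of the C2 strike describes the server's reply as Base64Encode(XOR(URL_List)). The following is an added example, not code from the ATI update or from the Hancitor sample, showing how an analyst could recover the URL list from such a response when the key is unknown; the single-byte XOR key, the '|' separator between URLs and the sample URLs are assumptions constructed for this example.

```python
import base64

# Assumed for this example: a single-byte XOR key (the page does not state the key).
ASSUMED_KEY = 0x7A
# Assumed for this example: URLs are joined with '|' before encoding.
SEPARATOR = "|"


def encode_url_list(urls, key=ASSUMED_KEY):
    """Build a sample response shaped like Base64Encode(XOR(URL_List)).

    Used only to construct test input for the decoder below."""
    plaintext = SEPARATOR.join(urls).encode()
    return base64.b64encode(bytes(b ^ key for b in plaintext)).decode()


def decode_url_list(blob, key):
    """Undo the encoding with a known key: Base64-decode, then XOR every byte."""
    raw = base64.b64decode(blob)
    return bytes(b ^ key for b in raw).decode("latin-1")


def recover_url_list(blob):
    """Analyst helper: try every single-byte key and keep those whose output
    is a non-empty list of http(s) URLs. Returns [(key, urls), ...]."""
    candidates = []
    for key in range(256):
        text = decode_url_list(blob, key)
        urls = [u for u in text.split(SEPARATOR) if u]
        if urls and all(u.startswith(("http://", "https://")) for u in urls):
            candidates.append((key, urls))
    return candidates


# Constructed sample response; the hostnames are placeholders, not real IoCs.
SAMPLE_URLS = ["http://c2.example.invalid/1", "http://c2.example.invalid/2"]
SAMPLE_RESPONSE = encode_url_list(SAMPLE_URLS)

if __name__ == "__main__":
    for key, urls in recover_url_list(SAMPLE_RESPONSE):
        print(f"key=0x{key:02x}: {urls}")
```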

New Strikes (7)

| CVSS | ID | References | Category | Info |
|---|---|---|---|---|
| 10.0 | E20-5l8a2 | CVE-2018-14714; CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C); CVSSV3-9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; URL | Exploits | A command injection vulnerability exists in ASUSWRT firmware version 3.0.0.4.382.50624 and earlier. The flaw results from a lack of user input validation for HTTP parameters on the 'appGet.cgi' path. By sending a crafted 'hook' parameter, a remote attacker may execute arbitrary OS commands as the 'root' user. |
| 10.0 | E20-7smt2 | CVE-2019-17621; CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C); CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; URL | Exploits | A remote command injection vulnerability exists in D-Link DIR-859 routers due to a lack of user input validation. By exploiting the flaw, a remote unauthenticated attacker may execute arbitrary system commands by sending a crafted UPnP 'SUBSCRIBE' request. |
| 10.0 | E20-5k623 | CVE-2018-13338; CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C); CVSSV3-9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; URL | Exploits | This strike exploits a vulnerability in the TerraMaster NAS device. The device allows command line arguments to be passed to the system during the creation of a user but does not properly validate the arguments passed. It is possible to execute system commands as the root user on a vulnerable device. |
| 10.0 | E20-5k601 | CVE-2018-13336; CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C); CVSSV3-9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; URL | Exploits | This strike exploits a vulnerability in the TerraMaster NAS device. The device allows command line arguments to be passed to the system during the creation of a user but does not properly validate the arguments passed via the password parameter. It is possible to execute system commands as the root user on a vulnerable device. |
| 9.3 | E20-0yzm1 | CVE-2020-0738; CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C); CVSSV3-8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; URL | Exploits | A memory corruption vulnerability has been reported in the Windows Media Foundation component of Microsoft Windows. The vulnerability is due to improper handling of objects in memory. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted ASF media file. Successful exploitation could result in the execution of arbitrary code within the context of the user running the application. |
| 9.3 | E20-0rt21 | CVE-2019-1430; CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C); CVSSV3-7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; URL | Exploits | A memory corruption vulnerability has been reported in the Windows Media Foundation component of Microsoft Windows. The vulnerability is due to improper handling of objects in memory. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted QuickTime media file. Successful exploitation could result in the execution of arbitrary code within the context of the user running the application. |
| 5.0 | E20-XZ22L | CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N); CVSSV3-4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N; URL | Phishing | This strike simulates a phishing email that has been seen in the wild during the COVID-19 pandemic. This specific phishing attempt is related to the Hancitor April 2020 malware campaign and tries to trick the user into clicking a malicious link by using COVID-19 insurance as a lure. From the headers we can see the email was originally sent from a Russian TLD, which has been associated with other phishing-related attacks. |