ATI Update ATI-2020-14

New Protocols & Applications (2)

| Name | Category | Info |
| --- | --- | --- |
| Threema | Chat/IM | Threema is an end-to-end encrypted instant messaging application available for iOS and Android. The software is based on privacy-by-design principles, and the service does not require users to provide a phone number or any other personally identifiable information. Threema is developed by the Swiss company Threema GmbH. |
| Viber Jul20 | VoIP | Rakuten Viber, or simply Viber, is a cross-platform voice over IP (VoIP) and instant messaging (IM) software application. Users are registered and identified through a cellular telephone number, although the service is accessible on desktop platforms without needing mobile connectivity. In addition to instant messaging, it allows users to exchange media such as images and video recordings. |

New Super Flows (6)

| Name | Category | Info |
| --- | --- | --- |
| Facebook Watch Video (Mobile) | Voice/Video/Media | This is a simulation of Facebook Video streams in the mobile client app. The video streams are shared on Facebook Pages and the Facebook Watch platform. They are commonly used for public distribution of media content and appear in users' Home screens with the auto-play feature. This simulation consists of 4 video streams delivered from Facebook CDNs using a proprietary implementation of DASH technology over TLS. |
| Threema Chat | Chat/IM | This is a simulation of a chat between two users of the Threema mobile app. The number of messages in the chat and the chat type are configurable. The chat occurs through a Threema chat server that forwards messages to the intended recipients. Only the communication protocol between a Threema mobile client and a Threema chat server is covered in this simulation. The chat server acknowledges every message received from the Threema mobile client. Conversely, the Threema mobile client acknowledges every message received from the user's correspondent, forwarded by the Threema chat server. |
| Threema Message Exchange | Chat/IM | This is a simulation of a message exchange between two users of the Threema mobile app. The exchange occurs through a Threema chat server that forwards messages to the intended recipients. Only the communication protocol between a Threema mobile client and a Threema chat server is covered in this simulation. The chat server acknowledges every message received from the Threema mobile client. Conversely, the Threema mobile client acknowledges every message received from the user's correspondent, forwarded by the Threema chat server. |
| Viber Jul20 Chat | Chat/IM | Simulates the use of the chat functionality. A user logs into the Viber desktop client, sends and receives messages, stickers and photos, and then logs out. |
| Zoom Meeting Audio-Only | Voice | This is a simulation of the Zoom Conference Meeting (version >= 4.6) application with two users: User-1 with a mobile client, and User-2 with a PC client. User-1 has hosted the meeting; User-2 joins the meeting and initiates an audio call for 15 seconds. |
| Zoom Meeting Audio/Video | Voice/Video/Media | This is a simulation of the Zoom Conference Meeting (version >= 4.6) application with two users: User-1 with a mobile client, and User-2 with a PC client. User-1 has hosted the meeting; User-2 joins the meeting and initiates a video call (with audio) for 15 seconds. |

New Security Tests (1)

| Name | Info |
| --- | --- |
| LokiBot Oct 2017 Malware Campaign | This strikelist contains 3 strikes simulating the 'LokiBot Oct 2017 Malware Campaign'. |

1. The first strike sends a phishing email with a malicious Word document attachment.
2. The second strike simulates the download of the LokiBot malware. Once a user has opened the malicious document from the phishing email, the LokiBot malware is downloaded via an HTTP GET request.
3. In the third strike, the victim issues an HTTP POST request containing host information such as the hostname. The attacker replies with a 404 File Not Found. This client-server exchange occurs 3 times.

It contains the following sequence of strikes:
1) /strikes/phishing/lokibot_order_detail_subject_phishing_email.xml
2) /strikes/malware/apt/lokibot_oct_2017_campaign/lokibot_oct_2017_campaign_hta_filetransfer.xml
3) /strikes/botnets/apt/lokibot_oct_2017_campaign/lokibot_oct_2017_campaign_lokibot_command_control.xml

| # | Strike ID | Name | Description |
| --- | --- | --- | --- |
| 1 | P20-1hl31 | LokiBot Order Detail Subject Phishing Email | This strike simulates a phishing email that has been seen in the wild and contains a malicious file which downloads the LokiBot malware. This specific phishing attempt is related to the 'LokiBot Oct 2017 Malware Campaign', which attempts to entice a user to open the malicious file attachment using a Subject of 'News about your order'. |
| 2 | B17-o8c01 | LokiBot Oct 2017 Malware Campaign - HTA File Transfer | This strike simulates the download of a malicious .hta file in the 'LokiBot Oct 2017 Malware Campaign' via an HTTP request. The traffic occurs after executing the Word attachment from the phishing email. The .hta file is often downloaded by pre-stage malware, such as Word files with embedded macros, or distributed via the 'LokiBot malware campaign phishing email'. |
| 3 | B217-qzr01 | LokiBot Oct 2017 Malware Campaign - LokiBot Command and Control | This strike simulates the 'LokiBot Oct 2017 Malware Campaign - LokiBot Command and Control' traffic that occurs after executing the LokiBot malware. |

New Strikes (9)

| CVSS | ID | References | Category | Info |
| --- | --- | --- | --- | --- |
| 10.0 | E20-0zgm1 | CVE-2020-1350, CVSS, CVSSv3, URL | Exploits | This strike exploits an integer overflow vulnerability in Microsoft DNS Server. This vulnerability is due to improper validation of Resource Records within a Dynamic Update DNS query. An attacker could exploit this vulnerability by sending a crafted Dynamic Update DNS query to the target server. NOTE: This form of direct attack requires the target server to have Dynamic Updates enabled for the domain used in the exploit. Successful exploitation could lead to remote code execution in the context of Domain Administrator. |
| 10.0 | E20-14ks1 | CVE-2020-7980, CVSS, CVSSv3, URL | Exploits | A remote command injection vulnerability exists in Intellian Aptus Web due to a lack of user authentication when handling HTTP CGI requests. By sending a crafted JSON file with a POST request, a remote unauthenticated attacker may execute arbitrary system commands as the system's superuser. |
| 10.0 | E20-12z21 | CVE-2020-5902, CVSS, CVSSv3, EXPLOITDB-48642, EXPLOITDB-48643 | Exploits | This strike exploits a directory traversal vulnerability in multiple F5 BIG-IP products. The vulnerability is due to improper handling of user-supplied paths in HTTP requests. A remote, unauthenticated attacker could exploit this by sending a maliciously crafted request to the server. A successful attack may result in arbitrary file read, file write or remote code execution in the security context of ROOT. |
| 9.0 | E20-11k41 | CVSS, CVSSv3, EXPLOITDB-48676 | Exploits | A remote code execution vulnerability exists in Wing FTP Server due to a lack of user input sanitization in the Lua Console feature. By sending a crafted 'command' POST parameter, an authenticated user could execute arbitrary commands as the superuser. |
| 9.0 | E20-5k6m1 | CVE-2018-13358, CVSS, CVSSv3, URL | Exploits | This strike exploits a vulnerability in the TerraMaster NAS device. This device allows command line arguments to be passed to the system during the creation of a user but does not properly validate the arguments passed via the checkName parameter. It is possible to execute system commands as the root user on a vulnerable device. |
| 9.0 | E20-7rdc1 | CVE-2019-15984, CVSS, CVSSv3, URL, ZDI-20-111 | Exploits | This strike exploits a SQL injection vulnerability in Cisco Data Center Network Manager. The vulnerability is due to insufficient input validation when processing HTTP requests within the 'getConfigTemplateFileName' method of the 'ConfigTemplateHandler' Java class. An authenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the target server. Successful exploitation could result in code execution under the security context of the database process. |
| 7.2 | E20-0rtu1 | CVE-2019-1458, CVSS, CVSSv3, URL, URL | Exploits | This strike exploits a vulnerability in the Windows win32k kernel driver caused by improperly initialized objects in memory. A remote attacker could successfully exploit the vulnerability to execute arbitrary code or cause a denial of service by enticing a user to execute a PE binary file. Note: this exploit was used in the 'WizardOpium' malware operation to gain higher privileges on infected machines. |
| 6.8 | E20-134c1 | CVE-2020-6092, CVSS, CVSSv3, URL | Exploits | A use-after-free vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155 due to incorrect manipulation of objects in memory. An attacker may execute arbitrary code on a victim's system by enticing the victim to open a crafted PDF file. Successful exploitation may lead to remote code execution with the privileges of the user running the application. |
| 4.3 | E20-5k5t1 | CVE-2018-13329, CVSS, CVSSv3, URL | Exploits | This strike exploits a vulnerability in the TerraMaster NAS device. This device allows an attacker to inject JavaScript in the URL because it does not properly validate requests for pages that do not exist. It is possible for an attacker to perform a reflected XSS attack by injecting JavaScript into the requested URL. |

Defects Resolved

| Ticket | Info |
| --- | --- |
| ATIBPS-16858 | The single downlink packet at the end of the uplink IMIX superflows has been removed. |
| ATIBPS-16675 | The default value for TLS Min Version was changed to TLSv1.2. |
| ATIBPS-16813 | Strike G09-5qp01 has been marked as deprecated. |
| ATIBPS-16867 | Fixed the duplicate Date header in the response of Strike E18-0n6r1. |