Name | Category | Info |
---|---|---|
Threema | Chat/IM | Threema is an end-to-end encrypted instant messaging application available for iOS and Android. The software is based on the privacy by design principles and the service doesn't require users to provide a phone number or any other personally identifiable information. Threema is developed by the Swiss company Threema GmbH. |
Viber Jul20 | VoIP | Rakuten Viber, or simply Viber, is a cross-platform voice over IP (VoIP) and instant messaging (IM) software application. Users are registered and identified through a cellular telephone number, although the service is accessible on desktop platforms without needing mobile connectivity. In addition to instant messaging it allows users to exchange media such as images and video records. |
Name | Category | Info |
---|---|---|
Facebook Watch Video (Mobile) | Voice/Video/Media | This is a simulation of Facebook Video streams in the mobile client app. The video streams are shared on Facebook Pages and the Facebook Watch platform. They are commonly used for public distribution of media content and appear on users' Home screens with the auto-play feature. This simulation consists of 4 video streams delivered from Facebook CDNs using a proprietary implementation of DASH technology over TLS. |
Threema Chat | Chat/IM | This is a simulation of a chat between two users of the Threema mobile app. The number of messages in the chat and the chat type are configurable. The chat occurs through a Threema chat server that forwards messages to the intended recipients. Only the communication protocol between a Threema mobile client and a Threema chat server is covered in this simulation. The chat server acknowledges every message received from the Threema mobile client. Conversely, the Threema mobile client acknowledges every message received from the user's correspondent, forwarded by the Threema chat server. |
Threema Message Exchange | Chat/IM | This is a simulation of a message exchange between two users of Threema mobile app. The exchange occurs through a Threema chat server that forwards messages to the intended recipients. Only the communication protocol between a Threema mobile client and a Threema chat server is covered in this simulation. The chat server acknowledges every message received from the Threema mobile client. Conversely, the Threema mobile client acknowledges every message received from the user's correspondent, forwarded by the Threema chat server. |
Viber Jul20 Chat | Chat/IM | Simulates the use of the chat functionality. A user logs into the Viber desktop client, sends and receives messages, stickers and photos, and then logs out. |
Zoom Meeting Audio-Only | Voice | This is a simulation of the Zoom Conference Meeting (version >= 4.6) application with two users: User-1 with a mobile client, and User-2 with a PC client. User-1 hosts the meeting; User-2 joins the meeting and initiates an audio call lasting 15 seconds. |
Zoom Meeting Audio/Video | Voice/Video/Media | This is a simulation of the Zoom Conference Meeting (version >= 4.6) application with two users: User-1 with a mobile client, and User-2 with a PC client. User-1 hosts the meeting; User-2 joins the meeting and initiates a video call (with audio) lasting 15 seconds. |
Name | Info |
---|---|
LokiBot Oct 2017 Malware Campaign | This strikelist contains 3 strikes simulating the 'LokiBot Oct 2017 Malware Campaign'. 1. The first strike sends a phishing email with a malicious Word document attachment. 2. The second strike simulates the download of the LokiBot malware. Once a user has opened the malicious document in the phishing email, LokiBot malware is downloaded via an HTTP GET request. 3. In the third strike, the victim issues an HTTP POST request containing host info such as the hostname. The attacker replies with 404 File Not Found. This client-server communication occurs 3 times. It contains the following sequence of strikes: 1) /strikes/phishing/lokibot_order_detail_subject_phishing_email.xml 2) /strikes/malware/apt/lokibot_oct_2017_campaign/lokibot_oct_2017_campaign_hta_filetransfer.xml 3) /strikes/botnets/apt/lokibot_oct_2017_campaign/lokibot_oct_2017_campaign_lokibot_command_control.xml |
CVSS | ID | References | Category | Info |
---|---|---|---|---|
10.0 | E20-0zgm1 | CVE-2020-1350, CVSS, CVSSv3, URL | Exploits | This strike exploits an integer overflow vulnerability in Microsoft DNS Server. This vulnerability is due to improper validation of Resource Records within a Dynamic Update DNS query. An attacker could exploit this vulnerability by sending a crafted Dynamic Update DNS query to the target server. NOTE: This form of direct attack requires the target server to have Dynamic Updates enabled for the domain used in the exploit. Successful exploitation could lead to remote code execution in the context of Domain Administrator. |
10.0 | E20-14ks1 | CVE-2020-7980, CVSS, CVSSv3, URL | Exploits | A remote command injection vulnerability exists in Intellian Aptus Web due to lack of user authentication when handling HTTP CGI requests. By sending a crafted JSON file with a POST request, a remote unauthenticated attacker may execute arbitrary system commands as the system's superuser. |
10.0 | E20-12z21 | CVE-2020-5902, CVSS, CVSSv3, EXPLOITDB-48642, EXPLOITDB-48643 | Exploits | This strike exploits a directory traversal vulnerability in multiple F5 BIG-IP products. The vulnerability is due to improper handling of user-supplied paths in HTTP requests. A remote, unauthenticated attacker could exploit this by sending a maliciously crafted request to the server. A successful attack may result in arbitrary file read, file write or remote code execution in the security context of ROOT. |
9.0 | E20-11k41 | CVSS, CVSSv3, EXPLOITDB-48676 | Exploits | A remote code execution vulnerability exists in Wing FTP Server due to lack of user input sanitization for the Lua Console feature. By sending a crafted 'command' POST parameter, an authenticated user could execute arbitrary commands as the superuser. |
9.0 | E20-5k6m1 | CVE-2018-13358, CVSS, CVSSv3, URL | Exploits | This strike exploits a vulnerability in the TerraMaster NAS device. The device allows command line arguments to be passed to the system during the creation of a user but does not properly validate the arguments passed via the checkName parameter. It is possible to execute system commands as the root user on a vulnerable device. |
9.0 | E20-7rdc1 | CVE-2019-15984, CVSS, CVSSv3, URL, ZDI-20-111 | Exploits | This strike exploits a SQL injection vulnerability in Cisco Data Center Network Manager. The vulnerability is due to insufficient input validation when processing HTTP requests within the 'getConfigTemplateFileName' method of the 'ConfigTemplateHandler' Java class. An authenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the target server. Successful exploitation could result in code execution under the security context of the database process. |
7.2 | E20-0rtu1 | CVE-2019-1458, CVSS, CVSSv3, URL, URL | Exploits | This strike exploits a vulnerability in the Windows win32k kernel driver caused by improperly initialized objects in memory. A remote attacker could successfully exploit the vulnerability to execute arbitrary code or cause a denial of service by enticing a user to execute a PE binary file. Note: this exploit was used in the 'WizardOpium' malware operation to gain higher privileges on the infected machines. |
6.8 | E20-134c1 | CVE-2020-6092, CVSS, CVSSv3, URL | Exploits | A use-after-free vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155 due to incorrect manipulation of objects in memory. An attacker may execute arbitrary code on a victim's system by enticing the victim to open a crafted PDF file. Successful exploitation may lead to remote code execution with the privileges of the user running the application. |
4.3 | E20-5k5t1 | CVE-2018-13329, CVSS, CVSSv3, URL | Exploits | This strike exploits a vulnerability in the TerraMaster NAS device. The device allows an attacker to inject JavaScript in the URL because it does not properly validate requests for pages that do not exist. It is possible for an attacker to perform a reflected XSS attack by injecting JavaScript into the requested URL. |
Ticket | Info |
---|---|
ATIBPS-16858 | The single downlink packet has been removed at the end of the uplink IMIX superflows. |
ATIBPS-16675 | Default value for TLS Min Version was changed to TLSv1.2. |
ATIBPS-16813 | Strike G09-5qp01 has been marked as deprecated. |
ATIBPS-16867 | Fixed a duplicate Date header in the response of Strike E18-0n6r1. |