ATI Update ATI-2020-20

New Superflows (5)

Name | Category | Info
DNS Query Response With Conditional Request | Distributed Computing | This is a simple DNS query and response for an A record with a conditional request. The conditional request matches on the \x01\x00 bytes to identify the DNS query message from the client.
HTTP Single GET with Standard Response Size 512K | Testing and Measurement | Simulates a scenario where the client sends a single GET request to the server and the server sends a 200 OK response with a standard 512 KB file.
Netflix Client Get 15secs Movie | Voice/Video/Media | This simulates Netflix video streaming where the client requests a 15-second movie from the server.
WhatsApp 512KB | Chat/IM | This simulates the WhatsApp messaging application. The user signs in and sends a message of 512 KB in size.
Youtube MP4 720p | Voice/Video/Media | This plays a 30-second YouTube MP4 video with 720p resolution at 2508 kbit/s.

New Security Tests (1)

Name | Info
RIG EK GandCrab Oct 2020 Campaign | This strikelist contains 5 strikes simulating the 'RIG EK GandCrab Oct 2020 Campaign'.

1. The first strike simulates the visit to the RIG exploit kit page; the server replies with an HTTP redirect link to the next exploit page.
2. The second strike simulates the download of the CVE-2016-0189 file used by the RIG exploit kit.
3. The third strike simulates the download of the CVE-2018-4878 file used by the RIG exploit kit.
4. The fourth strike simulates the download of the encrypted GandCrab malware.
5. The fifth strike simulates the traffic that occurs after the execution of the GandCrab malware. The victim issues an HTTP GET request to the C2 server without any information being exfiltrated. This request is not malicious.

It contains the following sequence of strikes:
1) /strikes/botnets/apt/rig_ek_gandcrab_oct_2020_campaign/rig_ek_gandcrab_oct_2020_campaign_gate.xml
2) /strikes/malware/apt/rig_ek_gandcrab_oct_2020_campaign/malware_df0fc71b70cc21caec43f4f7f495bb4a1e610249.xml
3) /strikes/malware/apt/rig_ek_gandcrab_oct_2020_campaign/malware_d11f6dd0338946828c238e62dba3b79d8e0b8692.xml
4) /strikes/malware/apt/rig_ek_gandcrab_oct_2020_campaign/malware_36164eee39cbb47247c5fff3e1788f7e80993943.xml
5) /strikes/botnets/apt/rig_ek_gandcrab_oct_2020_campaign/rig_ek_gandcrab_oct_2020_campaign_command_control.xml

# | Strike ID | Name | Description
1 | B20-55i01 | RIG EK GandCrab Oct 2020 Campaign - Gate.php page | This strike simulates the 'RIG EK GandCrab Oct 2020 Campaign - Gate.php page' traffic that occurs when a user visits the exploit kit's page.
2 | M20-qcy02 | RIG EK GandCrab Oct 2020 Campaign - CVE-2016-0189 Exploit Malware File Transfer | This strike simulates the download of the CVE-2016-0189 HTML exploit malware via an HTTP GET request.
3 | M20-2yu01 | RIG EK GandCrab Oct 2020 Campaign - CVE-2018-4878 Exploit Malware File Transfer | This strike simulates the download of the CVE-2018-4878 exploit malware via an HTTP GET request.
4 | M20-ubq01 | RIG EK GandCrab Oct 2020 Campaign - GandCrab Malware File Transfer | This strike simulates the download of the encrypted GandCrab malware via an HTTP GET request.
5 | B20-ifs01 | RIG EK GandCrab Oct 2020 Campaign - Command and Control | This strike simulates the 'RIG EK GandCrab Oct 2020 Campaign - Command and Control' traffic that occurs after executing the GandCrab malware. The victim sends an HTTP GET request without any HTTP body data to the attacker.

New Strikes (6)

CVSS | ID | References | Category | Info
9.8 | E20-13h11 | CVE-2020-6549, CVSS, CVSSv3, CWE-416, GOOGLE-2063 | Exploits | This strike exploits a vulnerability in Google Chrome. Specifically, a use-after-free condition occurs when the MediaElementEventListener::UpdateSources function is invoked in a specific manner. When this happens, a denial of service condition, or potentially remote code execution, may occur.
9.3 | E20-0zk02 | CVE-2020-1472, CVSS, CVSSv3, CWE-269, URL | Exploits | This strike exploits the vulnerability known as 'Zerologon'. This privilege escalation vulnerability is due to the insecure usage of AES-CFB8 encryption for Netlogon sessions in the Microsoft Netlogon Remote Protocol (MS-NRPC). This is the SMB version of the Zerologon strike. A remote (same LAN) unauthenticated attacker can exploit this vulnerability to impersonate the identity of any machine on the network when authenticating to the Domain Controller, which may result in the complete takeover of a Windows domain.
9.0 | E20-11ny1 | CVE-2020-4206, CVSS, CVSSv3, CWE-20 | Exploits | This strike exploits a command injection vulnerability in IBM Spectrum Protect Plus. The vulnerability is due to a lack of input sanitization for injection or invalid characters in the timezone parameter. When an attacker sends an HTTP POST request to the "/emi/api/changetimezone" URI, command execution can occur.
7.8 | D20-a4p31 | CVE-2020-26567, CVSS, CVSSv3, CWE-284 | Denial | This strike exploits a vulnerability in D-Link Wireless N Unified Service Routers (DSR-250N) 3.12 that can cause a denial of service. The device allows unauthenticated attackers on the same local network to execute a CGI script that reboots the device; the attack can be triggered without authentication.
5.0 | E20-5nyw1 | CVE-2018-18264, CVSS, CVSSv3, CWE-306 | Exploits | This strike exploits an information disclosure vulnerability in Kubernetes Dashboard. The vulnerability allows unauthorized access to the kubernetes-dashboard-certs secret object. When an HTTP GET request is sent to /api/v1/secret/kube-system/kubernetes-dashboard-certs, access to the kubernetes-dashboard-certs object is not restricted and the server responds with the TLS certificate and private key.
4.3 | E20-9w031 | CVE-2020-15299, CVSS, CVSSv3, CWE-79, URL | Exploits | This strike exploits a reflected cross-site scripting vulnerability in the KingComposer plugin through 2.9.4 for WordPress. The vulnerability takes advantage of the kc-online-preset-data parameter to send base64-encoded JavaScript. A remote, unauthenticated attacker can exploit this vulnerability by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset. If an attacker base64-encodes a malicious payload and tricks a victim into sending a request containing it in the kc-online-preset-data parameter, the payload is decoded and executed in the victim's browser.

Modified Strikes

ID | Info
E20-0zk01 | The CVE-2020-1472 ('ZeroLogon') strike, which sets the DC password to all zeros, is now a verified strike. Running this strike in one-arm mode against a real DC will set the password to all zeros. Note: the DC name needs to be HYDRA-DC.

Defects Resolved

Ticket | Info
ATIBPS-10140 | Fixed the issue where the simulated HTTPS alert messages were not properly encrypted.
ATIBPS-16865 | Fixed the SMB protocol prepending three 0x00 bytes before the data when sending a file.
ATIBPS-16868 | Fixed the miscalculation of Credential Length when the RPC protocol runs through NAT (from 0x2f to 0x30).