ATI Update ATI-2020-22

New Protocols & Applications (4)

| Name | Category | Info |
|---|---|---|
| lis2a2 | Data Transfer/File Sharing | Simulates the transfer of information between clinical laboratory instruments and information systems, as published by the Clinical and Laboratory Standards Institute. |
| Microsoft Teams Nov20 | Chat/IM | Microsoft Teams is a collaborative application for team communication and file sharing. The service is available via a web browser, a desktop app, or a mobile app for iOS and Android. |
| RSYNC V31 | Remote | Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon. It is famous for its delta-transfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination. |
| t38 | Data | T.38 is an ITU recommendation that allows transmission of fax over IP networks (FoIP) in real time. |

New Superflows (10)

| Name | Category | Info |
|---|---|---|
| Lis2-A2 | Data Transfer/File Sharing | Simulates the scenario where a TCP connection is established between sender and receiver. The sender sends header and patient record messages. The receiver sends an acknowledgement for every message it receives. |
| LIS2-A2 Over TLS | Data Transfer/File Sharing | Simulates the scenario where a TCP connection is established between sender and receiver. The sender sends header and patient record messages over TLS. The receiver sends an acknowledgement for every message it receives. |
| Microsoft Teams Nov 20 Chat | Chat/IM | Simulates a Microsoft Teams user logging in to the app, chatting with a peer, then logging out. |
| Microsoft Teams Nov 20 Screenshare | Chat/IM | Simulates a Microsoft Teams user logging in to the app, sharing their screen with a peer, then logging out. |
| Microsoft Teams Nov 20 Video Call | Chat/IM | Simulates a Microsoft Teams user logging in to the app, making a video call with a peer, then logging out. |
| RSYNC Download File | Remote Access | Simulates the download of a file from a remote machine to a local machine using Rsync with authentication. |
| RSYNC Modules List | Remote Access | Simulates the Rsync 'rsync-list-modules' command flow. |
| RSYNC Unknown Module Error | Remote Access | Simulates an Rsync command being called on a module that does not exist on the remote machine. |
| RSYNC Upload File | Remote Access | Simulates the upload of a file from a local machine to a remote machine using Rsync with authentication. |
| T.38 Fax Protocol | Data | Simulates the T.38 fax protocol over UDPTL. A call is first established over SIP, where parameters such as the port for T.38 are negotiated. The connection then switches to T.38, where the caller and the receiver exchange fax data. |

New Security Tests (1)

| Name | Info |
|---|---|
| LooCipher Nov 2020 Campaign | This strikelist contains 3 strikes simulating the 'LooCipher Nov 2020 Campaign'. |

1. The first strike simulates the download of the malicious Word document.
2. The second strike simulates the download of the 'LooCipher' ransomware after the execution of the malicious Word document.
3. The third strike simulates the traffic that occurs after executing the 'LooCipher' ransomware executable. The victim sends an HTTP GET request to the attacker, and the attacker replies with the victim's public IP address. Next, the victim sends an HTTP GET request to the attacker containing information such as the victim's IP address, the victim identifier, and the obfuscated encryption key.

It contains the following sequence of strikes:
1) /strikes/malware/apt/loocipher_nov_2020_campaign/malware_2551e34c72e928f615aeba3b7c2a099b3adcb84e.xml
2) /strikes/malware/apt/loocipher_nov_2020_campaign/malware_7e1dc07f454cc615e36830a29e82694934840af0.xml
3) /strikes/botnets/apt/loocipher_nov_2020_campaign/loocipher_nov_2020_loocipher_command_control.xml

| # | Strike ID | Name | Description |
|---|---|---|---|
| 1 | M20-g9401 | LooCipher Nov 2020 Campaign - Word Malware File Transfer | This strike simulates the download of the Word malware via an HTTP GET request. |
| 2 | M20-vjd01 | LooCipher Nov 2020 Campaign - LooCipher Ransomware File Transfer | This strike simulates the download of the LooCipher ransomware via an HTTP GET request. |
| 3 | B20-0ps01 | LooCipher Nov 2020 Campaign - LooCipher Command and Control | This strike simulates the 'LooCipher Nov 2020 Campaign - LooCipher Command and Control' traffic that occurs after executing the LooCipher ransomware. |

New Strikes (7)

| CVSS | ID | References | Category | Info |
|---|---|---|---|---|
| 10.0 | E20-a4xr1 | CVE-2020-26879, CVSS, CVSSv3, CWE-798, URL | Exploits | An authentication bypass vulnerability exists in Ruckus IoT Controller 1.5.1.0.21 and prior. The vulnerability is due to a hardcoded token that is accepted when the 'Authorization' HTTP header has a specific value. By sending a crafted HTTP request, a remote attacker may obtain unauthorized access to the device. |
| 10.0 | E20-0o5g2 | CVE-2018-6692, CVSS, CVSSv3, CWE-787, URL | Exploits | This strike exploits a buffer overflow vulnerability in the Belkin Wemo Smart Plug. Specifically, a stack buffer overflow occurs inside the WemoApp libUPnPHndlr.so library. When an attacker sends a UPnP packet with a specially crafted EnergyPerUnitCostVersion field, a crash may occur. It is possible to execute code remotely on the compromised device as the root user, and because the device uses UPnP it is also possible to use the device to attack and control other smart devices such as TVs. |
| 10.0 | E20-9voi1 | CVE-2020-14882, CVSS, CVSSv3, CWE-20, EXPLOITDB-48971 | Exploits | This strike exploits a remote code execution vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). The vulnerability is due to improper sanitization of user-supplied data sent via HTTP. A remote, unauthenticated attacker could exploit this by sending a maliciously crafted request to the server. A successful attack may result in arbitrary command execution in the context of the server process. |
| 9.0 | E20-a4xq1 | CVE-2020-26878, CVSS, CVSSv3, CWE-862, URL | Exploits | An OS command injection vulnerability exists in Ruckus IoT Controller 1.5.1.0.21 and prior due to a lack of user input validation. The vulnerability exists in the '/service/v1/createUser' endpoint, which is in charge of creating new users. By sending crafted HTTP POST data, a remote authenticated attacker may execute arbitrary OS commands as the root user. |
| 7.5 | E20-9xpe3 | CVE-2020-17506, CVSS, CVSSv3, CWE-89 | Exploits | This strike exploits an SQL injection vulnerability in Artica Web Proxy. This vulnerability is due to improper validation of the apikey parameter of the fw.login.php page. An attacker can send a crafted HTTP request with SQL commands in the vulnerable parameter, allowing remote code execution to occur. |
| 6.4 | E20-9se31 | CVE-2020-10619, CVSS, CVSSv3, CWE-22, URL, ZDI-20-379 | Exploits | An arbitrary file overwrite vulnerability has been identified in Advantech WebAccess NMS. The vulnerability is caused by the lack of proper input sanitisation on file paths within the saveBackground servlet. The vulnerability can be exploited by sending a specially crafted request, allowing the attacker to delete arbitrary files. |
| 5.0 | E20-14qp1 | CVE-2020-8193, CVSS, CVSSv3, CWE-284, URL | Exploits | An authorization bypass vulnerability exists in Citrix Application Delivery Controller (ADC) and Gateway. This vulnerability can be triggered by calling the function report() in the PHP script pcidss.php. The flaw may be exploited by an unauthenticated attacker to access certain protected URL endpoints. |

Enhancements

| Component | Info |
|---|---|
| Security | Added the IoT and ICS keywords and labeled all required strikes. |
| NewStrikeList | A new strike list for Industrial Control Systems (ICS), containing strikes for HMI, SCADA, M2M, etc. |
| NewStrikeList | A new strike list for IoT, which includes strikes that affect IoT devices and their ecosystem, containing strikes for cameras, MQTT, point-of-sale devices, etc. |

Defects Resolved

| Ticket | Info |
|---|---|
| ATIBPS-17107 | Fixed protocol meta information for phishing strikes that specified TCP instead of SMTP. |
| ATIBPS-17032 | Strike E20-157e was marked as deprecated. |
| ATIBPS-17092 | Fixed the malformed RDP packet bug. A fresh pcap is now captured when running the "Remote Desktop Superflow". Also fixed the success code of the ConferenceCreateResponse result to "0". |
| ATIBPS-16981 | Fixed the bug where the RFC 7753 Port Control Protocol Option Header had wrong padding. The null byte(s) are now padded correctly in the Option Header as per RFC 6887, section 7.3 (Option Length). |