ATI Update ATI-2020-24

New Protocols & Applications (6)

Name Category Info
CN/IP ICS CN/IP is a standard defined in EIA/CEA-852. It is designed to allow routing of component network frames such as LON over UDP and TCP.
DLMS ICS DLMS (Device Language Message Specification), originally Distribution Line Message Specification (IEC 62056-5-3), is an application layer specification designed for data exchange with metering equipment.
Gab Dec20 Social Networking Gab is a social networking platform. It allows users to post and view content.
Gaode Maps Dec20 Search Gaode Maps is a Chinese maps and navigation website. It allows users to search a location and find a route from source to destination.
HBOMax Dec20 Voice/Video/Media HBO Max is a subscription video on demand streaming service. It allows users to search for and watch videos.
Tencent Video Nov20 Voice/Video/Media Tencent Video is a Chinese video website. It allows users to view, upload, comment, rate and share videos.

New Superflows (14)

Name Category Info
CN/IP Message Exchange ICS Simulates user given data bytes or random bytes encapsulated in CN/IP Data Packets being sent through the connection.
Device Language Message Specification (DLMS) ICS Simulates the scenario where a COSEM client requests a particular data item from the COSEM server by specifying the class and its attribute id, and the COSEM server replies with the value.
DLMS Clock Time Object Fetch ICS Simulates the scenario where the COSEM client requests the meter's time value from the COSEM server, and the COSEM server replies with the requested date and time.
DLMS over TLS ICS Simulates the scenario where a COSEM client requests a particular data item from the COSEM server over TLS by specifying the class and its attribute id, and the COSEM server replies with the value.
DNS over HTTP2 (IPv6) System/Network Admin The client sends a DNS query with record type AAAA (IPv6) over HTTP2 to the server. The server replies with an HTTP response that contains a DNS message with a single resolved IP address. The communication is over HTTP2 and TLS as defined in RFC 8484.
Gab Dec 20 Social Networking/Search Simulates the use of the Gab website as of December 2020. The user opens the website, logs in, browses news feed, posts a status and logs out.
Gab Dec 20 Post Status Social Networking/Search Simulates the use of the Gab website as of December 2020. The user opens the website, logs in, posts a status and logs out.
Gab Dec 20 Read News Feed Social Networking/Search Simulates the use of the Gab website as of December 2020. The user opens the website, logs in, browses news feed and logs out.
Gaode Maps Dec20 Social Networking/Search Simulates Gaode Maps as of December 2020. The user opens the website, searches for a location and finds a route from source to destination.
HBOMax Dec 20 Voice/Video/Media Simulates the use of the HBOMax website as of December 2020. The user opens the website, logs in, selects a viewer profile, searches for a movie, selects a movie, plays the movie, pauses the movie, resumes the movie and logs out.
HBOMax Dec 20 Browse Movies Voice/Video/Media Simulates the use of the HBOMax website as of December 2020. The user opens the website, logs in, selects a viewer profile, searches for a movie and logs out.
LonTalk over CN/IP ICS Simulates LonTalk traffic encapsulated in CN/IP data packets.
Tencent Video Nov20 Voice/Video/Media Simulates Tencent Video as of November 2020. The user opens the website, browses through the video lists, searches for videos and plays videos.
Tencent Video Nov20 Authentication Voice/Video/Media Simulates Tencent Video Authentication as of November 2020.

New Security Tests (1)

Name Info
IcedID Dec 2020 Campaign This strikelist contains 7 strikes simulating the 'IcedID Dec 2020 Campaign'.

1. The first strike simulates the download of the Word malware.
2. The second strike simulates the download of the IcedID Loader malware.
3. The third strike simulates the traffic that occurs after executing the 'IcedID Loader' malware executable. The victim sends an HTTP GET request to the attacker, and the attacker replies with an HTTP 200 response containing XML data that points to the next file to download.
4. The fourth strike simulates the download of the PNG First payload.
5. The fifth strike simulates the download of the IcedID malware.
6. The sixth strike simulates the download of the PNG Second payload.
7. The seventh strike simulates the traffic that occurs after executing the 'IcedID' malware executable. The victim sends an HTTP GET request to the attacker, and the attacker replies with an HTTP 101 response. Next, the victim sends a WebSocket binary message to the attacker, and the attacker replies with a WebSocket binary message. This exchange occurs 9 times.

It contains the following sequence of strikes:
1) /strikes/malware/apt/icedid_dec_2020_campaign/malware_6642cb5d474a9ed788fb5a33cc5b72c6f825c1f3.xml
2) /strikes/malware/apt/icedid_dec_2020_campaign/malware_e34c49a332c42a0c3afd0e2ff7d90311ac01aa3f.xml
3) /strikes/botnets/apt/icedid_dec_2020_campaign/icedid_dec_2020_campaign_loader_command_control.xml
4) /strikes/malware/apt/icedid_dec_2020_campaign/malware_452bea5697110ad1bf86a3759ff00b08603d4a78.xml
5) /strikes/malware/apt/icedid_dec_2020_campaign/malware_3b72fecbabd585947cd9cf4b5d9c3795ab798d39.xml
6) /strikes/malware/apt/icedid_dec_2020_campaign/malware_c1faa9cb4aa7779028008375e7932051ee786a52.xml
7) /strikes/botnets/apt/icedid_dec_2020_campaign/icedid_dec_2020_campaign_icedid_command_control.xml

# Strike ID Name Description
1 M20-gg001 IcedID Dec 2020 Campaign - Word Malware File Transfer This strike simulates the download of the 'IcedID Dec 2020 Campaign - Word Malware' via an HTTP GET request.
2 M20-g3j01 IcedID Dec 2020 Campaign - IcedID Loader Malware File Transfer This strike simulates the download of the 'IcedID Dec 2020 Campaign - IcedID Loader' via an HTTP GET request.
3 B20-fal01 IcedID Dec 2020 Campaign - IcedID Loader Command and Control This strike simulates the 'IcedID Dec 2020 Campaign - IcedID Loader Command and Control' traffic that occurs after executing the IcedID Loader malware.
4 M20-n9a01 IcedID Dec 2020 Campaign - PNG First Payload Malware File Transfer This strike simulates the download of the 'IcedID Dec 2020 Campaign - PNG First Payload' via an HTTP GET request.
5 M20-o1201 IcedID Dec 2020 Campaign - IcedID Malware File Transfer This strike simulates the download of the 'IcedID Dec 2020 Campaign - IcedID Malware' via an HTTP GET request.
6 M20-m8601 IcedID Dec 2020 Campaign - PNG Second Payload Malware File Transfer This strike simulates the download of the 'IcedID Dec 2020 Campaign - PNG Second Payload' via an HTTP GET request.
7 B20-yi201 IcedID Dec 2020 Campaign - IcedID Loader Command and Control This strike simulates the 'IcedID Dec 2020 Campaign - IcedID Command and Control' traffic that occurs after executing the IcedID malware.

New Strikes (4)

CVSS ID References Category Info
9.0 E20-12vz1 CVE-2020-5791 CVSS CVSSv3 CWE-78 URL Exploits This strike exploits a command injection vulnerability in the 'mibs.php' script for Nagios XI. The flaw is due to insufficient validation of the file parameter in the 'mibs.php' script. The flaw may be exploited by an authenticated attacker to execute arbitrary code in the context of the Nagios user on the target server. Note: This strike assumes that the attacker is authenticated and the Cookie and NSP fields are known.
7.5 E20-9wgt1 CVE-2020-15901 CVSS CVSSv3 CWE-78 URL Exploits This strike exploits a command injection vulnerability in the 'ajaxhelper.php' script for Nagios XI. The flaw is due to insufficient validation of the opts parameter in the 'ajaxhelper.php' script. The flaw may be exploited by an authenticated attacker to execute arbitrary code in the context of the Nagios user on the target server. Note: This strike assumes that the attacker is authenticated and the Cookie and NSP fields are known.
7.5 E20-9ulw1 CVE-2020-13492 CVSS CVSSv3 CWE-20 URL Exploits This strike exploits a remote command execution vulnerability found in Apache Unomi. The vulnerability is due to the lack of input validation of Object Graph Navigation Library (OGNL) and MVEL2 expressions built from raw user input. The vulnerability can be exploited by an unauthenticated attacker crafting a malicious HTTP POST request. Successful exploitation may result in executing arbitrary code within the context of the user running the web service.
5.0 D20-9uyn1 CVE-2020-13951 CVSS CVSSv3 CWE-835 Denial This strike exploits a denial of service vulnerability in Apache OpenMeetings 4.0.0 - 5.0.0. The vulnerability is caused by a lack of rate limiting on NetTest. A remote, unauthenticated attacker can send a large number of requests to the server, resulting in network exhaustion and denial of service.

Modified Strikes

ID Info
E18-3hm81 Updated the description to add "Running this in 2-arm mode, will produce stateless traffic for DCERPC."
E20-9s303 Fixed duplicate User-Agent header.

Enhancements

Component Info
Apps Added new details about DNP3 object types in the Config File description for easier use.
StrikeList New Strike List "FireEye Stolen Red Team Tools".
FireEye has released a blog post addressing unauthorized access to their Red Team's tools by a highly sophisticated threat actor. These tools were used by FireEye to test the security of their customers. This strikelist contains strikes for the list of CVEs used by those tools, as disclosed in that blog post.

Defects Resolved

Ticket Info
ATIBPS-17161 Fixed the DNS over HTTP2 DNS query with record type AAAA. Fixed the malformed packet issue in the "DNS over HTTP2" superflow.