Ixia ATI Update ATI-2020-06 (383153)

New Protocols & Applications (1)

Name: Pastebin
Category: Data Transfer/File Sharing
Info: Pastebin is a website where a user can store any text online for easy sharing. The website is mainly used by programmers to store pieces of source code or configuration information, but anyone can paste any type of text. The idea behind the site is to make it more convenient for people to share large amounts of text online.

New Super Flows (1)

Name: Pastebin Create Paste
Category: Data Transfer/File Sharing
Info: This Super Flow simulates the creation of a new paste on the Pastebin website.

New Tests (3)

Name: Andariel-2017 Campaign Scenario - 1
Info: Canned test simulating the Andariel-2017 attack scenario, as described in https://global.ahnlab.com/global/upload/download/techreport/%5BAhnLab%5DAndariel_a_Subgroup_of_Lazarus%20(3).pdf.

It sends 2 strikes in the following sequence:

1. M20-An3401 - Andariel-2017 'Rifdoor' File transfer: This strike simulates the network transfer of the Andariel-2017 'Rifdoor' module.
2. B20-An47a1 - Andariel-2017 'Rifdoor' Command-and-Control: This strike simulates Andariel-2017 Command and Control traffic after installing the 'Rifdoor' module.

This simulates the installation of the 'Rifdoor' malware and a subsequent attempt to report the successful infection to the Command-and-Control server.

Name: Andariel-2019 Infection Procedure - 1
Info: Canned test simulating Andariel-2019 Infection Procedure - 1.

It sends 5 strikes in the following order:

1. E17-3cn31 - Oracle WebLogic Server WorkContextXmlInputAdapter Insecure Deserialization - RCE: An insecure deserialization vulnerability was found in Oracle WebLogic Server due to insufficient validation of serialized XML data. The vulnerability can be exploited by sending a specially crafted serialized object. Successful exploitation can result in arbitrary code execution in the context of the user running WebLogic.
2. M20-An1371 - Andariel-2019 'ApolloZeus Loader' File transfer: This strike simulates the network transfer of the Andariel-2019 'ApolloZeus Loader' module.
3. B20-An5d31 - Andariel-2019 'ApolloZeus Loader' Command and control: This strike simulates Andariel-2019 Command and Control traffic after installing the 'ApolloZeus Loader' module. The strike sends data over TCP port 443; although many packet capture tools such as Wireshark will label this 'encrypted data', it is not SSL-encrypted data. These are encrypted/encoded command-and-control exchanges, but they are not SSL.
4. M20-An16c1 - Andariel-2019 'Signed Proto Downloader' File transfer: This strike simulates the network transfer of the Andariel-2019 'Signed Proto Downloader' module.
5. B20-An0c41 - Andariel-2019 'proto' Command and control: This strike simulates Andariel-2019 Command and Control traffic after installing the 'proto' module, by sending the Base64-encoded host MAC address.

These strikes simulate the following actions:
- Attack against a vulnerable WebLogic Server
- Download and installation of the 'ApolloZeus Loader' module
- Download and installation of the 'Signed Proto Downloader' module

Name: Andariel-2019 Infection Procedure - 2
Info: Canned test simulating Andariel-2019 Infection Procedure - 2.

It sends 5 strikes in the following order:

1. E17-3cn31 - Oracle WebLogic Server WorkContextXmlInputAdapter Insecure Deserialization - RCE: An insecure deserialization vulnerability was found in Oracle WebLogic Server due to insufficient validation of serialized XML data. The vulnerability can be exploited by sending a specially crafted serialized object. Successful exploitation can result in arbitrary code execution in the context of the user running WebLogic.
2. M20-An1371 - Andariel-2019 'ApolloZeus Loader' File transfer: This strike simulates the network transfer of the Andariel-2019 'ApolloZeus Loader' module.
3. B20-An5d31 - Andariel-2019 'ApolloZeus Loader' Command and control: This strike simulates Andariel-2019 Command and Control traffic after installing the 'ApolloZeus Loader' module. The strike sends data over TCP port 443; although many packet capture tools such as Wireshark will label this 'encrypted data', it is not SSL-encrypted data. These are encrypted/encoded command-and-control exchanges, but they are not SSL.
4. M20-An7441 - Andariel-2019 'Signed Rifdoor' File transfer: This strike simulates the network transfer of the Andariel-2019 'Signed Rifdoor' module.
5. B20-An0981 - Andariel-2019 'Signed Rifdoor' Command and control: This strike simulates Andariel-2019 Command and Control traffic after installing the 'Signed Rifdoor' module. The strike sends data over TCP port 443; although many packet capture tools such as Wireshark will label this 'encrypted data', it is not SSL-encrypted data. These are encrypted/encoded command-and-control exchanges, but they are not SSL.

These strikes simulate the following actions:
- Attack against a vulnerable WebLogic Server
- Download and installation of the 'ApolloZeus Loader' module
- Download and installation of the 'Signed Rifdoor' module

New Strikes (14)

Note: The 4 new malware entries from the Andariel campaigns shown below are not part of the New Strikes list when installing this ATI strikepack.

CVSS: 9.0
ID: E20-100s1
References: CVSS-9.0 (AV:N/AC:L/AU:N/C:P/I:P/A:C); CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; EXPLOITDB-46684; URL
Category: Exploits
Info: An OS command injection vulnerability exists in Dell KACE K1000 versions before 6.4.120822, due to a lack of sanitization of user-supplied data. By sending a crafted 'kuid' parameter in an HTTP request to '/service/krashrpt.php', a remote unauthenticated attacker may execute arbitrary OS commands as the user 'www'.

CVSS: 9.0
ID: E20-10pg1
References: CVE-2019-0193; CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C); CVSSV3-7.2 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H; URL
Category: Exploits
Info: This strike exploits a script injection vulnerability in Apache Solr via the "dataConfig" parameter of the DataImportHandler module. The DataImportHandler (DIH) module allows the user to pull in data from databases and other sources. The "dataConfig" parameter allows the entire DIH configuration to be specified as a request parameter. Since a DIH configuration can contain scripts, this allows an attacker to construct a malicious request to the server. Successful exploitation results in code execution in the context of the user running the Apache Solr service.

CVSS: 7.5
ID: E20-14zq1
References: CVE-2020-8518; CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P); CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; EXPLOITDB-48215
Category: Exploits
Info: A PHP code injection vulnerability exists in Horde Groupware Webmail Edition 5.2.22 due to a lack of sanitization of user-supplied data. Remote authenticated attackers may send a crafted 'quote' parameter in an HTTP request to 'mnemo/data.php' to achieve PHP code execution.

CVSS: 7.5
ID: E20-10e31
References: CVE-2020-2555; CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P); CVSSV3-9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; URL; ZDI-20-128
Category: Exploits
Info: This strike exploits an insecure deserialization vulnerability in the Oracle Coherence library, which is used in popular products such as Oracle WebLogic Server. The Coherence library is a key Oracle component for implementing highly reliable and scalable cluster computing. The vulnerability is a result of insufficient validation of T3 requests: the server allows deserialization of classes in objects embedded in T3 protocol messages. Successful exploitation leads to remote code execution in the context of the user running the Oracle WebLogic service.

CVSS: 6.8
ID: E20-mx8m1
References: CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P); CVSSV3-8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; URL
Category: Exploits
Info: This strike exploits a virtualenv variable path loading vulnerability in Microsoft Visual Studio Code. Specifically, the vulnerability is due to how VSCode selects and loads the virtualenv from a project folder. The project folder is loaded without further user interaction; the user only needs to click on the Python .py file for the code to execute. By adding a malicious folder to the workspace and opening a Python file inside the project, the code added to run inside the extension will execute. The project zip package included in this strike will prompt the user to install an extension in order to run. Once it is installed, clicking the Python file will launch the calculator app on macOS.

CVSS: 4.3
ID: E20-13de1
References: CVE-2020-6418; CVSS-4.3 (AV:N/AC:M/AU:N/C:N/I:N/A:P); CVSSV3-6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H; URL
Category: Exploits
Info: A type confusion vulnerability exists in the V8 JavaScript engine in Google Chrome prior to 80.0.3987.122. The vulnerability may be triggered by changing array element types (e.g. from SmallInteger to Double) after optimization takes place. By successfully exploiting this flaw, an attacker can execute arbitrary code in the context of Chrome's 'renderer' process.

ID: B20-An47a1
Category: Botnets
Info: This strike simulates Andariel-2017 Command and Control traffic after installing the 'Rifdoor' module.

ID: B20-An5d31
Category: Botnets
Info: This strike simulates Andariel-2019 Command and Control traffic after installing the 'ApolloZeus Loader' module.

ID: B20-An0981
Category: Botnets
Info: This strike simulates Andariel-2019 Command and Control traffic after installing the 'Signed Rifdoor' module.

ID: B20-An0c41
Category: Botnets
Info: This strike simulates Andariel-2019 Command and Control traffic after installing the 'proto' module.

ID: M20-An1371
Category: Malware
Info: This strike simulates the network transfer of the Andariel-2019 'ApolloZeus Loader' module.

ID: M20-An16c1
Category: Malware
Info: This strike simulates the network transfer of the Andariel-2019 'Signed Proto Downloader' module.

ID: M20-An7441
Category: Malware
Info: This strike simulates the network transfer of the Andariel-2019 'Signed Rifdoor' module.

ID: M20-An3401
Category: Malware
Info: This strike simulates the network transfer of the Andariel-2017 'Rifdoor' module.

Defects Resolved

Ticket: ATIBPS-16560
Info: Fix the HTTP parameter name for the strike for CVE-2019-16759.