Ixia ATI Update ATI-2020-12

New Protocols & Applications (4)

| Name | Category | Info |
|---|---|---|
| Mail.ru Jun20 | Email/WebMail | Mail.ru Group is a Russian Internet company, started in 1998 as an e-mail service. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern web browser. |
| Ok.ru Jun20 | Social Networking/Search | Odnoklassniki (OK.ru) is a social network service for classmates and old friends, used especially in Russia and the former Soviet republics. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern web browser. |
| VKontakte Jun20 | Social Networking/Search | Simulates the use of VKontakte (VK) as of June 2020. VK is a social media/social networking platform used mostly by Russian speakers; the simulated user performs actions such as login, viewing the feed, posting a message and logout. |
| Zoom Meeting Media | Voice/Video/Media | Zoom is a popular teleconferencing application with rich messaging and multimedia features. This flow is a 2-arm simulation of the multimedia protocols used in a Zoom conference meeting. Zoom offers clients for both desktop and mobile users; the clients in this flow conform to software releases from version 4.6.11 onward. The Zoom application uses proprietary RTP technology for audio and video streams over UDP, and a proprietary stream control mechanism over TLS. This simulation allows adding an arbitrary number of users, with flexible features for various user interaction scenarios in a Zoom meeting. |

New Super Flows (15)

| Name | Category | Info |
|---|---|---|
| Mail.ru Jun20 | Email/WebMail | Simulates the use of the Mail.ru website with a web browser as of June 2020. The user logs in to an account, sends a mail, views a mail and logs out. |
| Mail.ru Jun20 Send Mail | Email/WebMail | Simulates the use of the Mail.ru website with a web browser as of June 2020. The user logs in to an account, sends a mail and logs out. |
| Mail.ru Jun20 View Mail | Email/WebMail | Simulates the use of the Mail.ru website with a web browser as of June 2020. The user logs in to an account, views a mail and logs out. |
| OK.ru Jun20 | Social Networking/Search | Simulates the use of OK.ru as of June 2020. The user logs in to OK.ru, views the feed, posts a message and logs out. |
| OK.ru Jun20 Post Message | Social Networking/Search | Simulates the use of OK.ru as of June 2020. The user logs in to OK.ru, posts a message and logs out. |
| OK.ru Jun20 View Feed | Social Networking/Search | Simulates the use of OK.ru as of June 2020. The user logs in to OK.ru, views the feed and logs out. |
| VKontakte Jun20 | Social Networking/Search | Simulates the use of VKontakte (VK) as of June 2020. The user loads the login page, logs in to the website, views the feed, posts a message and logs out. |
| VKontakte Jun20 Post Message | Social Networking/Search | Simulates the use of VKontakte (VK) as of June 2020. The user loads the login page, logs in to the website, posts a message and logs out. |
| VKontakte Jun20 View Feed | Social Networking/Search | Simulates the use of VKontakte (VK) as of June 2020. The user loads the login page, logs in to the website, views the feed and logs out. |
| Zoom Meeting Conference (2 Users) | Voice/Video/Media | Simulates a Zoom Conference Meeting (version >= 4.6) with two users: User-1 on a mobile client and User-2 on a PC client. User-1 hosts the meeting; User-2 joins it, exchanges instant messages with User-1, retrieves the message history and streams audio/video for 15 seconds. |
| HTTP Standard Response Size 64K | Testing and Measurement | Simulates a scenario where the client sends a GET request and the server answers with a 200 OK response carrying a standard 64 KB (65536-byte) payload. |
| HTTP Standard Response Size 1M | Testing and Measurement | Simulates a scenario where the client sends a GET request and the server answers with a 200 OK response carrying a standard 1 MB (1048576-byte) payload. |
| TLSv1.2 HTTP Standard Response Size 64K | Testing and Measurement | Simulates HTTP client-server communication where the server sends a 200 OK response with a standard 64 KB (65536-byte) payload. TLSv1.2 with the cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is used to encrypt the traffic. |
| TLSv1.2 HTTP Standard Response Size 1M | Testing and Measurement | Simulates HTTP client-server communication where the server sends a 200 OK response with a standard 1 MB (1048576-byte) payload. TLSv1.2 with the cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is used to encrypt the traffic. |
| Afreeca TV Jan20 Bandwidth | Voice/Video/Media | Adds the bandwidth version of the Afreeca TV Jan20 super flow. Its parameters are set for high bandwidth, for use in Sandvine profiles. |

New Application Profiles (5)

| Name | Info |
|---|---|
| BreakingPoint Sandvine 2019 EMEA Upstream | Simulates the upstream traffic generated by the top 11 applications reported in the Sandvine Global Internet Phenomena Report of September 2019 for the EMEA region. |
| BreakingPoint Sandvine 2019 EMEA Downstream | Simulates the downstream traffic generated by the top 11 applications reported in the Sandvine Global Internet Phenomena Report of September 2019 for the EMEA region. |
| BreakingPoint Sandvine 2018 APAC Upstream | Simulates the upstream traffic generated by the top 8 applications reported in the Sandvine Global Internet Phenomena Report of October 2018 for the APAC region. |
| BreakingPoint Sandvine 2018 Americas Upstream | Simulates the upstream traffic generated by the top 9 applications reported in the Sandvine Global Internet Phenomena Report of September 2018 for the Americas. |
| BreakingPoint Sandvine 2018 APAC Downstream | Simulates the downstream traffic generated by the top 10 applications reported in the Sandvine Global Internet Phenomena Report of October 2018 for the APAC region. |

New Security Tests (1)

Name: Dridex May 2020 Malware Campaign

Info: This strikelist contains 3 strikes simulating the 'Dridex May 2020 Malware Campaign'.
1. The first strike sends a phishing email with a malicious link.
2. The second strike simulates the download of the Dridex malware: once the user has opened the link in the phishing email, the Dridex malware is downloaded via an HTTP GET request.
3. In the third strike, the victim issues an HTTP GET request and the attacker replies with the base64-encoded CNC IP address and the name of a file to retrieve next. The victim then performs an HTTP GET request to download the file named in the attacker's first base64-encoded reply, and the attacker answers with a zipped VBA file. Finally the victim performs 2 CNC POST requests, both carrying unknown binary data.

It contains the following sequence of strikes:
1) /strikes/phishing/dridex_manager_subject_phishing_email.xml
2) /strikes/malware/apt/dridex_may_2020_malware_campaign/malware_f88f5dfa79a83aae6c3a5e4d417d9e184b4d0c4c.xml
3) /strikes/botnets/apt/dridex_may_2020_malware_campaign/dridex_may_2020_malware_campaign_command_and_control.xml

| # | Strike ID | Name | Description |
|---|---|---|---|
| 1 | E20-XZ24L | Dridex Manager Attachment Subject Phishing Email | This strike simulates a phishing email that has been seen in the wild pushing Dridex malware. This specific phishing attempt is related to the 'Dridex May 2020 Malware Campaign'; it tries to trick the user into clicking a malicious link by asking the victim a vague question about something received from a manager. |
| 2 | M20-j8a02 | Dridex May 2020 Malware Campaign - Dridex Malware File Transfer | This strike simulates the download of the Dridex malware via an HTTP GET request. |
| 3 | B20-dvu01 | Dridex May 2020 Malware Campaign - Command and Control | This strike simulates the 'Dridex May 2020 Malware Campaign - Command and Control' traffic that occurs after the Dridex malware executable is run. 1. The victim sends an HTTP GET request, and the attacker replies with base64-encoded data plus some unknown data; the base64-encoded data includes the CNC IP address and the name of a file to retrieve next. 2. The victim sends an HTTP GET request carrying only the base64-encoded data, and the attacker replies with a ZIP file that contains a malicious VBS file. 3. The victim sends an HTTP POST request with binary data, and the attacker replies with an HTTP 502 status. This sequence occurs 2 times. |

New Strikes (6)

| CVSS | ID | References | Category | Info |
|---|---|---|---|---|
| 9.3 | E20-0yvx1 | CVE-2020-0605 (CVSS, CVSSv3, URL) | Exploits | A code execution vulnerability exists in some versions of Microsoft .NET Framework. The vulnerability is due to insecure deserialization of XPS files by the 'XamlReader::Load()' function within 'PresentationFramework.dll'. A remote attacker could exploit this vulnerability by enticing a target user to download and open a crafted XPS file, which may result in the execution of arbitrary code. |
| 9.0 | E20-0zxg1 | CVE-2020-1956 (CVSS, CVSSv3, URL) | Exploits | A command injection vulnerability exists in Apache Kylin versions 2.3.0-2.3.2, 2.4.0-2.4.1, 2.5.0-2.5.2, 2.6.0-2.6.4 and 3.0.0. The vulnerability is due to a lack of validation of user-supplied input to the 'migrate' REST API endpoint. A remote authenticated attacker may execute arbitrary commands by sending a crafted POST request. |
| 7.6 | E20-0yxu1 | CVE-2020-0674 (CVSS, CVSSv3, URL) | Exploits | This strike exploits a vulnerability in the Microsoft Internet Explorer scripting engine. Specifically, an attacker can craft an HTML page containing a JavaScript script that creates an array of objects; the object is reassigned inside a custom sort function which then calls 'CollectGarbage()', leaving a dangling pointer and a use-after-free condition. A remote attacker could exploit this vulnerability by enticing the target user to open a specially crafted web page. Successful exploitation could lead to arbitrary code execution in the security context of the target user. |
| 6.8 | E20-13cm1 | CVE-2020-6390 (CVSS, CVSSv3, GOOGLE-2001) | Exploits | This strike exploits a vulnerability in Google Chrome. Specifically, an attacker can craft JavaScript such that, when read_requests are modified from inside the accessor, the loop's iterator becomes invalid and continuing to iterate accesses out-of-bounds memory. This can cause a denial of service condition in the browser or potentially lead to remote code execution. |
| 6.8 | E20-15ze1 | CVE-2020-9802 (CVSS, CVSSv3, GOOGLE-2020) | Exploits | This strike exploits a vulnerability in Apple WebKit. Specifically, an attacker can craft JavaScript such that Checked and Unchecked ArithNegate operations are incorrectly swapped during Common Subexpression Elimination. This leads to an out-of-bounds memory access on an array once the code is JIT compiled. |
| 5.0 | E20-XZ24L | CVSS, CVSSv3, URL | Phishing | This strike simulates a phishing email that has been seen in the wild pushing Dridex malware. This specific phishing attempt is related to the 'Dridex May 2020 Malware Campaign'; it tries to trick the user into clicking a malicious link by asking the victim a vague question about something received from a manager. |

Defects Resolved

| Ticket | Info |
|---|---|
| ATIBPS-16791 | When running with the 'all variants' evasion profile enabled, the generated variants now respect the evasion profiles defined in each strike. As a result, encrypted traffic may be seen for strikes that specify TLS by default. Configuring the evasion profiles manually overrides this behavior. |
| ATIBPS-16769 | Fixed the description of the Maze Ransomware Campaign strikes. |