ATI Update ATI-2020-15

Enhancements

Ticket | Info
ATIBPS-16859 | Convert static Flood Attack strike list to Dynamic.

New Protocols & Applications (1)

Name | Category | Info
Google Quic Version 46 | Data | This is a simulation of the Google proprietary QUIC protocol (gQUIC) version 46, used by default in the Chromium web browser. The traffic is encapsulated in UDP packets. The protocol uses QUIC Crypto instead of the common TLS, for enhanced security and performance.

New Super Flows (3)

Name | Category | Info
Google Quic access Google Maps Website - 0 RTT | Data Transfer/File Sharing | Simulates a user returning to the Google Maps website shortly after a previous visit, using the Google Chrome browser on Windows OS.
Google Quic access Google Maps Website - 1 RTT | Data Transfer/File Sharing | Simulates a user accessing the Google Maps website for the first time using the Google Chrome browser on Windows OS.
Telegram Chat | Chat/IM | A user logs in to the Telegram Desktop client and sends messages and media to a contact in the address book.

New Security Tests (1)

Name | Info
APT-29 July 2020 SoreFang Campaign | This strikelist contains 3 strikes simulating the 'APT-29 July 2020 SoreFang Campaign'.
1. The first strike sends a command injection exploit to the target: a Citrix Application Delivery Controller server.
2. The second strike simulates the download of the SoreFang malware used by APT-29.
3. In the third strike, the victim issues an HTTP POST request containing host info such as the hostname, after execution of the SoreFang malware used by APT-29.

It contains the following sequence of strikes:
1) /strikes/exploits/webapp/exec/cve_2019_19781_citrix_vpn_command_injection_traversal.xml
2) /strikes/malware/apt/apt29_july_2020_sorefang_campaign/malware_152189b62c546d6297a7083778fba62dcec576be.xml
3) /strikes/botnets/apt/apt29_july_2020_sorefang_campaign/apt29_july_2020_sorefang_campaign_command_control.xml

# | Strike ID | Name | Description
1 | E20-7uat1 | Citrix Application Delivery Controller Command Injection via 'vpn' Directory Traversal | An OS command injection vulnerability exists in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. The command injection is possible through a directory traversal flaw, due to improper sanitization of multiple fields in HTTP requests. The flaw may be exploited by an unauthenticated attacker to execute arbitrary commands on the target server.
2 | M20-5b601 | APT-29 July 2020 Campaign - SoreFang Malware File Transfer | This strike simulates the download of the APT-29 SoreFang malware via an HTTP GET request.
3 | B20-7zt71 | APT-29 July 2020 Campaign - SoreFang Command and Control | This strike simulates the 'APT-29 July 2020 SoreFang Campaign - Command and Control' traffic that occurs after the SoreFang malware has been executed.

New Strikes (8)

CVSS | ID | References | Category | Info
9.0 | E20-10x31 | CVE-2020-3239, CVSS, CVSSv3, URL, ZDI-20-539 | Exploits | A directory traversal vulnerability exists in Cisco UCS Director. The vulnerability is due to insufficient validation of user input within the 'ApplianceStorageUtil' class. A remote authenticated attacker can exploit the vulnerability by sending malicious requests to the target server. Successful exploitation could result in an arbitrary file write and remote code execution under the security context of the web server.
6.8 | E20-158s1 | CVE-2020-8844, CVSS, CVSSv3, URL, ZDI-20-200 | Exploits | This strike exploits an integer overflow vulnerability reported in Foxit Reader and PhantomPDF software. This vulnerability is due to improper parsing of image files in memory. A remote attacker could exploit this vulnerability by enticing a victim user to visit a malicious web page or open a crafted image file. Successful exploitation could allow the attacker to execute arbitrary code under the security context of the user.
6.8 | E20-13ck1 | CVE-2020-6388, CVSS, CVSSv3, GOOGLE-1999 | Exploits | This strike exploits a vulnerability in Google Chrome. Specifically, an out-of-bounds memory access occurs when the AudioArray::Allocate function is invoked in a specific manner. When this happens, a denial of service condition, or potentially remote code execution, may occur.
6.8 | E20-0zaz1 | CVE-2020-1147, CVSS, CVSSv3, URL, URL, ZDI-20-874 | Exploits | This strike exploits a remote code execution vulnerability that affects Microsoft .NET Framework, SharePoint, and Visual Studio. This vulnerability is due to improper validation of the source markup of XML file input. An attacker could exploit this vulnerability by enticing a user to open a crafted document, or by sending maliciously crafted XML content to a server that processes the XML data using the vulnerable library. Successful exploitation allows the attacker to run arbitrary code in the security context of the .NET application.
6.5 | E20-14pv1 | CVE-2020-8163, CVSS, CVSSv3, URL, URL | Exploits | A remote code execution vulnerability exists in Ruby on Rails versions 5 < 5.0.1 and 4 < 4.2.11.2, due to a lack of user input validation. The vulnerability manifests whenever the 'locals' value of a 'render' call is set to the 'params' value. Remote attackers may exploit applications containing the above-mentioned pattern by sending a crafted HTTP request to obtain arbitrary code execution.
5.0 | E20-9uy61 | CVE-2020-13934, CVSS, CVSSv3, URL | Exploits | A denial of service vulnerability exists in multiple versions of the Apache Tomcat HTTP server. The flaw is due to a specific memory area not being released when processing HTTP/2 'MAGIC' requests. A remote attacker may send a large number of HTTP/2 packets to crash the server through an 'OutOfMemoryException' condition.
4.3 | E20-159r1 | CVE-2020-8879, CVSS, CVSSv3, ZDI-20-302 | Exploits | This strike exploits an out-of-bounds read vulnerability in Foxit Studio Photo versions up to 3.6.6.916. The vulnerability is due to the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure when handling PSD files. An attacker could exploit this vulnerability by creating a specially crafted PSD file and enticing a user to open it. Successful exploitation could lead to information disclosure.
2.6 | E20-11fa1 | CVE-2020-3894, CVSS, CVSSv3, GOOGLE-1999 | Exploits | This strike exploits a vulnerability in Apple WebKit. Specifically, an out-of-bounds memory access occurs when the AudioArray::Allocate function is invoked in a specific manner. When this happens, a denial of service condition, or potentially remote code execution, may occur.

Defects Resolved

Ticket | Info
ATIBPS-16802 | Fixed direction to "s2c" for AZORult strikes B20-hzd01 and B20-jg601.
ATIBPS-16856 | For strike E18-0ql21, the client now sends the malicious request directly to the server, instead of the server sending the malicious PoC to be executed.
ATIBPS-16889 | Fixed duplicate HTTP headers for several strikes.
ATIBPS-16909 | Fixed duplicate Connection header for strike E20-7rd81.
ATIBPS-16931 | Fixed duplicate Connection header for strike E20-7rdc1.