ATI Update ATI-2021-22

New Protocols & Applications (5)

Name Category Info
Gettr Oct21 Social Networking/Search Gettr is a social media platform targeted at North America.
Ikea Oct 2021 Enterprise Applications Ikea is a multinational conglomerate that designs and sells ready-to-assemble furniture, kitchen appliances and home accessories, among other goods and home services.
Railway 12306 Mobile Oct 2021 Enterprise Applications Railway 12306 is the official Chinese train ticket purchasing application.
Robinhood Mobile Oct 2021 Financial Robinhood is a popular trading application.
Tridium Niagara Fox SCADA Tridium Niagara Fox is a proprietary protocol used for all network communication between stations, and between the Workbench and stations, in the Niagara Framework.

New Superflows (7)

Name Category Tags Info
Gettr Oct 21 Social Networking/Search Social Networking Simulates the use of the Gettr website as of October 2021. All of the available actions for this flow are exercised.
Gettr Oct 21 Browse Social Networking/Search Social Networking Simulates the scenario in which the user opens the Gettr website, logs in, browses through posts and logs out.
Ikea Oct 2021 Enterprise Applications Financial, SimulatedTLS Ikea is a multinational conglomerate that designs and sells ready-to-assemble furniture, kitchen appliances and home accessories, among other goods and home services.
Railway 12306 Mobile Oct 2021 Enterprise Applications ChinaApp, Financial, MobileApp, SimulatedTLS Railway 12306 is the official Chinese train ticket purchasing application. This is a simulation of Railway 12306 version 5.4.0.12 in which the user checks the train timetable and buys a ticket.
Robinhood Mobile Oct 2021 Financial Financial, MobileApp, SimulatedTLS Robinhood is a popular trading application. This is a simulation of Robinhood in which the user logs in to the application, checks the news and performs two trades.
Tridium Niagara Fox SCADA ChinaApp, ICS Simulates a scenario in which a Tridium Niagara client starts a connection with a server. The server responds to the connection with system parameters, sends a challenge message and rejects the connection.
Tridium Niagara Fox Bandwidth SCADA ChinaApp, ICS Simulates a scenario in which a Tridium Niagara client starts a connection with a server. The server responds to the connection with system parameters.

New Application Profiles (2)

Name Info
Sandvine 2021 Global Mobile Social Media Downstream It simulates the downstream traffic generated by the mix of global social media mobile applications reported in the Sandvine Mobile Internet Phenomena Report May 2021.
Sandvine 2021 Global Mobile Social Media Upstream It simulates the upstream traffic generated by the mix of global social media mobile applications reported in the Sandvine Mobile Internet Phenomena Report May 2021.

New Security Tests (1)

Name Info
SquirrelWaffle Oct 2021 Campaign SquirrelWaffle is a piece of malicious software designed to cause chain infections, i.e. to download and install additional malware. At the time of research, SquirrelWaffle was used to infect systems with the Cobalt Strike malicious program, which is infamous for being used to infect devices with ransomware.

* https://www.pcrisk.com/removal-guides/21881-squirrelwaffle-malware

This strikelist contains 5 strikes simulating the 'SquirrelWaffle Oct 2021 Campaign'.

1. The first strike simulates the download of a zip file. This is the first infection vector for this campaign in which the zip file contains a malicious macro-embedded Word document. After macro execution, it downloads the next stage SquirrelWaffle malware.
2. The second strike simulates the download of the SquirrelWaffle malware.
3. The third strike simulates the command and control traffic that occurs after executing the SquirrelWaffle malware. The victim sends an HTTP message to the attacker, and the attacker replies with an HTTP code 200 with customized HTTP body data over port 80.
4. The fourth strike simulates the download of the Cobalt Strike binary.
5. The fifth strike simulates the traffic that occurs after the Cobalt Strike binary executes. The victim and the attacker exchange encrypted payloads over HTTPS port 8080.

It contains the following sequence of strikes:
1) /strikes/malware/apt/squirrelwaffle_oct_2021_campaign/malware_50db7914bc6c4e4d0b8e8e69a604221fe2d74716.xml
2) /strikes/malware/apt/squirrelwaffle_oct_2021_campaign/malware_55d3d2226a8af0b6cfcfbe8d590cd880954ca419.xml
3) /strikes/botnets/apt/squirrelwaffle_oct_2021_campaign/squirrelwaffle_oct_2021_campaign_squirrelwaffle_command_control.xml
4) /strikes/malware/apt/squirrelwaffle_oct_2021_campaign/malware_65b43bfe8a5f2481d70b76ebd543b9f5b4baa0f6.xml
5) /strikes/botnets/apt/squirrelwaffle_oct_2021_campaign/squirrelwaffle_oct_2021_campaign_cobalt_strike_command_control.xml

# Strike ID Name Description
1 M21-lwjb2 SquirrelWaffle Oct 2021 Campaign - Zip Malware File Transfer This strike simulates the download of the zip file via an HTTP GET request. The zip file contains a Word Loader document.
2 M21-kghw6 SquirrelWaffle Oct 2021 Campaign - Squirrelwaffle Loader Malware File Transfer This strike simulates the download of the Squirrelwaffle Loader via an HTTP GET request. The file is a DLL executed by rundll32.exe.
3 B21-ifkw2 SquirrelWaffle Oct 2021 Campaign - SquirrelWaffle Command and Control This strike simulates the 'SquirrelWaffle Oct 2021 Campaign - SquirrelWaffle Command and Control' traffic that occurs after executing the SquirrelWaffle malware.
4 M21-ugml2 SquirrelWaffle Oct 2021 Campaign - Cobalt Strike Malware File Transfer This file is a malicious Cobalt Strike binary that sends command and control traffic after execution.
5 B21-igkw4 SquirrelWaffle Oct 2021 Campaign - Cobalt Strike Command and Control This strike simulates the 'SquirrelWaffle Oct 2021 Campaign - Cobalt Strike Command and Control' traffic that occurs after executing the Cobalt Strike malware.

New Strikes (5)

CVSS ID References Category Info
10.0 E21-c8uy1 CVE-2021-25274 CVSS CVSSv3 CWE-502 URL Exploits This strike exploits an insecure deserialization vulnerability that has been reported in SolarWinds Orion, the core platform for multiple SolarWinds products. The vulnerability is due to insufficient validation of messages sent to the MSMQ message queue. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation results in remote code execution in the security context of SYSTEM.
9.0 E21-17rh2 CVE-2020-27871 CVSS CVSSv3 CWE-22 URL Exploits This strike exploits an arbitrary file write vulnerability that has been reported in SolarWinds Network Configuration Manager. The vulnerability is due to insufficient validation of file types for vulnerability announcement data files in VulnerabilitySettings.aspx, combined with a lack of restriction on destination paths. A remote, authenticated attacker can exploit this vulnerability by submitting a crafted request to the target server. Successful exploitation results in the writing of an arbitrary file to a location chosen by the attacker, potentially leading to execution of arbitrary code as SYSTEM.
7.5 E21-ci6e1 CVE-2021-37350 CVSS CVSSv3 CWE-89 URL Exploits This strike exploits a SQL injection vulnerability in Nagios XI versions prior to 5.8.5. This vulnerability is due to improper validation of the field_value parameter in the bulkmodifications component. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation could allow an attacker to execute SQL commands on the target server.
7.5 E21-ci6a1 CVE-2021-37346 CVSS CVSSv3 CWE-78 URL Exploits This strike exploits a command injection vulnerability in Nagios XI versions prior to 5.8.5. This vulnerability is due to improper validation of the ip_address parameter in the watchguard wizard component. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation could allow an attacker to execute arbitrary commands on the target server.
6.5 E21-ci671 CVE-2021-37343 CVSS CVSSv3 CWE-22 URL Exploits This strike exploits a path traversal vulnerability in Nagios XI versions prior to 5.8.5. This vulnerability is due to improper validation of the job parameter in the autodiscovery feature. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation could result in arbitrary file creation and, furthermore, in arbitrary code being executed in the context of the web server. Note: This strike contains only the authentication and the request required to create a backdoor on the web server.

Enhancements

Component Info
Security Added an RTF file variation for strike E21-ckkc1.