ATI Update ATI-2021-23

New Protocols & Applications (4)

Name Category Info
Bank Of America Mobile Oct 2021 Financial The Bank of America mobile app facilitates an array of banking services for a large number of users.
Chase Mobile Oct 2021 Financial The Chase Mobile app is an all-inclusive platform that provides a centralized way to manage Chase accounts and perform various banking activities from mobile devices.
Kuaishou Mobile Oct21 Voice/Video/Media Kuaishou is a Chinese short video sharing application. It allows users to browse content, watch videos and upload short videos. This simulates the mobile version of the Kuaishou application.
Zhihu Oct21 Social Networking/Search Zhihu is a Chinese question and answer sharing website. It allows users to post questions and answers in text and video.

New Superflows (6)

Name Category Tags Info
Bank Of America Mobile Oct 2021 Financial SimulatedTLS, MobileApp The Bank of America mobile app facilitates an array of banking services for a large number of users. This simulated scenario includes: user login, making a credit card payment, and reviewing rewards.
Chase Mobile Oct 2021 Financial SimulatedTLS, MobileApp The Chase Mobile app is an all-inclusive platform that provides a centralized way to manage Chase accounts and perform various banking activities from mobile devices. This simulated scenario includes: user login, balance check, making a credit card payment, reviewing rewards and transferring cash via the Zelle service.
Kuaishou Mobile Oct21 Voice/Video/Media ChinaApp, MobileApp Simulates the Kuaishou application as of October 2021. The user opens the application, browses the content, watches a short video and uploads a video.
Kuaishou Mobile Oct21 Video Voice/Video/Media ChinaApp, MobileApp Simulates Kuaishou video as of October 2021. The user watches a short video and uploads one.
Zhihu Oct21 Question Social Networking/Search ChinaApp Simulates the Zhihu website as of October 2021. The user opens the website, views the hot questions, replies to a question and posts a question.
Zhihu Oct21 Video Social Networking/Search ChinaApp Simulates the Zhihu website as of October 2021. The user watches a video and uploads one.

New Application Profiles (4)

Name Info
ICS/SCADA Traffic 2021 This simulates traffic generated by the top 23 ICS/SCADA protocols in 2021.
Sandvine 2021 Global Mobile Video Downstream It simulates the downstream traffic generated by the mix of global video mobile applications reported in the Sandvine Mobile Internet Phenomena Report May 2021.
Sandvine 2021 Global Mobile Downstream It simulates the downstream traffic generated by the mix of global mobile applications reported in the Sandvine Mobile Internet Phenomena Report May 2021.
Sandvine 2021 Global Mobile Upstream It simulates the upstream traffic generated by the mix of global video mobile applications reported in the Sandvine Mobile Internet Phenomena Report May 2021.

New Security Tests (1)

Name Info
Formbook Oct 2021 Campaign Formbook stealer is an info-stealer trojan available as malware-as-a-service. It is designed to steal personal information from victims' devices and manipulate those devices using control commands from a C2 server. Formbook uses keyloggers and form grabbers to collect victim input along with data from browsers, instant messaging, email and FTP clients.

* https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I

This strikelist contains 3 strikes simulating the 'Formbook Oct 2021 Campaign'.

1. The first strike simulates the download of an Excel file. This is the initial infection vector for this campaign: the downloaded file is an Excel document with an embedded malicious macro.
2. The second strike simulates the download of the Formbook malware. This download follows the execution of the macro in the previously downloaded Excel document.
3. The third strike simulates the command and control traffic that occurs after executing the Formbook malware. The victim sends an HTTP message to the attacker containing the username and OS version, and the attacker replies with an HTTP 200 response over TCP port 80.


It contains the following sequence of strikes:
1) /strikes/malware/apt/formbook_oct_2021_campaign/malware_7037ff474ab0d0ce368f02bf09d199f97c20b3e4.xml
2) /strikes/malware/apt/formbook_oct_2021_campaign/malware_8cc59571463811f56006426ee81a0d5b220beaec.xml
3) /strikes/botnets/apt/formbook_oct_2021_campaign/formbook_oct_2021_campaign_formbook_command_control.xml

# Strike ID Name Description
1 M21-mtlx1 Formbook Oct 2021 Campaign - Excel Malware File Transfer This strike simulates the download of a malicious Excel document file via an HTTP GET request. The Excel file contains a macro that will attempt to download another malware file.
2 M21-koxp2 Formbook Oct 2021 Campaign - Formbook Malware File Transfer This strike simulates the download of a Formbook binary file via an HTTP GET request. If executed, the binary will attempt to communicate with the Command and Control server.
3 B21-mlwx1 Formbook Oct 2021 Campaign - Command and Control This strike simulates the 'Formbook Oct 2021 Campaign - Formbook Command and Control' traffic that occurs after executing the Formbook malware.

New Strikes (3)

CVSS ID References Category Info
9.0 E21-ac5v1 CVE-2020-36243, CVSS, CVSSv3, CWE-78, URL Exploits This strike exploits a command injection vulnerability in OpenEMR. This vulnerability is due to insufficient sanitization of user-supplied data in backup.php. A remote authenticated attacker can exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary command execution in the security context of the web server. *NOTE: When running this strike in OneArm mode, the requests will not be sent to /openemr/someuri but to /someuri, because the OpenEMR server Docker image used is configured that way.
6.4 E21-c8v62 CVE-2021-25282, CVSS, CVSSv3, CWE-22, URL, URL Exploits This strike exploits a directory traversal vulnerability that exists in the WheelClient for Salt API, a component of SaltStack Salt. The vulnerability is due to improper validation of user-supplied input in the pillar_roots.write method. A remote attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted server. Successful exploitation can result in arbitrary file creation and, in the worst case, remote code execution in the context of the root user.
4.3 E21-c7781 CVE-2021-23124, CVSS, CVSSv3, CWE-79, URL Exploits This strike exploits a cross-site scripting vulnerability in Joomla CMS. This vulnerability is due to inadequate input filtering in the title attribute of mod_breadcrumbs. Successful exploitation could result in arbitrary script code being executed in the security context of the browser.

Enhancements

Component Info
Security Previously, certain strikes had multiple identical false positives. This fix aims to reduce the number of duplicated variants and false positives in strikes when running against all variants.