ATI Update ATI-2022-02

New Protocols & Applications (2)

| Name | Category | Info |
|---|---|---|
| CSDN Jan22 | Social Networking/Search | CSDN is a Chinese software developer communication website. It allows users to search for a technical document or a tool, pay for it and download it. |
| Himalaya Mobile Jan 2022 | Voice/Video/Media | Himalaya is a Chinese on-line radio and audio books application. |

New Superflows (4)

| Name | Category | Tags | Info |
|---|---|---|---|
| CSDN Jan22 | Social Networking/Search | Web, ChinaApp | Simulates the CSDN website as of January 2022. The user opens the website, searches for topics, views and comments on a document, then purchases and downloads a tool. |
| CSDN Jan22 Download | Social Networking/Search | Web, ChinaApp | Simulates the CSDN website as of January 2022. The user pays for a tool and downloads it. |
| Himalaya Mobile Jan 2022 | Voice/Video/Media | Streaming, ChinaApp, MobileApp, SimulatedTLS | Himalaya is a Chinese on-line radio and audio books application. This is a simulation of Himalaya version 9.0.10 in which the user listens to radio and audio books. |
| TRDP | SCADA | ICS, ChinaApp | TRDP (Train Real-Time Data Protocol) is a network protocol for communication in a TCN (Train Communication Network). TRDP is defined in IEC 61375-2-3. |

New Security Tests (1)

| Name | Info |
|---|---|
| Patchwork Jan 2022 Campaign | Patchwork is an Indian threat actor that has been observed since 2015 and usually targets Pakistan via spear phishing attacks. In its most recent campaign, from late November to early December 2021, Patchwork used malicious RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT). |

* Compared to the Patchwork Jan 2021 Campaign, the attacker uses an RTF document instead of a Microsoft Office doc file for phishing in the Patchwork Jan 2022 Campaign. The final Patchwork RAT payload is a new variant compared to the previous version.
** https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/

This strikelist contains 3 strikes simulating the 'Patchwork Jan 2022 Campaign'.

1. The first strike simulates the download of an RTF document. If the RTF document is opened, an embedded script attempts to extract the Patchwork RAT malware.
2. The second strike simulates the download of the Patchwork RAT malware.
3. The third strike simulates the command and control traffic that occurs after the Patchwork RAT malware is executed. The victim sends an HTTP message to the attacker containing the encrypted computer name and UUID, and the attacker sends an HTTP reply message. Compared to the previous Patchwork campaign, the traffic structure is slightly different (a different HTTP data parameter is used) and the C2 domain is different.


It contains the following sequence of strikes:
1) /strikes/malware/apt/patchwork_jan_2022_campaign/malware_021ea88ee2c5a3dd16c7dc2dd703c0850cc18f83.xml
2) /strikes/malware/apt/patchwork_jan_2022_campaign/malware_086885921ac2052dd5f72b0d755cdd9929cc8f94.xml
3) /strikes/botnets/apt/patchwork_jan_2022_campaign/patchwork_jan_2022_campaign_command_control.xml

| # | Strike ID | Name | Description |
|---|---|---|---|
| 1 | M22-wuvk9 | Patchwork Jan 2022 Campaign - RTF File Transfer | This strike simulates the download of a malicious RTF file via an HTTP GET request. If executed, the RTF macro attempts to download additional malware. |
| 2 | M22-j2sf1 | Patchwork Jan 2022 Campaign - Patchwork RAT File Transfer | This strike simulates the download of a malicious Windows DLL file via an HTTP GET request. The file is a malicious Patchwork remote access tool that sends command and control traffic after execution. |
| 3 | B22-6v2b1 | Patchwork Jan 2022 Campaign - Patchwork RAT Command and Control | This strike simulates the command and control traffic that occurs after the Patchwork RAT malware is executed. |

New Strikes (10)

| CVSS | ID | References | Category | Info |
|---|---|---|---|---|
| 10.0 | D22-ebf71 | CVE-2022-21907, CWE-119 | Denial | This strike exploits a vulnerability in the HTTP stack of Microsoft Windows (http.sys). The vulnerability is due to a logic flaw in http.sys. A remote, unauthenticated attacker on the same network segment can exploit this vulnerability by sending a crafted HTTP packet. Successful exploitation can result in a crash of the target Windows operating system. |
| 10.0 | E22-17ze1 | CVE-2021-2394, CWE-79 | Exploits | This strike exploits a vulnerability in Oracle WebLogic Server. A remote, authenticated attacker can exploit this vulnerability by sending crafted requests to a vulnerable server. Successful exploitation could result in the target server triggering an LDAP request to a remote server. If the LDAP server responds with a malicious serialized object, this can lead to arbitrary code execution on the target server. |
| 7.5 | E22-clrx1 | CVE-2021-42013, CWE-22 | Exploits | This strike exploits a directory traversal vulnerability in Apache httpd. The vulnerability is due to improper normalization of paths in the request URI and results from an incomplete fix of CVE-2021-41773. A remote, unauthenticated attacker could exploit the vulnerability by sending crafted HTTP requests to a target server running with an exploitable configuration. Successful exploitation could result in execution of arbitrary code under the security context of the server process. *NOTE: When run in OneArm mode, the strike will attempt to create a file in /tmp using /bin/bash. |
| 7.5 | E22-c6c51 | CVE-2021-22005, CWE-434 | Exploits | An arbitrary file upload vulnerability exists in VMware vCenter Server. The vulnerability is due to insufficient validation of collector IDs and collector instance IDs in requests handled by the AsyncTelemetryController class. A remote attacker could exploit this vulnerability by sending crafted requests to the target server, resulting in execution of arbitrary code by the server. |
| 6.5 | E22-ca4n1 | CVE-2021-26919, CWE-15 | Exploits | This strike exploits a deserialization vulnerability in Apache Druid. The vulnerability is due to missing validation of allowed JDBC connection properties. A remote, unauthenticated attacker could exploit this vulnerability by submitting a crafted JDBC connection URL in a MySQL datasource. Note: This strike contains only the configuration request to the Apache Druid server. This request forces Apache Druid to connect to a MySQL server, request some data and deserialize it. The MySQL connection generated by this request is not part of this strike. |
| 6.5 | E22-clzj1 | CVE-2021-42287, CWE-269 | Exploits | This strike exploits an Active Directory domain privilege escalation vulnerability. The vulnerability is due to machine account spoofing, which allows an attacker to impersonate a machine account such as that of a Domain Controller. A remote, domain-authenticated attacker can exploit this vulnerability by sending a crafted request to the target Domain Controller. Successful exploitation results in Active Directory domain privilege escalation. * This strike simulates running the attack against the MARVEL.local domain, targeting HYDRA-DC by abusing the MARVEL\fcastle user. |
| 6.5 | E21-znl01 | CVE-2021-42321, CWE-502 | Exploits | This strike exploits an insecure deserialization vulnerability in Microsoft Exchange Server. The vulnerability is due to insufficient validation of the UserConfiguration objects in EWS requests. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation results in remote code execution under the security context of SYSTEM. |
| 5.0 | D22-c7xy1 | CVE-2021-24086, CWE-476 | Denial | A NULL pointer dereference vulnerability exists in the TCP/IP stack of Microsoft Windows (tcpip.sys). The vulnerability is due to insufficient validation of the total size of all the fragmented packets. A remote attacker on the same network segment can exploit this vulnerability by sending crafted IPv6 fragments. Successful exploitation can result in a crash of the Windows operating system. |
| 4.3 | E22-9uyj1 | CVE-2020-13947, CWE-79 | Exploits | This strike exploits a cross-site scripting vulnerability in Apache ActiveMQ. The vulnerability is due to insufficient validation of the JMSDestination parameter passed to message.jsp in the web console. A remote attacker could exploit this vulnerability by enticing a target user to open a maliciously crafted link or web page. Successful exploitation could result in code execution, depending on the JavaScript payload embedded in the malicious link. *NOTE: In OneArm mode, the credentials used for authorization will be admin/admin. |
| 4.3 | E21-cll91 | CVE-2021-41773, CWE-22 | Exploits | This strike exploits a path traversal vulnerability in Apache HTTP Server prior to 2.4.50. The vulnerability is due to improper validation of the path in the CGI extension. A remote attacker can exploit this vulnerability by sending a crafted request. Successful exploitation could allow an attacker to execute arbitrary commands on the target server. Note: To exploit this vulnerability, the Apache HTTP Server needs to have the CGI extension enabled and permission granted for the root folder. |

Enhancements

| Component | Info |
|---|---|
| Apps | TLS certificates have been updated to include the SAN (Subject Alternative Name) extension field. |