ATI Update ATI-2021-05

New Protocols & Applications (4)

| Name | Category | Info |
| --- | --- | --- |
| Oblivious DNS over HTTPS | Distributed Computing | Oblivious DNS over HTTPS is a new protocol designed by Cloudflare to improve the security of existing DNS over HTTPS by introducing a proxy between the client and the target resolver. |
| Tiktok Mobile Feb21 | Mobile | Tiktok is a video-sharing/social networking service owned by the Chinese company ByteDance. The social media platform is used to make a variety of short-form videos, in genres such as dance, comedy, and education, with durations from three seconds to one minute. This simulates the mobile version of the Tiktok application. |
| Tonghuashun Feb21 | Financial | Tonghuashun is a Chinese financial news and stock monitoring website. It allows users to view financial news, search for stocks and monitor them. |
| YouTube Mobile Feb21 | Mobile | YouTube is an American video-sharing platform that operates as one of Google's subsidiaries. This mobile app allows users to upload, view, share and comment on videos. |

New Superflows (10)

| Name | Category | Info |
| --- | --- | --- |
| Oblivious DNS Client to Proxy | Distributed Computing | Simulates the scenario where the client checks the configuration of the ODoH server, sends an ODoH query to the proxy, and receives the response. |
| Oblivious DNS Proxy to Target | Distributed Computing | Simulates the scenario where the proxy forwards the query received from the client to an ODoH server. |
| Tiktok Mobile Feb21 Browse Videos | Mobile | Simulates the use of Tiktok Mobile as of February 2021, where a user logs in to the Tiktok mobile app, browses various videos in the feed, likes, comments on and shares a random video, adds the Tiktoker to favorites, and signs out. |
| Tiktok Mobile Feb21 Full Session | Mobile | Simulates the use of Tiktok Mobile as of February 2021, where a user logs in to the Tiktok mobile app, opens the discover page, searches for a video, uploads a short video of at most 60 seconds, browses various videos in the feed, likes, comments on and shares a random video, adds the Tiktoker to favorites, visits the user's following page and signs out. |
| Tiktok Mobile Feb21 Upload Video | Mobile | Simulates the use of Tiktok Mobile as of February 2021, where a user logs in to the Tiktok mobile app, uploads a short video of at most 60 seconds in the Tiktok application and signs out. |
| Tonghuashun Feb21 News | Financial | Simulates Tonghuashun news browsing as of February 2021. The user goes to the website, logs on, browses news, comments on news and logs out. |
| Tonghuashun Feb21 Stock | Financial | Simulates the Tonghuashun stock monitor as of February 2021. The user goes to the website, searches for a stock, views the stock's information and adds the stock to the monitor list. |
| YouTube Mobile Feb21 Browse Sections | Mobile | Simulates the use of the YouTube Mobile app as of February 2021, where a user opens the sign-in page, signs in to the YouTube Mobile app, accesses Subscriptions, accesses History, accesses a Playlist, removes a video from that Playlist and signs out. |
| YouTube Mobile Feb21 Play Video | Mobile | Simulates the use of the YouTube Mobile app as of February 2021, where a user opens the sign-in page, signs in to the YouTube Mobile app, searches for a video, plays the video, pauses it, likes it, unlikes it, adds it to a playlist, subscribes to a channel, unsubscribes from the channel, comments on the video, shares the video and signs out. |
| YouTube Mobile Feb21 Upload Video | Mobile | Simulates the use of the YouTube Mobile app as of February 2021, where a user opens the sign-in page, signs in to the YouTube Mobile app, uploads a video, accesses Subscriptions, accesses History, accesses a Playlist, removes a video from that Playlist and signs out. |

New Security Tests (1)

Name: Remcos RAT Feb 2021 Campaign

Info: This strikelist contains 3 strikes simulating the 'Remcos RAT Feb 2021 Campaign'.

1. The first strike simulates the download of the 'Downloader' malware. This malware is the initial infection vector for Remcos, in which a Microsoft Excel macro executes to download the next-stage loader.
2. The second strike simulates the download of the 'Loader' malware. This malware is the second-stage infection vector for Remcos, in which an executable file extracts and executes the final 'Remcos' payload executable.
3. The third strike simulates the traffic that occurs after the 'Remcos' executable is run. The victim sends raw TCP traffic to the attacker containing encrypted data stolen from the victim, and the attacker replies with an encrypted response. The strike simulates parts of the command-and-control traffic captured in the wild.

It contains the following sequence of strikes:
1) /strikes/malware/apt/remcos_rat_feb_2021_campaign/malware_fe865b20e82fcbc1542ba88f9da082db0d39f125.xml
2) /strikes/malware/apt/remcos_rat_feb_2021_campaign/malware_5fab5dc05795e35879eeab69f9c8172e4963431c.xml
3) /strikes/botnets/apt/remcos_rat_feb_2021_campaign/remcos_rat_feb_2021_campaign_command_control.xml

| # | Strike ID | Name | Description |
| --- | --- | --- | --- |
| 1 | M21-5vt01 | Remcos RAT Feb 2021 Campaign - Excel Downloader Malware File Transfer | This strike simulates the download of the Excel Downloader malware via an HTTP GET request. |
| 2 | M21-5qt01 | Remcos RAT Feb 2021 Campaign - Loader Malware File Transfer | This strike simulates the download of the Loader malware via an HTTP GET request. |
| 3 | B21-2pr01 | Remcos RAT Feb 2021 Campaign - Remcos Command and Control | This strike simulates the 'Remcos RAT Feb 2021 Campaign - Remcos RAT Command and Control' traffic that occurs after executing the Loader malware. Note: this strike only simulates part of the encrypted Remcos RAT traffic. |

New Strikes (9)

| CVSS | ID | References | Category | Info |
| --- | --- | --- | --- | --- |
| 10.0 | E21-c6b81 | CVE-2021-21972, CVSS, CVSSv3, CWE-269, EXPLOITDB-49602, URL | Exploits | This strike exploits a file upload vulnerability in the vSphere Client component of VMware vCenter. A remote, unauthenticated attacker can send a malicious HTTP POST request to upload an arbitrary file via the '/ui/vropspluginui/rest/services/uploadova' API. Successful exploitation may lead to the creation and execution of arbitrary files in the context of NT AUTHORITY\SYSTEM on Windows and the vsphere-ui user on Linux. |
| 9.0 | E21-0zzq1 | CVE-2020-2038, CVSS, CVSSv3, CWE-78, URL | Exploits | This strike exploits a management interface command injection vulnerability in Palo Alto Networks PAN-OS. The vulnerability is due to insufficient filtering of user input in the execute method of the RestApi class. A remote, authenticated attacker can exploit this vulnerability to execute arbitrary OS commands with root privileges. Note: in one_arm mode this strike simulates the attack using a fixed API key. |
| 7.5 | E21-9vl01 | CVE-2020-14756, CVSS, CVSSv3, CWE-502, URL | Exploits | This strike exploits an insecure deserialization vulnerability in the Oracle Coherence library, which is used in popular products such as Oracle WebLogic Server. The vulnerability is a result of insufficient validation of T3 requests in the ExternalizableHelper class. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to a vulnerable server. Successful exploitation leads to remote code execution in the context of the user running the Oracle WebLogic service. |
| 7.5 | E21-9wqd2 | CVE-2020-16245, CVSS, CVSSv3, CWE-22 | Exploits | This strike exploits a directory traversal vulnerability in Advantech iView. The vulnerability is due to improper handling of user-supplied paths in HTTP requests. A remote, unauthenticated attacker could exploit this by sending a maliciously crafted request to the server. A successful attack may result in arbitrary file read, or arbitrary code execution in the security context of SYSTEM. |
| 7.1 | E21-a40j1 | CVE-2020-25683, CVSS, CVSSv3, CWE-122, URL | Exploits | This strike simulates a heap out-of-bounds write vulnerability in DNSmasq. The vulnerability is due to a missing null-byte check on strings when sorting RR records in the sort_rrset() function. Successful exploitation may result in arbitrary code execution with the privileges of the DNSmasq process, or abnormal termination of the DNSmasq process, resulting in a denial of service condition. |
| 6.8 | E20-1481s | CVE-2020-24435, CVSS, CVSSv3, CWE-122, URL | Exploits | A buffer overflow vulnerability exists in Adobe Acrobat Pro DC. Specifically, the vulnerability exists within the WebPDF.api. Type confusion occurs when an invalid Unicode string is created as an ANSI string from a source Unicode string. By enticing a victim to open a crafted PDF document, an attacker may cause a denial of service or information disclosure on the machine. It may also be possible to execute arbitrary code on the victim's system. |
| 6.8 | E20-0yyu1 | CVE-2020-16009, CVSS, CVSSv3, CWE-787, GOOGLE-2106 | Exploits | This strike exploits a vulnerability in Google Chrome. Specifically, JavaScript can be crafted in such a way that when several maps are created and type tagged, if one of the maps is deprecated when transitioning from the first tagged map to the second, type confusion can occur. When this happens, a denial of service condition, or potentially remote code execution, may occur. |
| 3.5 | E21-a5sk1 | CVE-2020-27988, CVSS, CVSSv3, CWE-79 | Exploits | A stored cross-site scripting vulnerability exists in Nagios XI versions prior to 5.7.5. The vulnerability is due to insufficient sanitization of the username in 'users.php'. A remote, authenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the server. Successful exploitation could result in arbitrary JavaScript execution in the victim's browser. |
| 3.5 | E21-15851 | CVE-2020-8821, CVSS, CVSSv3, CWE-74 | Exploits | A stored XSS vulnerability exists in Webmin 1.941 and earlier, affecting the Command Shell module. The flaw is due to a lack of HTML character escaping when rendering log entries and is located in the 'shell/log_parser.pl' script. An authenticated remote attacker may send a crafted POST body to obtain arbitrary JavaScript execution in a target user's browser. |

Defects Resolved

| Ticket | Info |
| --- | --- |
| ATIBPS-17324 | Removed the duplicate Server header for strike E21-171v2. |
| ATIBPS-17299 | Fixed a suspected RDP protocol violation in ATI traffic: the "McDn" keyword was misplaced in the userdata field, as shown in Zeek logs. Zeek can now parse BPS RDP traffic without errors. |
| ATIBPS-17284 | Fixed the issue where strike E20-0r641 was not sending the correct malicious payload. |