ATI Update ATI-2021-03

New Protocols & Applications (4)

Name | Category | Info
--- | --- | ---
BeyondTrust Jan21 | Remote Access | BeyondTrust Remote Support (formerly Bomgar) is a remote support application that enables remote access to, and troubleshooting of, desktop and mobile devices running any platform and located anywhere in the world.
Crawling Wikipedia(English) 3 Layers 4 Link Feb21 | Social Networking/Search | Wikipedia (English) is the largest online encyclopedia. This application crawls the English Wikipedia website: it follows 4 links on the home page and, for each link, goes up to 3 layers deep, crawling in a Breadth-First Search (BFS) fashion.
Dianping Jan21 | Social Networking/Search | Dianping is a Chinese restaurant ranking website. It allows users to search for restaurants, check menus, read comments, buy coupons and post comments.
Google Classroom Mobile Feb21 | Mobile | Google Classroom is a free web service developed by Google for schools that aims to simplify creating, distributing, and grading assignments. Its primary purpose is to streamline the sharing of files between teachers and students. This simulates the mobile version of the application.

New Superflows (10)

Name | Category | Info
--- | --- | ---
BeyondTrust Jan21 | Remote Access | Simulates the use of the BeyondTrust application with 2 clients (where Client A is IT Support and Client B is a remote client) as of January 2021. Client A logs into the BeyondTrust application, starts a new session and provides the session ID to Client B. Client A then requests screen sharing, and screen sharing starts after Client B allows the access. After that, Client A stops screen sharing, ends the current session and logs out.
BeyondTrust Jan21 Session Start | Remote Access | Simulates the use of the BeyondTrust application with 2 clients (where Client A is IT Support and Client B is a remote client) as of January 2021. Client A logs into the BeyondTrust application, starts a new session, provides the session ID to Client B, ends the current session and logs out.
Crawling Wikipedia(English) 3 Layers 4 Link Feb21 | Social Networking/Search | Simulates crawling the English Wikipedia website as of February 2021. It follows 4 links on the home page and, for each link, goes up to 3 layers deep, crawling in a Breadth-First Search (BFS) fashion.
Dianping Jan21 Comment Restaurant | Social Networking/Search | Simulates commenting on a restaurant on Dianping as of January 2021. The user goes to the Dianping website, buys coupons and comments on the restaurant.
Dianping Jan21 Search Restaurant | Social Networking/Search | Simulates searching for restaurants on Dianping as of January 2021. The user goes to the website, searches for restaurants, checks the menu, reads comments and checks the location.
Google Classroom Mobile Feb21 Full Session | Mobile | Simulates the use of Google Classroom Mobile as of February 2021, where a teacher signs in to the app, creates a new class and creates an assignment. Students then open the classroom, view the assignment and make a submission.
Google Classroom Mobile Feb21 Student | Mobile | Simulates the use of Google Classroom Mobile as of February 2021, where a student opens the classroom, views the assignment and makes a submission.
Google Classroom Mobile Feb21 Teacher | Mobile | Simulates the use of Google Classroom Mobile as of February 2021, where a teacher signs in to the app, creates a new class and creates an assignment.
SolarWinds NCM Web Console TLS | System/Network Admin | Simulates the use of the SolarWinds NCM Web Console over TLS as of December 2020, where a user signs in to the management console, opens the configuration summary page, searches for network config files, opens the jobs page, creates, searches for, runs and stops a job, and logs out.
SolarWinds SAM Web Console TLS | System/Network Admin | Simulates the use of the SolarWinds SAM Web Console over TLS as of December 2020, where a user signs in to the management console, manually adds a specific node for monitoring, runs a network discovery task to locate all active nodes in the network, imports the devices found and performs operations on the dashboard.

New Application Profiles (1)

Name | Info
--- | ---
Consumer Internet Traffic 2020 | This Application Profile is representative of commonly used web-based applications that focus on communications, social media, and media consumption in 2020. The minimum BPS version required to run this profile is 9.10.110.81.

New Security Tests (1)

Name | Info
--- | ---
Sunburst Jan 2021 Campaign | This strikelist contains 2 strikes simulating the 'Sunburst Jan 2021 Campaign'.

1. The first strike simulates the download of the 'Sunburst' malware.
2. The second strike simulates the traffic that occurs after executing the 'Sunburst' malware executable. The victim sends 4 HTTP requests to the attacker, and the attacker replies with the custom protocol message to execute calc.exe.

It contains the following sequence of strikes:
1) /strikes/malware/apt/sunburst_jan_2021_campaign/malware_76640508b1e7759e548771a5359eaed353bf1eec.xml
2) /strikes/botnets/apt/sunburst_jan_2021_campaign/sunburst_jan_2021_campaign_http_command_control.xml

# | Strike ID | Name | Description
--- | --- | --- | ---
1 | M21-y5m01 | Sunburst Jan 2021 Campaign - Sunburst Malware File Transfer | This strike simulates the download of the Sunburst malware via an HTTP GET request.
2 | B21-s6d01 | Sunburst Jan 2021 Campaign - Sunburst HTTP Command and Control | This strike simulates the 'Sunburst Jan 2021 Campaign - Sunburst HTTP Command and Control' traffic that occurs after executing the Sunburst malware.

New Strikes (3)

CVSS | ID | References | Category | Info
--- | --- | --- | --- | ---
7.5 | E21-14k91 | CVE-2020-7961, CVSS, CVSSv3, CWE-502, EXPLOITDB-48332, URL | Exploits | This strike exploits an insecure deserialization vulnerability in Liferay Portal. The vulnerability is due to improper sanitization of user-supplied input. Exploiting this vulnerability could allow remote, unauthenticated attackers to execute arbitrary code on the target server in the context of the user running the server.
6.8 | D21-3dsu1 | CVE-2017-11774, CVSS, CVSSv3, CWE-119, URL | Denial | This strike exploits a code execution vulnerability in Microsoft Outlook 2010. The vulnerability is due to improper handling of objects in memory, also described as a Microsoft Outlook security feature bypass vulnerability. Setting a crafted HTML page as the Home Page in Outlook 2010 allows the attacker to execute code in the context of the current user. Note: this strike simulates the opening of a malicious page at the address defined as the Outlook Home Page.
4.0 | E21-0x6i1 | CVE-2019-8394, CVSS, CVSSv3, CWE-434, EXPLOITDB-46413 | Exploits | This strike exploits a file upload vulnerability in Zoho ManageEngine ServiceDesk Plus. Files can be uploaded to the target by sending an HTTP POST request with the parameter 'module' set to 'CustomLogin'. An attacker can send a malicious HTTP POST request to upload an arbitrary file to the '/custom/login' folder. Successful exploitation may lead to the creation and execution of arbitrary files by an authenticated user with minimal permissions (for example, guest).

Enhancements

Component | Info
--- | ---
Apps | Adds the "ChinaApp" tag to superflows that simulate applications in the Chinese market.