ATI Update ATI-2022-08

Note: An expected UI popup stating "esni_flow_id: Invalid flow id '1'" appears once after the build is installed. This is expected and has no effect on the functioning of the platform or on test traffic.

New Protocols & Applications (3)

Name | Category | Info
China Merchants Bank Mobile Apr 2022 | Financial | China Merchants Bank is a popular Chinese banking application.
ELeMe Mobile Apr 2022 | Social Networking/Search | ELeMe is a Chinese food ordering and delivery service platform.
JT/T 905 | SCADA | JT/T 905 is a Chinese IoV (Internet of Vehicles) specification for a taxi service and management information system.

New Superflows (4)

Name | Category | Tags | Info
China Merchants Bank Mobile Apr 2022 | Financial | ChinaApp, MobileApp, SimulatedTLS | China Merchants Bank is a popular Chinese banking application. This superflow simulates China Merchants Bank v8.5.12: the user logs on to the application, checks the balance and transfers cash.
ELeMe Mobile Apr 2022 | Social Networking/Search | E-Commerce, ChinaApp, MobileApp, SimulatedTLS | ELeMe is a Chinese food ordering and delivery service platform. This superflow simulates ELeMe v10.7.5: the user logs on to the application, browses restaurants, orders food and pays for it.
JT/T 905 | SCADA | ICS, ChinaApp | Simulates a scenario in which location information is transferred from an ISU (Intelligent Service Unit) to the server; the server then starts a telephone call booking service session and the ISU responds to it.
JT/T 905 Bandwidth | SCADA | ICS, ChinaApp | Simulates a scenario in which around 5 MB of location information data is transferred between an ISU and the server.

New Security Tests (1)

Name | Info
Corporativo Apr 2022 Malspam Campaign | This strike list contains 2 strikes simulating the 'Corporativo Apr 2022 Malspam Campaign'.

1. The first strike simulates the phishing attack. This is the initial infection vector for this campaign: a phishing link inside the email message.
2. The second strike simulates the download of the 'Corporativo' malware package. This package includes the Corporativo malware loader and the Trojan DLL.

It contains the following sequence of strikes:
1) /strikes/phishing/corporativo_apr_2022_malspam_phishing_email.xml
2) /strikes/malware/apt/corporativo_apr_2022_malspam_campaign/malware_56df9c22fad0934ee34ef97d14e5524904503816.xml

# | Strike ID | Name | Description
1 | P22-2hy71 | Corporativo Apr 2022 Malspam Campaign - Phishing Email | This strike simulates a phishing email that has been linked with the Brazilian Corporativo 2022 Malspam Campaign. It tries to trick the user into clicking a link to download what appears to be a financial PDF file but instead downloads malware.
2 | M22-C1k61 | Corporativo Apr 2022 Malspam Campaign - Malicious Loader and Trojan Installer Package File Transfer | This strike simulates the download of an MSI installer package via an HTTP GET request. Once executed, the MSI installer drops a malicious loader executable and the Trojan DLL.

New Strikes (4)

CVSS | ID | References | Category | Info
10.0 | E22-1e9r1 | CVE-2022-0543, CVSS, CVSSv3, URL | Exploits | This strike exploits a Lua sandbox escape vulnerability in Redis. The vulnerability is due to a packaging issue and affects only Debian-based systems; upstream Redis builds are not affected. A successful attack can result in arbitrary code execution in the context of the Redis server.
6.5 | G22-095e1 | CVE-2016-7250, CVSS, CVSSv3, CWE-264, URL | Exploits | A privilege escalation vulnerability exists in Microsoft SQL Server. The vulnerability is due to improper handling of a SQL query containing a Universal Naming Convention (UNC) path. A remote, authenticated attacker can exploit the vulnerability by sending a crafted SQL request to the server. Successful exploitation could allow the attacker to obtain the password hashes of the account used to run the server service.
6.0 | E22-ec8l1 | CVE-2022-22965, CVSS, CVSSv3, CWE-94, URL, URL | Exploits | This strike exploits a remote code execution vulnerability in the Spring Framework. The vulnerability is due to inadequate validation of parameters used for data binding, allowing manipulation of the ClassLoader. A remote attacker could exploit this vulnerability by supplying a crafted parameter in an HTTP request. Successful exploitation could lead to ClassLoader manipulation, which may lead to execution of arbitrary code in the security context of the container hosting the target application. *NOTE: In one-arm mode, the strike attempts to create a webshell at webapps/ROOT/shell.jsp, which can then be used for remote code execution.
5.0 | E22-cn5i1 | CVE-2021-43798, CVSS, CVSSv3, CWE-22, URL | Exploits | This strike exploits a directory traversal vulnerability in Grafana. The vulnerability is due to improper sanitization of the plugin assets route. A remote, unauthenticated attacker could exploit the vulnerability by sending crafted HTTP requests to a target server. Successful exploitation can result in arbitrary file read in the context of the Grafana user.
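The strike descriptions above each name the primitive the exploit relies on: a reachable Lua library from Redis' script sandbox, a UNC path in a SQL statement, a request parameter that binds into Spring's ClassLoader, and a path that leaves the Grafana plugin directory. The following is an added example (not BreakingPoint or ATI code) of detection checks that key on those primitives, run over constructed sample traffic. The record format (a protocol tag plus the raw request text), the sample records, and the exact indicator lists are assumptions made for the demo; the checks match the public primitive behind each CVE rather than one specific payload, so they also fire on variants the strike itself does not send.

```python
"""Detection checks for the four new strikes, run over constructed sample traffic."""
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Lua functions the Debian/Ubuntu packaging left reachable from Redis' script sandbox.
LUA_ESCAPE = re.compile(r"\b(package\.loadlib|io\.popen|os\.execute|loadstring|dofile)\b")
# \\host\share : a UNC path embedded in a SQL statement.
UNC_PATH = re.compile(r"\\\\[^\\\s'\"]+\\[^\\\s'\"]+")
# Parameter names that reach the ClassLoader through Spring's data binder (case-insensitive
# on purpose: the binder's own matching is not the thing we want to depend on).
SPRING_BINDER = re.compile(r"^class\.(module\.)?classloader", re.IGNORECASE)
GRAFANA_PLUGINS = "/public/plugins/"


def check_redis(command: str):
    """CVE-2022-0543: an EVAL/EVALSHA script that calls into the unsandboxed Lua libraries."""
    m = re.match(r"\s*(EVAL|EVALSHA)\b(.*)", command, re.IGNORECASE | re.DOTALL)
    hit = LUA_ESCAPE.search(m.group(2)) if m else None
    if not hit:
        return None
    return f"CVE-2022-0543: Lua sandbox escape primitive {hit.group(0)!r} in {m.group(1).upper()}"


def check_mssql(query: str):
    """CVE-2016-7250: a UNC path in a query makes the service account authenticate outbound."""
    hit = UNC_PATH.search(query)
    return f"CVE-2016-7250: UNC path {hit.group(0)!r} in SQL query" if hit else None


def check_http(request_line: str, body: str = ""):
    """CVE-2022-22965 (ClassLoader binding) and CVE-2021-43798 (plugin asset traversal)."""
    _method, target, *_rest = request_line.split(" ", 2)
    parts = urlsplit(target)
    # Spring4Shell: the parameter may arrive in the query string or in a form-encoded body.
    params = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    for name, _value in params:
        if SPRING_BINDER.match(name):
            return f"CVE-2022-22965: ClassLoader manipulation via parameter {name!r}"
    # Grafana: decode twice to defeat %252e-style encoding, then normalise and require that
    # the resolved path is still inside the requested plugin's own directory.
    path = unquote(unquote(parts.path))
    if path.startswith(GRAFANA_PLUGINS):
        plugin = path[len(GRAFANA_PLUGINS):].split("/", 1)[0]
        resolved = posixpath.normpath(path)
        if not resolved.startswith(GRAFANA_PLUGINS + plugin + "/"):
            return f"CVE-2021-43798: plugin asset request resolves outside {plugin!r} to {resolved!r}"
    return None


def scan(records):
    """Run the matching check on each record; returns (index, finding) for every hit."""
    checks = {
        "redis": lambda r: check_redis(r["text"]),
        "mssql": lambda r: check_mssql(r["text"]),
        "http": lambda r: check_http(r["text"], r.get("body", "")),
    }
    findings = []
    for index, record in enumerate(records):
        finding = checks[record["proto"]](record)
        if finding:
            findings.append((index, finding))
    return findings


# Constructed sample traffic (not captured data): two benign records, then one per strike.
SAMPLE_RECORDS = [
    {"proto": "http", "text": "GET /public/plugins/alertlist/img/icon.svg HTTP/1.1"},
    {"proto": "redis", "text": 'EVAL "return redis.call(\'GET\', KEYS[1])" 1 user:42'},
    {"proto": "redis", "text": 'EVAL "local lib = package.loadlib(\\"liblua5.1.so.0\\", \\"luaopen_io\\")" 0'},
    {"proto": "mssql", "text": "EXEC master..xp_dirtree '\\\\10.0.0.5\\share'"},
    {"proto": "http", "text": "POST /api/user HTTP/1.1",
     "body": "class.module.classLoader.resources.context.parent.pipeline.first.pattern=x"},
    {"proto": "http", "text": "GET /public/plugins/alertlist/..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_RECORDS):
        print(f"record {index}: {finding}")
```

The Grafana check deliberately normalises the decoded path instead of grepping for "../": an attacker can encode the dots, the slashes, or both, and the strike's own payload is only one of those spellings. Likewise the Redis rule lists several library entry points rather than the one a given proof of concept happens to call.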

Enhancements

Component | Info
Apps | Added two new parameters for DNS over HTTPS actions, "Custom HTTP Header" and "Custom HTTP Header Value", which add a custom HTTP header to the GET/POST request if it is not already present. If the header already exists, the given value overrides the existing one; the header-name comparison for an override is case-insensitive.
Security | Malware and FileTransfer strikes using HTTP:POST are now sent as multipart/form-data (the more modern approach). The previous encoding can be restored with the "Global::RevertMalwarePOST" evasion option.
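Both enhancements change what a device under test sees on the wire, so it helps to see the exact bytes. The following is an added example, not BreakingPoint code, covering the two rows above: the case-insensitive add-or-override semantics of the DoH custom header, applied to a DoH GET request whose "dns" parameter follows RFC 8484 (base64url, no padding, transaction ID 0), and a multipart/form-data POST body (RFC 7578) carrying one file together with the parser a content-inspection engine needs in order to recover that file. The function names, the header storage as a list of (name, value) pairs, the choice to keep the existing header's spelling when overriding, and the sample file bytes are assumptions made for the demo.

```python
"""DoH custom-header semantics and multipart/form-data bodies, as an added example."""
import base64
import secrets
import struct
from email import policy
from email.parser import BytesParser


def apply_custom_header(headers, name, value):
    """Add `name: value`, or override an existing header whose name matches
    case-insensitively. The existing header keeps its original spelling
    (an assumption of this example), so 'accept' overrides 'Accept' in place."""
    if not name:
        return list(headers)
    out, replaced = [], False
    for existing_name, existing_value in headers:
        if existing_name.lower() == name.lower():
            out.append((existing_name, value))
            replaced = True
        else:
            out.append((existing_name, existing_value))
    if not replaced:
        out.append((name, value))
    return out


def dns_query(qname, qtype=1, txid=0):
    """Minimal DNS wire-format query (RFC 1035): RD set, one question, no records.
    RFC 8484 uses ID 0 for DoH GETs so identical questions yield cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_dns_param(qname):
    """base64url of the query without '=' padding, as RFC 8484 requires for the dns parameter."""
    return base64.urlsafe_b64encode(dns_query(qname)).rstrip(b"=").decode("ascii")


def doh_get_request(host, path, qname, custom_header=None, custom_value=None):
    """Serialise a DoH GET request with the custom-header rule applied."""
    headers = [("Host", host), ("Accept", "application/dns-message")]
    if custom_header is not None:
        headers = apply_custom_header(headers, custom_header, custom_value)
    lines = [f"GET {path}?dns={doh_dns_param(qname)} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n"


def multipart_post(field, filename, payload, boundary=None):
    """Build (Content-Type, body) for a multipart/form-data POST carrying one file part."""
    boundary = boundary or secrets.token_hex(16)
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: application/octet-stream\r\n\r\n").encode("ascii")
    return f"multipart/form-data; boundary={boundary}", head + payload + f"\r\n--{boundary}--\r\n".encode("ascii")


def extract_file_parts(content_type, body):
    """Parse a multipart body back into (filename, payload bytes) pairs: the view an
    inspection engine needs, since the raw POST bytes no longer equal the file."""
    msg = BytesParser(policy=policy.default).parsebytes(
        b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_parts() if part.get_filename()]


if __name__ == "__main__":
    print(doh_get_request("dns.example", "/dns-query", "www.example.com",
                          "accept", "application/dns-json").decode())
    # Constructed sample file: an MZ header followed by zero padding, not a real installer.
    ctype, body = multipart_post("file", "sample.msi", b"MZ" + bytes(62))
    print(extract_file_parts(ctype, body))
```

The override keeps the request to a single Accept header, which is what a DoH resolver expects; an implementation that appended a second, differently cased Accept would send an ambiguous request. On the multipart side, note that the CRLF preceding the closing boundary belongs to the delimiter, not to the file, so a parser that keeps it will hash the wrong bytes and miss a signature that matched the old raw-body POST.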