ATI Update ATI-2022-13

New Protocols & Applications (2)

| Name | Category | Info |
| --- | --- | --- |
| Chess Jun 2022 | Games | Chess (or Chess.com) is an internet chess server where users can play chess against another user or an AI bot. |
| Udemy Jun22 | Voice/Video/Media | Udemy, Inc. is a for-profit massive open online course provider aimed at professional adults and students. The website allows users to sign in, search for and enroll in a course. |

New Superflows (5)

| Name | Category | Tags | Info |
| --- | --- | --- | --- |
| Chess Jun 2022 | Games | SimulatedTLS | Chess (or Chess.com) is an internet chess server where users can play chess against another user or an AI bot. |
| Udemy Jun22 | Voice/Video/Media | Education | Simulates the use of Udemy as of June 2022, where a user gets the sign-in page, signs into the Udemy website, browses the feed, searches for a course, then starts to watch a course before signing out. |
| Udemy Jun22 Browse | Voice/Video/Media | Education | Simulates the use of Udemy as of June 2022, where a user gets the sign-in page, signs into the Udemy website, browses the feed and signs out. |
| Udemy Jun22 Enroll and Start Course | Voice/Video/Media | Education | Simulates the use of Udemy as of June 2022, where a user gets the sign-in page, signs into the Udemy website, enrolls in a course and starts watching it before signing out. |
| Udemy Jun22 Search | Voice/Video/Media | Education | Simulates the use of Udemy as of June 2022, where a user gets the sign-in page, signs into the Udemy website, searches for a course and signs out. |

New Security Tests (1)

| Name | Info |
| --- | --- |
| Follina Turian Jun 2022 Campaign | Follina, also known as CVE-2022-30190, is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT). Attackers have been leveraging this vulnerability to execute PowerShell payloads in order to download additional malware such as Turian. |

This strikelist contains 3 strikes simulating the 'Follina Turian Jun 2022 Campaign'.

1. The first strike simulates the download of a Microsoft Word document. If the document is opened, an embedded OLE object makes a call to an external website to download an HTML document.
2. The second strike simulates the download of this HTML file. The HTML document takes advantage of a vulnerability in msdt.exe, also known as CVE-2022-30190 'Follina', together with several PowerShell commands, to retrieve the final payload.
3. The third strike simulates the download of the Turian malware. The final payload is the Turian malware, which, once executed, reaches out to a C2 server in order to provide the attacker with a host of malicious functionality.

It contains the following sequence of strikes:
1) /strikes/malware/apt/follina_turian_jun_2022_campaign/malware_06727ffda60359236a8029e0b3e8a0fd11c23313.xml
2) /strikes/malware/apt/follina_turian_jun_2022_campaign/malware_b11edf05b9f5bef2c98a46af5c8646fbf74e4a9f.xml
3) /strikes/malware/apt/follina_turian_jun_2022_campaign/malware_719bd19c3561031cb056c896869d0804f6988ad8.xml

| # | Strike ID | Name | Description |
| --- | --- | --- | --- |
| 1 | M22-Cebk1 | Follina Turian June 2022 Campaign - Doc File Transfer | This strike simulates the download of the initial Microsoft Word document via an HTTP GET request. |
| 2 | M22-Cebk3 | Follina Turian June 2022 Campaign - HTML File Transfer | This strike simulates the download of a malicious HTML file via an HTTP GET request. |
| 3 | M22-Cebk2 | Follina Turian June 2022 Campaign - Turian File Transfer | This strike simulates the download of the Turian malware via an HTTP GET request. |

New Strikes (6)

| CVSS | ID | References | Category | Info |
| --- | --- | --- | --- | --- |
| 10.0 | E22-ei2l1 | CVE-2022-30525, CVSS, CVSSv3, CWE-78, URL | Exploits | This strike exploits a command injection vulnerability in Zyxel Firewall. The vulnerability is due to improper input validation in the CGI component. A remote, unauthenticated attacker could exploit this by sending a maliciously crafted request to the CGI component. A successful attack may result in remote code execution in the security context of the nobody user. |
| 7.5 | E22-7og41 | CVE-2019-12196, CVSS, CVSSv3, CWE-89 | Exploits | This strike exploits an SQL injection vulnerability in Zoho ManageEngine NetFlow Analyzer. The vulnerability is caused by insufficient validation of the DeviceId parameter. Successful exploitation could allow an attacker to execute SQL queries on the target server. |
| 7.5 | E22-ec8s1 | CVE-2022-22972, CVSS, CVSSv3, CWE-287, URL, URL | Exploits | This strike exploits an authentication bypass vulnerability in VMware vRealize Automation. The vulnerability is due to an improper authentication logic implementation: if a different host address is provided in the request, VMware reaches out to that host to check whether authentication succeeded. A remote, unauthenticated attacker can send a crafted HTTP request with an attacker-controlled address in the Host field, which might lead to gaining administrator-level access. |
| 7.5 | E22-7sma1 | CVE-2019-17602, CVSS, CVSSv3, CWE-89 | Exploits | This strike exploits an SQL injection vulnerability in Zoho ManageEngine OpManager. The vulnerability is caused by insufficient validation of the category parameter. Successful exploitation could allow an attacker to execute SQL queries on the target server. |
| 7.5 | E22-eeom1 | CVE-2022-26134, CVSS, CVSSv3, CWE-74, URL | Exploits | This strike exploits an OGNL injection vulnerability in Confluence Server and Data Center. The vulnerability is due to improper validation of the URL of an HTTP request. A successful attack can result in arbitrary command execution in the context of the server process. |
| 5.0 | D22-ec1r1 | CVE-2022-22719, CVSS, CVSSv3, CWE-665, URL, URL | Denial | This strike exploits a denial of service vulnerability in Apache httpd. The vulnerability is due to the use of uninitialized memory when processing a request. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could crash the server, and repeated exploitation may lead to denial of service conditions. |

Enhancements

| Component | Info |
| --- | --- |
| Apps | Added a new parameter, "Maximum Transactions Per Connection", for HTTP replay actions. It limits the number of request/response transactions per session, configured from the UI. (** HAR Simulation flow requires BPS 9.22) |
| Apps | Fixed an "empty flows" error when max transactions is set too low in HAR Simulation flows. (** HAR Simulation flow requires BPS 9.22) |
| NewStrikeList | Added the new strikelist 'Deserialization Strikes', which includes strikes that use deserialization as their attack vector for exploitation. |
| NewStrikeList | Added new smart strikelists for CISA 2021: 'CISA 2021 Additional Routinely Exploited Vulnerabilities' and 'CISA 2021 Top Routinely Exploited Vulnerabilities'. |
| StrikeEvasion | Added a new evasion option which does not change the default but allows the FTP evasions to also work for s2c-based strikes. |