ATI Update ATI-2023-04

New Protocols & Applications (4)

Name | Category | Info
DoIP | Testing and Measurement | Diagnostics over Internet Protocol (DoIP) is a communication protocol that enables remote diagnostics of automobiles and other industrial/vehicular systems. It carries diagnostic protocol messages exchanged with Electronic Control Units (ECUs), such as Unified Diagnostic Services (UDS), over IP.
P-GW Pilot Packet | Testing and Measurement | The Pilot Packet feature is used in the LTE/5G core to share key information about a subscriber session, such as the subscriber identity and subscriber IP address, with an external element. When an IP address is allocated or deallocated for the subscriber on an event trigger, a "pilot" packet is generated. This information enables new services such as Subscriber Analytics; the packet is sent over UDP transport.
QuillBot Feb 2023 | Chat/IM | QuillBot is a text editing and paraphrasing tool.
Steam Client Feb 2023 | Games | Steam is a video game digital distribution service.

New Superflows (22)

Name | Category | Tags | Info
Bandwidth HAR Replay HTTP/2 over TLS1.2 | Testing and Measurement | HARSimulation, HTTP/2 | Simulates a HAR produced by randomly crawling a Wikipedia page (about the HAR file format) as of May 2022. There are 3 HTTP hosts and about 150 HTTP transactions (excluding browser cache retrievals), which are replayed in HTTP/2 over TLS1.2.
Bandwidth HAR Replay HTTP/2 over TLS1.3 | Testing and Measurement | HARSimulation, HTTP/2 | Simulates a HAR produced by randomly crawling a Wikipedia page (about the HAR file format) as of May 2022. There are 3 HTTP hosts and about 150 HTTP transactions (excluding browser cache retrievals), which are replayed in HTTP/2 over TLS1.3.
ChatGPT HAR Replay HTTP/2 over TLS1.2 | Social Networking/Search | Productivity, AI, HARSimulation, HTTP/2 | ChatGPT is a chatbot launched by OpenAI in November 2022. This superflow simulates the HAR collected from the ChatGPT web application as of February 2023, including user actions such as login, chatting with the ChatGPT bot and logout. All HTTP transactions are replayed in HTTP/2 over TLS1.2.
ChatGPT HAR Replay HTTP/2 over TLS1.3 | Social Networking/Search | Productivity, AI, HARSimulation, HTTP/2 | ChatGPT is a chatbot launched by OpenAI in November 2022. This superflow simulates the HAR collected from the ChatGPT web application as of February 2023, including user actions such as login, chatting with the ChatGPT bot and logout. All HTTP transactions are replayed in HTTP/2 over TLS1.3.
DoIP | Testing and Measurement | IoT, ICS, SCADA | Simulates a basic use of Unified Diagnostic Services (UDS) over Diagnostics over Internet Protocol (DoIP) as of February 2023, in which the client (the tester) and the Electronic Control Unit (ECU) establish a connection via the DoIP gateway before transferring data.
DoIP Bandwidth | Testing and Measurement | IoT, ICS, SCADA | Simulates a basic use of Unified Diagnostic Services (UDS) over Diagnostics over Internet Protocol (DoIP) as of February 2023, in which the client (the tester) and the Electronic Control Unit (ECU) transfer data via the DoIP gateway.
P-GW Pilot Packet | Testing and Measurement | Testing and Measurement | Simulates the scenario in which a single P-GW pilot packet is generated containing subscriber information such as MSISDN, IMSI and IPv4 address.
QuillBot Feb 2023 | Chat/IM | AI, Productivity, Web, SimulatedTLS | QuillBot is a text editing and paraphrasing tool. This simulates the scenario in which a user opens the QuillBot website, paraphrases some text and uses the grammar checker tool.
Steam Client Feb 2023 | Games | Cloud, Streaming, SimulatedTLS | Steam is a video game digital distribution service. This simulates the scenario in which a user opens the Steam client, visits the store, opens a game and finally adds it to the cart.
Bandwidth HTTP h-- | Testing and Measurement | PacMix | This is a high average-packet-size version of the BreakingPoint Bandwidth HTTP superflow. In this Super Flow the client performs a single GET request for a video file. [RFC 1035] [RFC 1945] The size of the response data has been increased.
Bandwidth HTTP l-- | Testing and Measurement | PacMix | This is a low average-packet-size version of the BreakingPoint Bandwidth HTTP superflow. In this Super Flow the client performs a single GET request for a video file. [RFC 1035] [RFC 1945] The size of the response data has been decreased.
FTP h-- | Data Transfer/File Sharing | PacMix | This is a high average-packet-size version of the BreakingPoint FTP superflow. It simulates FTP in extended passive mode. Once the user is presented with the server's welcome banner, they enter a username and password. After logging in, the client enters EPSV mode and gets a directory listing. After listing the data in the directory, it exits and re-enters EPSV mode, this time to RETR data from the server. The server sends the data and the client then proceeds to STOR its own data on the server. [RFC 959] It also works through a proxy but does not support any out-of-band messages. The size of the attached data to be sent has been increased.
FTP l-- | Data Transfer/File Sharing | PacMix | This is a low average-packet-size version of the BreakingPoint FTP superflow. It simulates FTP in extended passive mode. Once the user is presented with the server's welcome banner, they enter a username and password. After logging in, the client enters EPSV mode and gets a directory listing. After listing the data in the directory, it exits and re-enters EPSV mode, this time to RETR data from the server. The server sends the data and the client then proceeds to STOR its own data on the server. [RFC 959] It also works through a proxy but does not support any out-of-band messages. The size of the data to be sent has been decreased.
Netflow V9 h-- | System/Network Admin | PacMix | This is a high average-packet-size version of the BreakingPoint Netflow V9 superflow. It simulates a Netflow V9 session in which a report is sent to the Netflow server.
Netflow V9 l-- | System/Network Admin | PacMix | This is a low average-packet-size version of the BreakingPoint Netflow V9 superflow. It simulates a Netflow V9 session in which a report is sent to the Netflow server. The number of records and packets to be sent has been modified.
Oracle Database h-- | Database | PacMix | This is a high average-packet-size version of the BreakingPoint Oracle Database superflow. This Super Flow simulates an Oracle Database session in which the user logs in to an Oracle server. [RFC 1035] The size of the column data has been increased.
Oracle Database l-- | Database | PacMix | This is a low average-packet-size version of the BreakingPoint Oracle Database superflow. This Super Flow simulates an Oracle Database session in which the user logs in to an Oracle server. [RFC 1035] The size of the column data has been decreased.
SMTP Email h-- | Email/WebMail | PacMix | This is a high average-packet-size version of the BreakingPoint SMTP Email superflow. It simulates an SMTP Email session in which the client connects to the server, tells it where to send the data, and then sends the message. [RFC 1035] [RFC 5321] The size of the attachment has been increased.
SMTP Email l-- | Email/WebMail | PacMix | This is a low average-packet-size version of the BreakingPoint SMTP Email superflow. It simulates an SMTP Email session in which the client connects to the server, tells it where to send the data, and then sends the message. [RFC 1035] [RFC 5321] The size of the attachment has been decreased.
Syslog Bandwidth | System/Network Admin | PacMix | This Super Flow simulates the Syslog protocol, which allows separation of the software that generates messages from the system that stores them and the software that reports on and analyzes them. The delay actions have been removed in this bandwidth version. [RFC 5424]
Syslog Bandwidth h-- | System/Network Admin | PacMix | This is a high average-packet-size version of the BreakingPoint Syslog Bandwidth superflow. It simulates the Syslog protocol, which allows separation of the software that generates messages from the system that stores them and the software that reports on and analyzes them. [RFC 5424] The size of the message content has been increased.
Syslog Bandwidth l-- | System/Network Admin | PacMix | This is a low average-packet-size version of the BreakingPoint Syslog Bandwidth superflow. It simulates the Syslog protocol, which allows separation of the software that generates messages from the system that stores them and the software that reports on and analyzes them. [RFC 5424] The size of the message content has been decreased.

New Application Profiles (1)

Name | Info
Basic Enterprise Template - PacMix | Includes examples of basic applications from the Keysight Enterprise Datacenter mix that are compatible with the PacMix average-packet-size control tool.

New Security Tests (1)

Name | Info
Google Ad for Fake Anydesk Campaign Feb 2023 | This strike list contains 4 strikes simulating the 'Google Ad for Fake Anydesk Campaign Feb 2023'.

1. The first strike simulates a malicious Google Ad that advertises an Anydesk download. It tries to trick the user into clicking a link to download what appears to be the Anydesk software, but instead redirects to a site hosting a malicious MSI download of TA505 malware.
2. The second strike simulates the download of the TA505 MSI malware via a TLS request. The retrieved file is an MSI installer titled AnydeskSetup to entice the victim to open it.
3. The third strike simulates the download of additional DLL files via a TLS request. After the MSI installer malware is executed, a DLL is downloaded that allows the TA505 malware to remain persistent by placing the malware in the same location but randomizing its name and some of its contents to change the hash. After this DLL is executed with rundll32, an additional DLL is downloaded.
4. The fourth strike simulates the TCP traffic that is generated after the malware is executed in the 'Google Ad for Fake Anydesk Campaign Feb 2023'. Once the executable is run, 2 follow-on DLLs are downloaded: one makes the malware persistent and the other is responsible for outbound traffic from the host machine. The C2 traffic is sent over TCP port 443 but is not encrypted, and appears to exfiltrate data such as the Windows version, computer name, current user, and the location and current name of the persistent malware sample, which is stored in C:/ProgramData/.

It contains the following sequence of strikes:
1) /strikes/phishing/ta505_anydesk_phishing_ad.xml
2) /strikes/malware/apt/ta505_anydesk_feb_2023_campaign/malware_c4e9e9a06001c6197de2ea2fec3d2214.xml
3) /strikes/botnets/apt/ta505_anydesk_feb_2023_campaign/ta505_anydesk_feb_2023_dll_retrieval.xml
4) /strikes/botnets/apt/ta505_anydesk_feb_2023_campaign/ta505_anydesk_feb_2023_campaign_command_control.xml

# | Strike ID | Name | Description
1 | P23-2ijv1 | Google Ad for Fake Anydesk Campaign Feb 2023 | This strike simulates a malicious Google Ad that advertises an Anydesk download. It tries to trick the user into clicking a link to download what appears to be the Anydesk software, but instead redirects to a site hosting a malicious MSI download of TA505 malware.
2 | C23-Madq1 | Google Ad for Fake Anydesk Campaign Feb 2023 - TA505 Malware File Download | This strike simulates the download of the TA505 MSI malware via a TLS request. The retrieved file is an MSI installer titled AnydeskSetup to entice the victim to open it.
3 | C23-Bb9z1 | Google Ad for Fake Anydesk Campaign Feb 2023 - TA505 DLL Downloads | This strike simulates the download of additional DLL files via a TLS request. After the MSI installer malware is executed, a DLL is downloaded that allows the TA505 malware to remain persistent by placing the malware in the same location but randomizing its name and some of its contents to change the hash. After this DLL is executed with rundll32, an additional DLL is downloaded.
4 | C23-Bd1h1 | Google Ad for Fake Anydesk Campaign Feb 2023 - Command and Control Traffic | This strike simulates the TCP traffic that is generated after the malware is executed in the 'Google Ad for Fake Anydesk Campaign Feb 2023'. Once the executable is run, 2 follow-on DLLs are downloaded: one makes the malware persistent and the other is responsible for outbound traffic from the host machine. The C2 traffic is sent over TCP port 443 and appears to exfiltrate data such as the Windows version, computer name, current user, and the location and current name of the persistent malware sample, which is stored in C:/ProgramData/.

New Strikes (7)

CVSS | ID | References | Category | Info
10.0 | E23-epcg1 | CVE-2022-39952, CVSS, CVSSv3, CWE-73, URL | Exploits | This strike exploits an externally controllable path vulnerability in FortiNAC. The vulnerability is due to the unauthenticated endpoint '/configWizard/keyUpload.jsp' accepting a zip file which, when unzipped, leads to files being written to an attacker-controlled path. An unauthenticated remote attacker can send an HTTP request containing a zip file that creates a new cron job on the server, ultimately leading to remote code execution as the root user.
10.0 | E23-1h3z1 | CVE-2022-4223, CVSS, CVSSv3, CWE-78, URL | Exploits | This strike exploits a remote code injection vulnerability in pgAdmin. The vulnerability is due to insufficient input validation of the utility_path parameter sent to the validate_binary_path endpoint. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the vulnerable endpoint. Successful exploitation would result in execution of arbitrary code in the security context of the service. *NOTE: When this strike is run in OneArm mode, a file /tmp/poc is created on the server.
9.0 | E23-ggxy1 | CVE-2023-22374, CVSS, CVSSv3, CWE-134, URL | Exploits | This strike exploits a format string vulnerability in the iControl SOAP endpoints of F5 BIG-IP and BIG-IQ. The vulnerability is due to improper handling of requests sent to the web interface. A remote, authenticated attacker can exploit the vulnerability by sending crafted requests to the target server. Successful exploitation could result in remote code execution within the service on the target server.
7.8 | E23-esob1 | CVE-2022-44267, CVSS, CVSSv3, CWE-404, URL | Exploits | This strike exploits a denial of service vulnerability in ImageMagick. The vulnerability is due to improper input validation of textual chunk types containing the "profile" keyword when parsing PNG files. A remote attacker could exploit this vulnerability by enticing the victim to open the crafted file with ImageMagick. Successful exploitation could result in denial of service.
7.8 | E23-esoc1 | CVE-2022-44268, CVSS, CVSSv3, CWE-200, URL | Exploits | This strike exploits an arbitrary file read vulnerability in ImageMagick. The vulnerability is due to improper input validation of textual chunk types containing the "profile" keyword when parsing PNG files. A remote attacker could exploit this vulnerability by enticing the victim to open the crafted file with ImageMagick. Successful exploitation could result in disclosure of file contents.
7.5 | E23-cgtf1 | CVE-2021-35587, CVSS, CVSSv3, CWE-502, URL | Exploits | This strike exploits an insecure deserialization vulnerability in Oracle Access Manager. The vulnerability is due to insufficient validation of requests sent to the OpenSSO Agent endpoint. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to a vulnerable server. Successful exploitation can result in arbitrary code execution under the security context of the affected server.
7.2 | E23-3ev81 | CVE-2017-13156, CVSS, CVSSv3, CWE-266, URL | Exploits | This strike exploits a DEX (Dalvik Executable) injection vulnerability in Android APK files signed with the V1 signature scheme. The vulnerability takes advantage of the loose verification in the V1 scheme and of DEX file parsing, which together make it possible for a file to be both a valid APK and a valid DEX file at the same time. An attacker can inject malicious DEX code into a legitimately V1-signed APK without breaking its signature; the result can be installed as an update to the legitimate app, so the malicious update APK gains the privileges of the legitimate APK. *NOTE: The strike creates a modified APK by prepending a random classes.dex file, which does not break its signature. One way of detecting the attack is to look for a DEX file prepended to a V1-signed Android APK.

Defects Resolved

Component | Info
Apps | Fixed the length calculation in the S7 Communication Write variable request packet. Added a new item to the JSON format of the "Write Var Configuration File"; the parameter description has been updated accordingly.
Apps | Improved app helper error reporting for path issues.
Security | The Variants meta was updated for strike E15-4x301.
Security | The reporting of FTP active transactions now shows the proper tuple information.

Enhancements

Component | Info
Apps | HTTP/2 support was added to the HTTP Archive Record (HAR) Simulation flow. Two new parameters, "HTTP Version" and "Max HTTP2 Concurrent Stream", were added under the "HTTP Archive Record (HAR) Simulation" flow. The action names "Replay HTTP1.1 / TLS1.2" and "Replay HTTP1.1 / TLS1.3" were changed to "Replay HTTP / TLS1.2" and "Replay HTTP / TLS1.3" respectively. The description of the "Maximum Hosts" parameter present under both the "Replay HTTP / TLS1.2" and "Replay HTTP / TLS1.3" actions was modified.
Apps | PacMix 2.0 ESH Module: this module has been updated to use the low/high average-packet-size versions of superflows (when available) to change the average packet size of a given app profile while maintaining the assigned weight per superflow. The commands remain the same as explained in the User Guide chapter.