ATI – 2023 Year in Review

The Application and Threat Intelligence (ATI) team at Keysight strives to create application and security content that reflects both the realism of the modern internet and extreme versions of it, used to test systems under supercritical conditions. ATI released more security and application content in 2023 than in previous years while also increasing the quality or complexity of that content.

Content by the Numbers

The unique Strike count is up year-over-year, and new evasions were released as well; this was achieved through a continued focus on detailed research combined with leveraging the existing strike framework.

Application, protocol and web application releases are trending towards more realistic and performant versions, while the overall breadth of supported applications also increases.

Figure 1. ATI Yearly Content chart

Daily Malware aims to deliver 100+ fresh malware binary samples that are less than 24 hours old, while also providing a cross-section of operating systems and host types. Monthly Malware is a more curated take on the most important samples of the last month; additional samples (“Polymorphic”) are then created by ATI to provide never-before-seen hash values. Android support is new for 2023.

Figure 2. ATI Yearly Malware Chart

Highlights

All ATI content is of exceptional quality, but some protocols or vulnerabilities are either innately more complex, or their execution is worth noting.

Strike Highlights

CVE-2021-21974 - VMware ESXi OpenSLP Heap Overflow

CVE-2023-23397 - Microsoft Outlook PidLidReminderFileParameter Credential Leak

CVE-2023-46604 - Apache ActiveMQ Openwire Insecure Deserialization

CVE-2023-44487 - HTTP/2 Rapid Reset DoS

CVE-2023-22515 - Atlassian Confluence Data Center and Server Setup Action Privilege Escalation

CVE-2023-27350 - PaperCut MF and NG SetupCompleted formSubmit Authentication Bypass

CVE-2023-0669 - Fortra GoAnywhere MFT LicenseResponseServlet Insecure Deserialization

CVE-2023-36884 - Storm-0978 Phishing Campaign Aug 2023 - Microsoft Office OLE Zero Day

CVE-2022-41082 - Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2022-41040 - Microsoft Exchange Server Server-Side Request Forgery Vulnerability

New Evasion - HTTP/2 as a transport for FileTransfer strikes in the security component

Application Highlights

HAR Simulation – While this is not a network-based protocol, it is worth mentioning. This ...

Microsoft Enterprise Office 365 “cluster” - 21 of the 29 applications in the Enterprise suite.

Artificial Intelligence Applications “cluster” - The 10 most popular AI applications are supported and will continue to grow.

Top 50 Internet Websites, Similar Web – 46 of the top 50 internet websites (as ranked by Similar Web) are currently supported. The remainder are regional and can be customer-created using the HAR Simulator feature.

Applications

Kafka - The Kafka protocol is a high-throughput, distributed messaging protocol designed for building real-time data pipelines and streaming applications.

GLBP - Gateway Load Balancing Protocol enables automatic selection and load balancing among multiple available gateways in a network, providing both high availability and efficient resource utilization.

5G A1 - The A1 interface is an HTTP-based control-plane protocol used in O-RAN for communication between the Near-RT RIC and Non-RT RIC entities.

ODoH - Oblivious DNS over HTTPS is a new protocol designed by Cloudflare to improve the security of existing DNS over HTTPS by introducing a proxy between the client and the target (resolver).

DoIP - Diagnostics over Internet Protocol (DoIP) is a communication protocol that enables remote diagnostics of automobiles and other industrial/vehicular systems. It facilitates the transmission of protocol messages from Electronic Control Units (ECUs), such as Unified Diagnostic Services (UDS), over IP.

WireGuard - This flow emulates the WireGuard protocol, a free and open-source suite for efficiently implementing encrypted virtual private networks (VPNs), designed with the goals of ease of use, high performance, and a low attack surface. The protocol uses UDP as its transport layer and can be used as an alternative to other VPN protocols such as OpenVPN and IPsec.

Google Drive File Upload - Google Drive is a cloud-based file storage and synchronization service. This flow simulates the scenario where a user uploads a file to Google Drive using a web browser, as of Sep 2023.

X (formerly Twitter) Oct 2023 - x.com (formerly known as Twitter) is an American microblogging and social networking service on which users post and interact with messages known as tweets. This website allows registered users to sign in, browse their timeline, post tweets and follow other user accounts.

iPhone Persistent System Oct 2023 - This simulates the TLS traffic generated by the common background services of an Apple iPhone running the iOS 16 operating system.

Android Persistent System Oct 2023 - This simulates the TLS traffic generated by the common background services of a Samsung Galaxy S22 running the Android 13 operating system, including AT&T IMS.

Blogs

The team posted 17 articles on original research, product development, and product usage.

KRPC Protocol: The Language of Torrent Peers

A Quick Look into ChatGPT's Network Traffic

Remote Code Execution with ESXi - CVE-2021-21974 VMware ESXi Heap Overflow

Promiscuous Permissions: Catching Your Android Apps in the Act

Network Traffic Analysis of Google Bard

DoIP: How We Talk to (the Internet of) Things

The Emergence of Google Ad Malware: Understanding the Threat

Meeting Mayhem: Understanding the Outlook Appointment Vulnerability

CVE-2023-2249: Wordpress Wpforo Plugin Root Cause Analysis

GravityRAT Analysis: Into the Malware Targeting Android

Vulnerability Prioritization from the Perspective of a Test Vendor

CVE-2023-2986: WordPress Plugin Vuln

ATI coverage for the CISA alert on 2022 Top Routinely Exploited Vulnerabilities

HTTP/2 Transport Protocol is now available in BreakingPoint Security Component

Is Your DDoS Mitigation Ready for 398 Million Requests Per Second?

Storm-0978 Campaign Analysis

Utilizing HAR Files in Network Testing

Moving Forward

There are practices in place to determine and choose what content goes into each release. However, customer requests weigh significantly in this decision; if you have a request for content or features, please reach out to your Keysight contact to escalate it.

ATI in BreakingPoint

Keysight's Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls' ability to detect or block such attacks.
