2018 ATI Network Test: A Year in Review
The Ixia Application and Threat Intelligence (ATI) Research Center team continued to keep Ixia products up to date with the ever-evolving connected world. From advancing network traffic generation tools to tracking malicious activities, the ATI team continues to enable and secure the connected planet. While modest at heart, we realize that the cyber universe is better and safer due to our work here in the ATI Research Center. It’s easier said than done, so in this blog, we want to highlight our contributions to customers who used the Ixia Network Test products in 2018.
It all starts with the technologies that allow people and businesses to operate in today's connected world. It doesn't matter where you are located; what matters is that your network performs reliably and securely, and that you have the visibility needed to keep it that way. The products that switch, route, cache, distribute, store, and secure your networked business can only be truly tested and evaluated with the real-world content that is generated by the ATI Research Center.
We are always on the lookout, researching the most relevant application protocols to add to our suite. Internet of things (IoT) and automotive are emerging technologies, and we can see MTConnect and MQTT Over WebSocket being used more and more. Digital currency mining continued its trend in 2018, STRATUM being one of the relevant mining protocols. As more enterprises move their business operations into the cloud, hosted unified communication (UC) platforms are becoming the go-to standard. The Office365 suite of applications is one of the most relevant examples, together with its integrated Skype messaging platform. Social media continued to see a rise in global usage. While we already cover most of the social media applications in our monthly Evergreen packages, we also added Instagram, Tumblr, and Reddit in 2018.
As network infrastructure and network devices became more complex over the years, more devices became protocol- and application-aware. Support for proxy devices is relevant today, and you can now find it in our 11 proxy-enabled application mixes (AppMixes). This allows customers to test proxy-enabled devices easily, with minimal test configuration.
As companies move their business operations to the cloud, security is an important aspect of that move to consider. According to Gartner, “By 2022, 60% of large enterprises will use a CASB [Cloud Access Security Broker] to govern some cloud services, up from less than 20% today”. A CASB is used in front of software as a service (SaaS) applications and can be combined with LDAP and a reverse proxy. This functionality is now fully supported in our product.
As HTTPS has become the de facto standard for web applications, application-aware devices use the TLS Server Name Indication (SNI) and the certificate common name (CN) to identify application flows. This is why it is important that Ixia's application Super Flows use up-to-date SNI values. This year we took the time to review and update all our Super Flows with meaningful, up-to-date SNI values.
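To make concrete what "identifying application flows by SNI" means for a device under test, here is a small added example (our own illustration for this post, not code from any Ixia product): it builds a constructed TLS 1.2 ClientHello carrying a server_name extension, extracts the host name from it with every read bounds-checked, and maps that name to an application label by longest-suffix match. The cipher suite in the sample hello is TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c); the label table and host names are assumptions for the example.

```python
import struct

SNI_EXT = 0x0000          # extension type for server_name (RFC 6066)


def build_client_hello(server_name=None, tls_version=b"\x03\x03"):
    """Build a minimal TLS ClientHello record. Constructed sample input, not
    captured traffic: zeroed random, one cipher suite, two extensions."""
    # An unrelated extension (supported_groups: x25519) goes first, so the
    # parser has to skip it correctly before it reaches server_name.
    exts = struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x1d"
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    body = (
        tls_version
        + bytes(32)                                   # client random
        + b"\x00"                                     # empty session id
        + struct.pack("!H", 2) + b"\x00\x9c"          # TLS_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16" + tls_version + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension of a TLS
    ClientHello record, or None if the record is not a ClientHello, is
    truncated, or carries no SNI. Every read is bounds-checked so that a
    malformed record returns None instead of raising."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT or len(edata) < 2:
            continue
        list_end = min(2 + struct.unpack("!H", edata[:2])[0], len(edata))
        p = 2
        while p + 3 <= list_end:
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("idna")
                except UnicodeError:
                    return None
            p += 3 + nlen
    return None


# Constructed label table for the example; a real device carries thousands of entries.
APP_TABLE = {"example.com": "example-web", "login.example.com": "example-sso"}


def classify_by_sni(sni, suffix_table):
    """Map an SNI host name to an application label by longest suffix match,
    so the more specific entry (login.example.com) wins over its parent."""
    if sni is None:
        return "unknown"
    best = None
    for suffix, label in suffix_table.items():
        if sni == suffix or sni.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, label)
    return best[1] if best else "unknown"


if __name__ == "__main__":
    hello = build_client_hello("login.example.com")
    print(classify_by_sni(extract_sni(hello), APP_TABLE))
```

The point for a test tool is the second half: if the simulated Super Flow sends a stale or empty SNI, the classifier falls through to "unknown" and the device under test exercises a different policy path than it would with live traffic.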
While TLS 1.3 is still in its early phase, TLS 1.2 is the most common encryption protocol for HTTPS applications. We created a dozen new Super Flows with TLS 1.2 support that use the RSA-AES128-GCM-SHA256 cipher and 2048-bit certificates to encrypt traffic. An interesting overview of the state of TLS can be found here: The current state of TLS.
The most important part of our application simulation is that traffic looks as real in the lab as it does in real life. Therefore, we strive to deliver real-life application profiles for our customers. For this purpose, new, modern AppMixes have been released over the course of the year, such as Keysight Enterprise Datacenter, a profile of modern, realistic data center traffic, and Social Media Bandwidth and Cloud Applications, realistic representations of the top applications in their respective categories.
An interesting use case is the transmission reliability of UDP-based application protocols. As we know, UDP itself provides no retry mechanism to achieve transmission reliability. However, many UDP-based protocols like NTP, NFS, and SNMP provide implementation-specific retry mechanisms. To help our customers better optimize the performance of such applications, we have added new Super Flows simulating them. A more thorough description of this functionality can be found here: Optimizing Retries in UDP-Based Applications.
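The retry behaviour such Super Flows simulate is easy to state but worth seeing as code, so here is an added example of the client side (our own illustration, not the Super Flow implementation or any real NTP/SNMP client): one request is sent, the client waits for a reply with a timeout that grows geometrically on each attempt, and it gives up after a fixed number of sends. The transport is injected, so the same logic runs over a real UDP socket or over the constructed lossy link used below to exercise the drop cases offline. Host, port, payload and the timing constants are assumptions.

```python
import socket
import time


class RetryExhausted(Exception):
    """Raised when no reply arrived within the allowed number of attempts."""


def request_with_retries(send, recv, payload, max_attempts=3,
                         base_timeout=1.0, backoff=2.0):
    """Send one datagram and wait for its reply, resending on timeout.

    send(payload) transmits one datagram; recv(timeout) returns the reply
    bytes, or None when nothing arrived within `timeout` seconds. The wait
    grows geometrically (base_timeout * backoff ** (attempt - 1)), the shape
    most NTP/SNMP clients use. Returns (reply, attempts_used, timeouts_used).
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be >= 1")
    timeouts = []
    timeout = base_timeout
    for attempt in range(1, max_attempts + 1):
        send(payload)
        timeouts.append(timeout)
        reply = recv(timeout)
        if reply is not None:
            return reply, attempt, timeouts
        timeout *= backoff
    raise RetryExhausted(f"no reply after {max_attempts} attempts")


def udp_transport(host, port):
    """Real transport: send/recv closures over one UDP socket (hypothetical
    helper for live use; the offline demo below uses LossyEcho instead)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(data):
        sock.sendto(data, (host, port))

    def recv(timeout):
        sock.settimeout(timeout)
        try:
            data, _ = sock.recvfrom(65535)
            return data
        except socket.timeout:
            return None

    return send, recv


class LossyEcho:
    """Constructed fake transport: drops the first `drop` datagrams, then
    echoes the request back, so the retry logic can be exercised offline."""

    def __init__(self, drop):
        self.drop = drop
        self.sent = []
        self.pending = None

    def send(self, data):
        self.sent.append(data)
        self.pending = b"reply:" + data if len(self.sent) > self.drop else None

    def recv(self, timeout):
        reply, self.pending = self.pending, None
        return reply


def outcome(drop, max_attempts):
    """Run one request over a link that drops the first `drop` datagrams.
    Returns (attempts_used or None on failure, datagrams actually sent)."""
    link = LossyEcho(drop=drop)
    try:
        _, attempts, _ = request_with_retries(link.send, link.recv, b"q",
                                              max_attempts, base_timeout=0.1)
        return attempts, len(link.sent)
    except RetryExhausted:
        return None, len(link.sent)


def demo():
    """Two drops, three attempts: the third send gets through."""
    link = LossyEcho(drop=2)
    return request_with_retries(link.send, link.recv, b"ntp-request",
                                max_attempts=3, base_timeout=0.5)


if __name__ == "__main__":
    print(demo())          # (b'reply:ntp-request', 3, [0.5, 1.0, 2.0])
```

The numbers that matter when tuning such an application are exactly the two the function reports: how many datagrams hit the wire and how long the client waited before giving up. With `max_attempts=3` and the defaults above, a dead server costs 1 + 2 + 4 = 7 seconds and three datagrams per request.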
Keeping track of the latest and greatest threats in the wild is one of our main concerns here at the ATI Research Center. In that respect, we have added more content than ever before (70% more strikes and malware than the previous year).
In addition to our regular strike and malware updates, in 2018 we launched a brand-new service, bringing daily malware to our customers. This service provides all ATI subscribers with fresh, curated malware samples each day, by family, platform, and category. The ever-changing nature of malware attacks makes time your enemy when trying to keep up with them. Therefore, it is extremely important to have access to fresh malware samples all the time. For this purpose, we have partnered with ReversingLabs to accelerate and broaden the threat intelligence coverage that we deliver to our customers. To support the requirements of the daily update service, we implemented a brand-new Cloud Update Service that is now also being used by all the other ATI updates. More details about this new service can be found in this blog.
Looking back at the strikes of 2018, we tried to implement the most relevant and visible attacks. We researched and implemented so many interesting attacks over the course of the year that selecting the most interesting ones to outline here was a difficult job.
Huawei HG532 Router Command Execution Vulnerability (CVE-2017-17215). We caught this attack in our ATI infrastructure at the beginning of the year, being exploited by a Mirai variant known as Satori. The impact of such vulnerabilities targeting home users is always potentially very destructive.
Adobe Reader Heap Overflow Vulnerability (CVE-2018-4990). Surely another Adobe Reader vulnerability is no big news, but what was interesting about the sample that the ATI team obtained and analyzed was that it contained 2 previously unknown zero-days.
Spectre and Meltdown (CVE-2017-5753 & CVE-2017-5754). These two vulnerabilities are probably the most widely covered security incident in the news in 2018. The two Intel CPU flaws attracted a lot of mainstream attention and have far-reaching implications for cloud deployments in the coming years. The fact that such deep vulnerabilities can exist unexposed in the architecture of the most used CPU in the world for such a long period of time shows why you can never assume 100% breach safety, no matter what.
Pivotal Spring Framework Spring-Messaging Module STOMP Remote Code Execution (CVE-2018-1270). This strike exploits a remote command injection vulnerability in the Pivotal Spring Web framework. The vulnerability exists due to insufficient validation of user-supplied input to a STOMP broker in the spring-messaging module. It can be exploited by sending a specially crafted request to a STOMP broker, allowing arbitrary command execution in the context of the running service. The interesting thing about this strike is that when running in one-arm mode, the strike will start a process on the remote vulnerable server, depending on the variant chosen.
Microsoft Windows Task Scheduler Local Privilege Escalation (CVE-2018-8440). This strike exploits a privilege escalation flaw in the Microsoft Windows Task Scheduler ALPC endpoint. The vulnerability exists because the Task Scheduler's ALPC endpoint doesn't impersonate the user that initiates the calls. This allows a low-privilege user to change the access control list of an arbitrary file using the endpoint's "SchRpcSetSecurity" method. Successful exploitation may lead from arbitrary file read/writes to code execution with SYSTEM privileges.
TCP Segment Smack (CVE-2018-5390) and IP Fragment Smack (CVE-2018-5391). These strikes exploit vulnerabilities in the TCP/IP stack of the Linux kernel. Since so many of the world's servers run Linux, a successful exploitation that can exhaust a target server's resources and lead to denial of service can potentially cause major issues in well-known services on the Internet.
ROBOT Attack Vulnerable Handshake and Scanner Simulation. This attack simulation is a slight variation of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server. Vulnerable hosts are subject to an attacker being able to record and later decrypt the traffic.
Apache Struts RCE (CVE-2018-11776). This is the Equifax breach remix. Of course, you must have heard of the Equifax breach that exposed sensitive data of 143 million people. This highly visible breach was caused by the exploitation of Apache Struts. This vulnerability is similar, in terms of exploitation conditions, to the vulnerability that was at the root of the Equifax breach.
Drupalgeddon2 (CVE-2018-7600). This is another weapon for the attackers targeting one of the most used content management systems, Drupal. This vulnerability made over 1 million websites vulnerable to remote code execution. It was exposed after the incomplete fix of the original Drupalgeddon vulnerability.
PowerShell Empire Command and Control (C&C) Exploit. This is an Empire Python launcher backdoor. The Empire framework is a post-exploitation agent. The ATI team captured PowerShell launcher malware generated by Empire in the wild. After decoding the obfuscated scripts, we were able to analyze the HTTP protocol used to communicate with the C&C server.
DDoS Memcached Reflection Flood. This is a new type of reflection attack that abuses the protocol implementation of Memcached, which is used by Google, Facebook, Twitter, and many other major websites, giving it a global impact. We have implemented a Super Flow that can be used to simulate this high-scale DDoS attack, which hit companies like Cloudflare, China Telecom and Arbor Networks last year. This way, our customers can check their defenses against such attacks.
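Checking defenses against this attack is mostly a matter of spotting two things in flow data, so here is an added example (our own illustration for this post, not code from the Super Flow or any Ixia product) that runs both checks over constructed, NetFlow-like records: on the victim side, a destination receiving a large volume of UDP from source port 11211 out of all proportion to what it sent there (the spoofed requests never pass the victim's edge, so the ratio is effectively infinite); on the operator side, an internal Memcached host answering UDP to the Internet, which is the condition that makes it usable as a reflector and the thing to fix. Addresses are from the documentation ranges, and the internal network list, thresholds and byte counts are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MEMCACHED_PORT = 11211

# Constructed: what "our" address space looks like for the exposure check.
# (Documentation ranges are used for the public side, so ip_address.is_private
# cannot be used here; an explicit list of internal networks is the honest way.)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    """One summarised flow record (constructed, NetFlow-like)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    packets: int


# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = [
    # Two public memcached servers flooding one victim with large UDP replies.
    Flow("198.51.100.5", MEMCACHED_PORT, "203.0.113.10", 80, "udp", 1_400_000, 1000),
    Flow("198.51.100.6", MEMCACHED_PORT, "203.0.113.10", 80, "udp", 900_000, 700),
    # The victim itself sent almost nothing to port 11211 (the requests were spoofed).
    Flow("203.0.113.10", 40000, "198.51.100.5", MEMCACHED_PORT, "udp", 15, 1),
    # Legitimate internal TCP memcached use: never flagged.
    Flow("10.0.0.4", 50000, "10.0.0.9", MEMCACHED_PORT, "tcp", 5_000, 20),
    Flow("10.0.0.9", MEMCACHED_PORT, "10.0.0.4", 50000, "tcp", 60_000, 50),
    # Our own memcached host answering UDP to the Internet: a reflector in the making.
    Flow("10.0.0.9", MEMCACHED_PORT, "198.51.100.77", 5000, "udp", 200_000, 150),
]


def detect_memcached_reflection(flows, min_bytes=1_000_000, min_ratio=50.0):
    """Flag destinations that receive a large volume of UDP from source port
    11211 out of proportion to what they sent to that port. The `min_bytes`
    floor keeps a single large, legitimate reply from alerting."""
    sent = defaultdict(int)        # host -> bytes it sent to udp/11211
    received = defaultdict(int)    # host -> bytes it received from udp/11211
    reflectors = defaultdict(set)  # host -> distinct sources on udp/11211
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == MEMCACHED_PORT:
            sent[f.src] += f.nbytes
        elif f.sport == MEMCACHED_PORT:
            received[f.dst] += f.nbytes
            reflectors[f.dst].add(f.src)
    alerts = []
    for victim, rbytes in received.items():
        if rbytes < min_bytes:
            continue
        sbytes = sent.get(victim, 0)
        ratio = rbytes / sbytes if sbytes else float("inf")
        if ratio >= min_ratio:
            alerts.append({"victim": victim, "bytes": rbytes,
                           "reflectors": len(reflectors[victim]),
                           "amplification": ratio})
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def find_exposed_memcached(flows):
    """Return internal hosts that answer UDP on port 11211 to external
    addresses. The fix is to disable UDP in memcached (or bind it to
    localhost) and filter udp/11211 at the network edge."""
    return {f.src for f in flows
            if f.proto == "udp" and f.sport == MEMCACHED_PORT
            and is_internal(f.src) and not is_internal(f.dst)}


if __name__ == "__main__":
    for alert in detect_memcached_reflection(SAMPLE_FLOWS):
        print("reflection victim:", alert)
    print("exposed memcached hosts:", find_exposed_memcached(SAMPLE_FLOWS))
```

Run against the records a Super Flow like the one described above produces on a lab segment, the first function should fire on the simulated victim and the second should stay empty; if the second one fires in production, the amplification has nothing to do with your defenses and everything to do with your own servers.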
STAY AHEAD OF DANGER with Application and Threat Intelligence Subscription (Your subscription for security)
Using advanced surveillance techniques and methodologies, Ixia’s dedicated team of application and security researchers identify, capture, and provide ongoing updates to your ATI subscription service. From our proprietary research, the ATI team aggregates newly discovered attacks and malware, providing application insight that includes protocols, security attacks, and product enhancements on over 400 applications tracked by ATI. Additionally, we provide intelligence to simulate realistic conditions and relevant attacks for a large database of exploits, including simulation of over 100 evasion techniques.