TOP MIDDLE EAST CYBER THREATS-26 APRIL 2018

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures for some of the largest enterprises in the region. As a result of this, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top three cyber security threats that our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Careem Data Breach Affects 14 million Users

This is one of the biggest data breaches in the region that has undoubtedly exposed the information of many users within the Middle East. Our CTO, Nicolai Solling, wrote a blog about the impact of this and provided recommendations on what users can do to protect themselves. You can click here to read more about that.

Operation Parliament Targeting the Middle East

As part of our security monitoring operations, we noticed operation parliament which is utilizing previously unknown malware. The attacks appear to be geopolitically motivated, targeting governmental departments and large private entities across the Middle East. The objective of the attacks is to gain access to top legislative, executive and judicial bodies around the world. The cybercriminals are targeting selected victims through malware disguised as legitimate email attachments. Upon opening the attachments, victims unwittingly give the criminals access to their systems, enabling them to remotely gain control over their devices and mine data, as well as activate tools such as webcams.

Attack Description:

The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware. All the strings and settings were encrypted and obfuscated. Functionality was identified that enables HTTP communication with the C&C server and invokes “processcreate” based on parameters received as a response. The configuration and strings are encrypted using 3DES and Base64 encoding. Data sent to the C&C server is also encrypted using 3DES and Base64. Different keys are used for local and network encryption. The malware starts communicating with the C&C server by sending basic information about the infected machine. The C&C server then replies with the encrypted serialized configuration. The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute scripts/commands and receive the results via HTTP requests.

Recommendations:

• Educate users on being suspicious of unexpected emails and reporting them to IT security
• Ensure AV at endpoints is being properly and regularly updated
• Restrict giving Admin privileges to end user machines without a satisfactory justification
• Consider implementing security controls like application whitelisting to detect and block malicious programs
• Check whether AV can flag software that are packed with VM Protect for obfuscation as malicious
• Verify the legitimacy of the software before running it.

GOLD GALLEON Group Targeting the Shipping Industry

The Help AG CSOC encountered a group named GOLD GALLEON which is targeting the shipping industry and its associated companies that provide ship management services, port services and cash to master services.
GOLD GALLEON is a threat group based in Nigeria that uses social engineering schemes to gain access to corporate email accounts. They use spear phishing emails with attached malicious payloads to steal the email credentials of individuals responsible for handling business transactions. Once they have obtained these credentials, they can intercept emails between the two parties involved in a transaction and modify financial documents to direct funds to attacker-controlled bank accounts. GOLD GALLEON has targeted firms in South Korea, Japan, Singapore, Philippines, Norway, U.S., Egypt, Saudi Arabia, and Colombia.

Recommendations:

• Implement two-factor authentication (2FA) for any external access into corporate infrastructure
• Thoroughly check email addresses for accuracy and watch for small changes that mimic legitimate addresses
• Create detection rules that flag emails with extensions that are similar to company email addresses
• Limit the information that employees post to social media and to the company website, especially information about job duties and descriptions, management hierarchy, and out-of-office details

As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.
Blog By:
Ben Abraham, CSOC Lead at Help AG