At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructure to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, I share the top three cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

1) UAE Among Top Targets for Smartphone Surveillanceware

Security researchers have discovered a set of custom Android and iOS surveillanceware tools called Stealth Mango (Android) and Tangelo (iOS). The former, which is the more active of the two, is being used in targeted surveillance operations against government officials, members of the military, and activists in the United Arab Emirates, Iraq, India, Pakistan, and Afghanistan. Furthermore, government officials and civilians from the United States, Australia, the United Kingdom, and Iran have had their data indirectly compromised after interacting with Stealth Mango victims.

Attack Vectors

The threat actors have relied on social engineering to infect target devices and have hosted Stealth Mango samples on their own fake app store. They typically lure victims via phishing, but it appears they may also have physical access to victims’ devices.

After infecting victims’ devices, attackers use azurewebsites[.]net hosted by Microsoft to serve the malicious page. This watering hole URL, used to distribute the malware, pretends to be the third-party Android app store APKMonk, but it is not. All links on the site to other apps will fail or re-direct to the Stealth Mango APK. Attackers do a convincing job of making the APK seem legitimate by including fake information regarding the package name, version info and past versions of the app.

Attack Execution

Once downloaded and installed, all Stealth Mango samples launch their services at the highest priority possible and contain at least two background services which initially upload all data from an infected device and then track all changes that occur as soon as they happen.

The malware also has categories for each type of information that, in later variants, is used as a model to create databases. These categories are also used to upload data into similarly named folders on command and control (C2) infrastructure. These are • CR – Call Records • VD – Video • GL – Gallery • AU – Audio

Recommendations:

  • Ensure BYOD policies related to company Wi-Fi or guest Wi-Fi are hardened.
  • Refrain from using Android/iOS applications for sharing critical information.
  • Advise users not to click any links in e-mails received from unknown/third-party sources. You can learn more about email security from this previous Help AG blog.
  • Do not install personal applications on corporate mobile devices.
  • It is a good practice to have an Antivirus installed on all endpoint devices. Again, we’ve got tips on securing the endpoint in this blog.
  • Watch out for suspicious links and only download Apps from the official Play Store and App Store.
2) Legitimate Websites Exploited to Deliver Powerful Ransomware

Attackers have been hosting Gradcrab, one of the most widely distributed ransomware variants today, on legitimate websites with poor security measures. As per research, the attackers have been using a series of compromised websites with high vulnerabilities to deliver the malware via emails- meaning users now need to be wary about email from sites and services they would otherwise trust.

Once installed, Gandcrab encrypts files with the .CRAB extension, changes the victim’s background, and leverages the Tor and Namecoin domains for C2 communications. Namecoin is a decentralized DNS service that utilizes a peer-to-peer network instead of relying on a central authority.

Attack Description

The attack was uncovered with the discovery of a large-scale spam campaign that used disguised email addresses (from legitimate by compromised domains) with the subject – “Your Order # {Random digits}”. The email tricked users into clicking a zip attachment containing a word document with an embedded macro. The successful execution of this macro resulted in pulling the payload off the remote server.

In this campaign, the malware is seen to leverage certutil.exe, a command line utility installed as part of Certificate Services. The exploitation of certutil.exe forces the execution of the payload in the TEMP folder and Gandcrab is then installed on the target system.

The compromised websites delivering the payload have been found to be running phpMyAdmin, MYSQL, out-of-date WordPress with multiple flaws and default credentials.

Recommendations:

  • Review your organization’s email security and gateway blocking effectiveness regularly.
  • Advise users not to click any links in e-mails received from unknown/third-party sources.
  • Immediately inform your cybersecurity team if you receive any suspicious e-mail with attachments.
  • Do not activate MACROS for Microsoft Office format files received from unknown/unreliable sources.
  • Monitor any internal traffic to the following Herbal-treatment-advisory[.]com and pushpakcourier[.]net domains
3) Chinese Hackers Unleash Powerful Phishing Campaign

A new campaign involving the Chinese group– ‘Winnti umbrella’– is targeting gaming studios and high-tech businesses. They primarily seek code signing certificates and software manipulation, with financial motivations being a likely secondary objective. So far, the main targets have been in the United States, Japan, South Korea, and China.

Attack Description

In the earliest phases of its campaign, the Group focused on sending technical job applications to software engineering, IT and recruiting staff. These emails contained links that sent victims fake resumes in DOC, XLS, PDF or HTML format. Once opened, the malicious files began to download malware. At the same time, the attackers were observed using the Browser Exploitation Framework (BeEF) to compromise victim and download Cobalt Strike, while also checking the target Operating system to deliver the right malware for the host environment.

Phishing remains the Group’s chief attack vector with recent campaigns focused on Office 365 and Gmail. The attackers phish for credentials to a user’s cloud storage, and in cases where the victim uses O365 and/or G-suite for enterprise file storage, they manually review the contents for valuable data. If code signing certificates are stored, the primary mission has been accomplished, as these can be easily downloaded. In other cases, the attackers attempt to use other files and documentation to help them traverse or gain privileges on the network.

Once the attackers gain remote access to the network via malware, stolen credentials or remote access tools, the operation continues. Though their post-compromise actions have become more efficient and automated, the internal reconnaissance is still performed by scanning the internal network for open ports 80, 139, 445, 6379, 8080, 10022, and 30304.

Recommendations:

  • Review your organization’s email security and gateway blocking effectiveness regularly.
  • Ensure AV at endpoints is being properly updated and check if the AV has signatures for all the known bad hashes.
  • Inform users not to open unexpected emails, and to report to the IT security team any unexpected or suspicious emails that arrive.
  • Restrict giving Admin privileges to end user machines without a satisfactory justification.
  • Limit the information that employees post to social media and to the company website, especially information about job duties and descriptions, management hierarchy, and out-of-office details.
  • Monitor the posts 139, 6379, 10022 and 30304.
  • Monitor all endpoint logs to check for any unauthorized software installations.

As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.

Blog By:

Shaikh Azhar, Security Analyst at Help AG