TOP MIDDLE EAST CYBER THREATS- 21 JUNE 2018

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top three cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

1) Middle East Attacked ‘in a Flash’

An Adobe Flash zero-day vulnerability (CVE-2018-5002) is being exploited to target individuals and organizations in the Middle East. This stack-based buffer overflow flaw impacts Adobe Flash Player versions 29.0.0.171 and earlier ones on Windows, MacOS, and Linux, as well as Adobe Flash Player for Google Chrome, and can be exploited to achieve arbitrary code execution.
Besides the patch for CVE-2018-5002, Adobe has also rolled out security updates for two “important” vulnerabilities—including Integer Overflow bug (CVE-2018-5000) and an Out-of-bounds read issue (CVE-2018-5001)—both of which lead to information disclosure.
Attack Description
The exploit uses a Microsoft Office document to download and execute an Adobe Flash exploit to victims’ computers. Exploitation begins with download and execution of a remote Shockwave Flash (SWF) file, the first stage of which includes an RSA+AES cryptosystem that protects the subsequent SWF stage, containing the actual exploit. This next phase uses the same cryptosystem to download and execute the final payload, a shellcode that provides backdoor functionality to the system, or stages additional tools.
In one of the analyzed attacks, the weaponized document titled “الراتب الاساسي.xlsx” (translated to “basic_salary”) is an Arabic language document that purports to inform the target of employee salary adjustments. Most of the job titles included in the document are diplomatic in nature, specifically referring to salaries with positions including secretaries, ambassadors, and diplomats. Within the document, the threat actors utilize the domain “dohabayt[.]com” for malicious content.
Recommendations:

• Immediately update Adobe Flash Player to version 30.0.0.113 via the software’s in-built update mechanism or by visiting the Adobe Flash Player Download Center.
• Keep operating systems and software up-to-date with the latest patches.
• Don’t click any links in e-mails received from unknown/ third-party sources.
• Scan for and remove suspicious email attachments because if a user opens a malicious attachment and enables macros, the embedded code will execute the malware on the machine.
• Consider blocking email messages from suspicious sources that contain attachments.

2) Cryptominers go on the Prowl

Security researchers have uncovered a traffic manipulation and cryptocurrency mining campaign infecting organizations within the finance, education and government sectors. Dubbed ‘Operation Prowli’, the threat actors use various attack techniques including exploits, password brute-forcing and weak configurations with the objective of making money rather than espionage or promoting ideology.
Campaign Objectives
The attackers use the r2r2 worm to take over computers and use mining pools to launder their gains. They prefer to mine Monero, a cryptocurrency focused on privacy and anonymity to a greater degree than Bitcoin.
A second source of revenue is traffic monetization fraud. Traffic monetizers, such as roi777, buy traffic from ‘website operators’ such as the Prowli attackers and redirect it to domains on demand. Website ‘operators’ earn money based on the volume of traffic sent through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more.
Attack Description
Prowli attackers have relied on several techniques to carry out their attacks. These include

• Hacking machines running Secure Shell (SSH) via a self-propagating worm spread by brute-force credential guessing to download and run a cryptocurrency miner.
• Attacking Joomla! Servers running the K2 extension with file download vulnerability
• Accessing the internet facing configuration panel of DSL modems using a URL such as http://:7547/UD/act?1 and passing in parameters exploiting a known vulnerability
• Hacking WordPress servers via infectors including brute force login to the WP administrative panel, and exploiting old vulnerabilities in WordPress installations
• Exploiting servers running HP Data Protector exposed to the internet (over port 5555) using a 4-year-old vulnerability (CVE-2014-2623 which can be used to execute commands with system privileges)
• Targeting systems with Drupal, PhpMyAdmin installations, NFS boxes and servers with exposed SMB ports open to brute-force credential guessing
• Exploiting compromised servers which host a well-known open source web shell named “WSO Web Shell”. These PHP-based shells provide access and remote code execution on different compromised machines, frequently running vulnerable versions of WordPress

Recommendations:

• Patch your servers and use strong passwords.
• Follow the major CMS vendors’ WordPress and Drupal hardening guides.
• For PHP websites, follow the OWASP provided hardened PHP configuration.
• Scan and remove suspicious email attachments.
• Do not click on any links in e-mails received from unknown/ third-party sources.
• Educate users about traffic redirection to malicious sites which are disguised as legitimate advertisements.

3) Hidden Cobra Strikes Again

Researchers have identified Trojan malware variants- referred to as TYPEFRAME– linked to North Korean cyber-attack group HIDDEN COBRA. According to reports from trusted third-parties, HIDDEN COBRA actors have likely been using multiple Trojans since 2009 to target multiple victims globally- including the media, aerospace, financial, and critical infrastructure sectors.
Attack Description
Analysis of submitted samples has found the Trojan could be in the form of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the ability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections.
Recommendations:

• Maintain up-to-date antivirus signatures and engines and apply the latest patches to operating systems.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” i.e. the extension matches the file header.
• Monitor users’ web browsing habits and restrict access to sites with potentially malicious content.
• Exercise caution when using removable media such as USB thumb drives, external drives, and CDs.
• Scan all software downloaded from the Internet prior to executing.

As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.
Blog By:
Ben Abraham, CSOC Lead at Help AG