At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top two cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
1) Attackers go Phishing in the Middle East
We have observed a phishing campaign targeting organizations in the Middle East. The campaign involves sending spam emails to multiple users in an organization. These phishing emails appear to come from legitimate sources but are designed to deceive the recipient into sharing personal or classified data.
These emails were sent with the subject “New Order” from the domain @printweekmea.com. Each email carried two encrypted Excel file attachments, which were flagged as malicious by several threat engines.
The observed domain belongs to a legitimate source: printweekmea is a monthly magazine for the printing industry and similar services operating in the Middle East and Africa region. The email originated from the source IP 220.127.116.11; the IP's reputation was found to be clean, and it resolves to atninfoc.directrouter[.]com. This suggests that the activity was carried out using a spoofed sender address that abuses this legitimate domain.
On executing the Excel files from the email attachment, we observed the following series of activities:
- It uses network protocols on unusual ports.
- It spawns multiple processes in a short span.
- To evade detection, the spawned process sleeps for more than two minutes.
- The document was found to download files even though it contains no macro.
- Contacted domain: hxxp://castedteam.ddns[.]net/
- Contacted Hosts:
- TCP traffic to 18.104.22.168 on port 1112 was observed.
- UDP connection to 22.214.171.124 was established.
- TCP traffic to 126.96.36.199 on port 80 was found to be sent without an HTTP header.
- TCP traffic to 188.8.131.52 was observed on port 1112.
Recommendations:
- Blacklist domain(s) that have been marked as malicious in threat feeds or other threat intelligence sources.
- Train employees regularly on the cyber security practices they must follow to minimize internal threats.
- Educate users to be cautious with personal credentials and to avoid uploading classified data to external domains unless this is in line with IT policy.
- Deploy multi-factor authentication to prevent attackers from exploiting compromised user credentials.
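As an added example that is not part of the original post, the following script matches the indicators reported above (the contacted domain, hosts and ports) against firewall/proxy log lines so that such traffic can be alerted on. The key=value log format, its field names and the sample lines are assumptions constructed for this example.

```python
"""Added example (not from the Help AG post): match the indicators reported
above against constructed firewall/proxy log lines. The key=value log format
and the sample lines are assumptions; the domain, IPs and ports are the post's."""
import re

# Indicators as published in the post (defanged where the post defangs them).
DEFANGED_URLS = ["hxxp://castedteam.ddns[.]net/"]
C2_IPS = {"18.104.22.168", "22.214.171.124", "126.96.36.199", "188.8.131.52"}
C2_PORTS = {"1112"}

def refang(indicator: str) -> str:
    """Turn a defanged IoC (hxxp://, [.]) back into a matchable hostname."""
    url = indicator.replace("hxxp", "http").replace("[.]", ".")
    return re.sub(r"^https?://", "", url).rstrip("/")

C2_DOMAINS = {refang(u) for u in DEFANGED_URLS}

# Constructed sample log lines in the assumed format.
SAMPLE_LOGS = """\
2018-09-12T09:58:11Z src=10.1.4.22 dst=93.184.216.34 proto=tcp dport=443 app=tls host=-
2018-09-12T09:58:40Z src=10.1.4.22 dst=18.104.22.168 proto=tcp dport=1112 app=unknown host=-
2018-09-12T09:58:41Z src=10.1.4.22 dst=22.214.171.124 proto=udp dport=53 app=dns host=castedteam.ddns.net
2018-09-12T09:58:42Z src=10.1.4.22 dst=126.96.36.199 proto=tcp dport=80 app=unknown host=-
2018-09-12T10:00:02Z src=10.1.4.23 dst=93.184.216.34 proto=tcp dport=80 app=http host=example.com
""".splitlines()

FIELD = re.compile(r"(\w+)=(\S+)")

def alerts(lines) -> list:
    """Return (timestamp, src, reason) for each line matching an indicator."""
    out = []
    for line in lines:
        r = dict(FIELD.findall(line))
        dst, dport = r.get("dst"), r.get("dport")
        if r.get("host") in C2_DOMAINS:
            reason = "contacted domain " + r["host"]
        elif dst in C2_IPS and dport in C2_PORTS:
            reason = "traffic to %s:%s" % (dst, dport)
        elif dst in C2_IPS and dport == "80" and r.get("app") != "http":
            reason = "non-HTTP traffic to %s on port 80" % dst
        elif dst in C2_IPS:
            reason = "traffic to listed host " + dst
        else:
            continue
        out.append((line.split(" ", 1)[0], r.get("src"), reason))
    return out

if __name__ == "__main__":
    for ts, src, reason in alerts(SAMPLE_LOGS):
        print(ts, src, reason)
```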
Furthermore, spam emails can generally be distinguished from genuine emails by observable features such as:
- A sense of urgency in the subject of the email; for example, a threat that unless you act immediately your account will be closed.
- A forged web domain that differs from the legitimate domain by only a single character.
- A suspicious request for personal information such as username, password or bank details.
- An unexpected email from a trusted user or organization.
- An image containing an embedded link that redirects to a suspicious website.
2) Denial of Service Attacks on Devices with Linux Kernel Vulnerabilities
A vulnerability in Linux kernel version 3.9 was found to affect devices running this kernel version and its derived flavours. The vulnerability arises from the inefficient IPv4 and IPv6 fragment reassembly algorithms in the kernel's IP stack. Over the years, increases in the IP fragment reassembly queue size were not matched by the necessary improvements to the reassembly algorithms in the IP stack. As a result, the incremental growth of the queue sizes was never accounted for, and the observed vulnerability, CVE-2018-5391, stems from this shortcoming.
If exploited, the vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the targeted device. Known as FragmentSmack, this is not a Linux-only threat: the vulnerability affects all versions of Windows 7 through 10 (including 8.1 RT), Server 2008, 2012 and 2016, and other Core installations that do not have the latest security updates released as part of the September 2018 Patch Tuesday.
FragmentSmack enables a fragmentation attack on the TCP/IP stack that prevents the recipient from reassembling the packets. Attackers could send many 8-byte IP fragments with random starting offsets and then withhold the last fragment, so that reassembly never completes and the worst-case complexity of the linked list used to reassemble the IP fragments is exercised.
Here is a list of vendors who are exposed to this vulnerability.
Recommendations:
- Install the latest security updates released as part of the September 2018 Patch Tuesday on Windows machines. If this is not possible, we recommend disabling fragment reassembly.
- Proactive health and hygiene monitoring of CPU usage, memory exhaustion and similar metrics should be conducted on all perimeter devices to detect any attempt to exploit this vulnerability.
- Lowering the IPv4/IPv6 threshold values for the fragment reassembly queue size is recommended to help mitigate attempted attacks.
- Patches and updates must be installed via the path recommended by the vendor.
- Administrators can leverage access control lists (ACLs), Control Plane Policing (CoPP) or other rate-limiting measures to control and limit the flow of fragmented packets that may reach vulnerable systems.
- Off-device mitigations such as external firewalls or infrastructure ACLs can also control the flow of IP fragments directed at the management interfaces or control planes of vulnerable devices.
- When considering or performing software upgrades, customers should consult the relevant vendors to identify non-vulnerable versions of their products.
- Help AG recommends a comprehensive assessment of the assets in your environment, as this vulnerability may affect previously unpatched assets or network devices with embedded Linux operating systems running the vulnerable kernel.
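To illustrate the threshold-lowering mitigation in the list above, here is an added example (not code from the Help AG post) that audits the Linux IPv4/IPv6 fragment reassembly memory thresholds and prints the sysctl commands that lower them. The 256 KiB high / 192 KiB low limits are an assumption taken from Red Hat's published mitigation for CVE-2018-5391; confirm the values against your own vendor's guidance.

```python
"""Added example (not from the Help AG post): audit the Linux IP fragment
reassembly memory thresholds and print the sysctl commands that lower them,
one of the CVE-2018-5391 mitigations listed above. Assumption: the 256 KiB /
192 KiB limits follow Red Hat's published mitigation; check your own vendor."""
from pathlib import Path

# Recommended maximums in bytes; the usual kernel default is 4 MiB / 3 MiB.
HIGH_MAX = 262144
LOW_MAX = 196608

# sysctl key prefix and the /proc directory it lives in, per address family.
FAMILIES = {
    "ipv4": ("net.ipv4.ipfrag", Path("/proc/sys/net/ipv4")),
    "ipv6": ("net.ipv6.ip6frag", Path("/proc/sys/net/ipv6")),
}

def status(high: int, low: int) -> str:
    """'ok' when both thresholds are at or below the recommended values."""
    return "ok" if high <= HIGH_MAX and low <= LOW_MAX else "weak"

def sysctl_fix(family: str) -> list:
    """The sysctl commands that apply the lower thresholds for one family."""
    prefix = FAMILIES[family][0]
    return [f"sysctl -w {prefix}_high_thresh={HIGH_MAX}",
            f"sysctl -w {prefix}_low_thresh={LOW_MAX}"]

def current(family: str):
    """Live (high, low) values read from /proc, or None when unavailable."""
    prefix, procdir = FAMILIES[family]
    name = prefix.rsplit(".", 1)[1]          # 'ipfrag' or 'ip6frag'
    try:
        high = int((procdir / f"{name}_high_thresh").read_text())
        low = int((procdir / f"{name}_low_thresh").read_text())
    except (OSError, ValueError):
        return None
    return high, low

def audit() -> dict:
    """Verdict per family: 'ok', 'weak' or 'unavailable' (no /proc knobs)."""
    result = {}
    for fam in FAMILIES:
        vals = current(fam)
        result[fam] = status(*vals) if vals else "unavailable"
    return result

if __name__ == "__main__":
    for fam, verdict in audit().items():
        print(fam, verdict)
        if verdict == "weak":
            print("\n".join(sysctl_fix(fam)))
```

Run it as root on a Linux host to see the live verdict; on an unpatched kernel with default thresholds it reports "weak" and prints the four sysctl commands, which must also be persisted in sysctl.conf to survive a reboot.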
As always, at Help AG, we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.
Shaikh Azhar, Cyber Security Analyst at Help AG