Top Middle East Cyber Threats- 4 March 2019

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
1) Rietspoof Goes Viral on Instant Messengers
Researchers have discovered a new malware family, Rietspoof, that targets users via messaging clients such as Facebook Messenger and Skype.
The malware was observed to use multiple stages, each with very unique capabilities, to compromise its target(s). With one acting as a bot that can download/upload files, start processes, or initiate a self-destruct function and another behaving like a “run-of-the-mill” downloader. The malware which continues to show a significant increase in its activities uses several valid certificates to sign related files.
While the data on this malware is extensive, its motives, intended targets and modus operandi are still unknown.
Attack Description:
The first stage has been observed to be delivered by messaging clients and the delivered file contains a highly obfuscated Visual Basic Script with a hard-coded and encrypted CAB file. This CAB file is expanded into an executable which is digitally signed with a legitimate signature, mostly using Comodo CA.
This “.exe” file is then used to install a downloader.
It is observed that, before reaching the third and fourth stages, this malware gains persistence using a technique which involves adding a “WindowsUpdate.lnk” to the Windows start-up folder. This enables it to run an expanded Portable Executable (PE) binary after each reboot.
It is Rietspoof’s third stage that drops the bot payload, which is used by the malware’s authors to start processes on the compromised machine(s).
The final stage for this malware acts as a malware downloader, attempting to establish an authenticated channel through a NTLM protocol over TCP with its corresponding Command and Control (C&C) server, whose IP address is hardcoded. Once this downloader establishes this connection, it tries to grab either the final payload or yet another malware stage.
Rietspoof authors have been continuously updating this malware and they also seem to have multiple versions running with communication obfuscation features being added and removed. Because of these changes, the malware-infected files are rarely detected by most antivirus software.
Prevention and Remediation:

• Explicitly blacklist the attack’s Indicators of Compromise on your security appliances.
• Use application whitelisting where applicable.
• Exercise caution when receiving unsolicited, unexpected, or suspicious messages, files, or emails and when clicking URLs.
• Admins must monitor and control the use of file types by individuals in their organization. This can mean denying the use of scripts, and macro enabled files.
• For those users who require tools for the execution of scripts, admins must restrict their activities to a virtual environment, if possible.

2) Microsoft Windows Challenged by DoS
Microsoft Security Centre has disclosed that Windows Server and Windows 10 Servers running Internet Information Services (IIS) are vulnerable to denial of service (DoS) attacks. All IIS servers running Windows Server 2016, Windows Server Version 1709, Windows Server Version 1803, as well as Windows 10 (versions 1607, 1703, 1709, and 1803) are affected by this DoS issue.
Attack Description:
Microsoft researchers have explained that a remote attacker can exploit the IIS resource exhaustion bug and trigger a denial of service condition, effectively blocking or slowing down the entire system.
IIS servers shipped with Windows 10 and Windows server 2016 are impacted by this vulnerability when processing HTTP/2 requests. HTTP/2 Settings frames are used by endpoints to exchange defined settings parameters with each other. The HTTP/2 protocol doesn’t define any practical limit on the number of settings parameters included in a single settings frame and there is no limit on the number of times such settings frames can be exchanged.
Microsoft says that in some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed. A malicious client using HTTP/2 can exploit this fact to make an HTTP/2 server system temporarily unstable, by increasing the CPU usage to 100% before the connections are terminated by the Internet Information Services (IIS).
Prevention and Remediation:

• Microsoft recommends installing all available February patches including the updates – KB4487006, KB4487011, KB4487021, and KB4487029 which were released specifically to address the IIS DOS bug.
• After applying the updates, IIS administrators will be able to customize the HTTP/2 SETTINGS threshold and prevent the bug from freezing IIS web services. Microsoft has not defined a default threshold, and this should be set by the company after assessment.
• To set these limits, Microsoft added the following registry entries on vulnerable Windows 10 releases:

Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerFrame
Type: DWORD
Data: Supported min value 7 and max 2796202. Out of range values trimmed to corresponding min/max end value.
 
Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerMinute
Type: DWORD
Data: Supported min value 7. Smaller value trimmed to the min value.
For the newly added registry values, the system will require a service restart / reboot.
As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cybersecurity needs.