Top Middle East Cyber Threats- 1 July 2019

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
1) 4,800,000+ Exim Email servers affected by a Critical Vulnerability
Email servers running vulnerable versions of Exim Mail Transfer Agent (MTA) are currently under attack. Exim is an MTA used to deploy mail servers on Unix-like systems. The Exim servers, which are estimated to be running on most internet email servers are affected by a critical vulnerability, which can be exploited to gain permanent root access to the destination mail server via SSH.
The impacted versions of Exim MTA are v4.87 to v4.91 which are currently running on roughly 4,800,000+ machines. The vulnerability is tracked as CVE-2019-10149 and has been rated critical. By successfully exploiting this vulnerability an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
Attack Description:
At least two hacker groups have been observed exploiting this critical vulnerability, with one using a public internet server, and the other using a server located on the dark web.
The vulnerability nicknamed “Return of the Wizard” allows remotely-located attackers to send malicious emails to vulnerable Exim servers and run malicious code under the ‘Exim process’ access level, which on most servers is root.
The first wave of attacks started on June 9, when the first hacker group started sending out exploits from a command-and-control server located on the clear web, at http://173[.]212[.]214[.]137.
According to researchers, the attack is carried out by sending an email, wherein the SMTP dialog of that email, the RCPT_TO field gets an email address that contains a “localpart” crafted by the attackers to exploit the Exim vulnerability. Specifically, the attack uses a specially crafted Envelope from (532.MailFrom), which downloads a Shell script and runs it. The infected Exim server then executes the crafted local-part in its own user context, when it receives the email. Since users still run Exim as root, it is able to download a shell script that opens SSH access to the MTA server via a public key to the root user.
Prevention and Remediation:

• Identify vulnerable Exim servers in your environment by carrying out a vulnerability scan/assessment.
• Update the Exim MTA version on the servers to the latest update, which is v4.92.
• Verify that no unauthorized system modifications have occurred on the destination servers before applying the patch.
• Look for any unfamiliar cronjobs in the systems crontab and remove them.
• Make sure that recipient verification is enabled on the email servers.
• Apply the principle of Least Privilege to all systems and services.
• Remind users not to open emails, download attachments, or follow links provided by unknown or untrusted sources.

2) An Unwelcome Emissary to the Middle East
Unit 42 have recently observed that the threat group Emissary Panda has been installing web shells on SharePoint servers to compromise government organizations, especially in the Middle East.
The actors were found uploading a variety of tools to perform activities on compromised networks. These activities include dumping credentials, locating and pivoting to additional systems on the network, and more. In addition, it has been found that the use of tools to identify systems vulnerable to CVE-2017-0144 is the same as that of Eternal Blue.
Attack Description:
The Group’s web shell activity has been observed across three SharePoint servers which were hosted by two different government organizations in the Middle East. The actors successfully uploaded a total of 24 unique executables across these targeted SharePoint servers.
The tools uploaded to these web shells include legitimate applications such as cURL, and post-exploitation tools such as Mimikatz. The threat actors have also been observed using tools to scan for and exploit potential vulnerabilities within the network, such as the SMB vulnerability which was commonly exploited by Eternal Blue to move laterally to other systems on the network.
Based on the functionality of the various tools uploaded to these web shells, it can be assumed that the threat actors breach the SharePoint servers to use them as a beachhead. They then attempt to move laterally across the network via stolen credentials and exploiting other potential vulnerabilities.
The following versions of Microsoft SharePoint are known to be affected:

• Microsoft SharePoint Enterprise Server 2016
• Microsoft SharePoint Foundation 2013 SP1
• Microsoft SharePoint Server 2010 SP2
• Microsoft SharePoint Server 2019

One of the overlapping tools uploaded to these web shells is the cURL app, which could be used by multiple groups. Other tools are used by this adversary to locate other systems on the network (etool.exe), check if they are vulnerable to CVE-2017-0144, and pivot to them to using remote execution functionality. These tools are not custom made by this threat actor. Uploading of the HyperBro backdoor to one of the web shells was also observed for the same.
According to Microsoft’s recent advisory, this vulnerability was patched on March 12, 2019 and we first saw the web shell activity on April 1, 2019. This implies that the threat group quickly leveraged a known vulnerability to exploit Internet facing servers and gain access to targeted networks.
It can be assumed that the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 vulnerability followed by the uploading of legitimate tools that would sideload DLLs, specifically the Sublime Text plugin host and the Microsoft’s Create Media app, both of which we had never before seen being used for DLL sideloading.
Prevention and Remediation:

• Blacklist the attack’s known Indicators of Compromise (IoCs) on your security appliances to help prevent/detect any activities related to the same.
• Disable Remote Desktop Protocol (RDP) on the machines of users who don’t require such protocols to perform their daily activities.
• Exercise caution when providing credentials to suspicious web pages, URLs, files, processes, etc.
• All Microsoft SharePoint Server installations should be patched with the latest security update, dated 12 March 2019, using Microsoft Update, the Microsoft Update Catalog or the Microsoft Download Centre.
• If a SharePoint instance serves strictly as an on-premises solution, ensure that the server has no exposure to the Internet.
• Use multi-factor authentication for all login activities performed by users in your organization.

3) Microsoft Acknowledges BlueKeep Vulnerability
Microsoft has recently patched a vulnerability which allows remote attackers to execute arbitrary code and take control of a system via Remote Desktop Services without requiring any interaction from a user. Microsoft has confirmed this vulnerability can be exploited with “pre-authentication and requires no user interaction,” which makes this bug “wormable”, similar to 2017’s WannaCry ransomware.
By successfully exploiting this vulnerability, an attacker could install programs, view, modify, delete data; or create new account(s) with full user rights.
Vulnerability Description:
To exploit this vulnerability, the attacker would need to send a specially crafted request to the target systems via RDP. Dubbed BlueKeep (tracked as CVE-2019- 0708) this vulnerability affects Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 editions and could spread automatically to unprotected devices in the network.
Robert Graham from Erratica Security notes that large organizations could fix their “psexec” problem that allows such activity from being spread via normal user networking. He said that an organization may have only one WinXP machine that is vulnerable, and if not taken care of, could get infected with ransomware. If this device has a Domain Admin logged in when the worm breaks in, these credentials could be stolen which could further be used to log on to the Domain Controller. Then from the targeted Domain Controller, the worm could send a copy of itself to all the endpoints and servers within the organization using a tool like ‘psexec’.
For patching systems, organizations must discover all the devices on the network that are vulnerable. The ‘rdpscan’ tool is good for scanning small networks. For large networks, tools such as a ‘masscan’/’rdpscan’ combination can be used to rapidly scan multiple networks, subnets and asset ranges.
Despite the vulnerability’s criticality, no attacks have been recorded till date for the same. From recent media coverage, Help AG understands that most recent scanning/probing has been initiated for the purpose of security research.
Patches are currently available for Windows XP, 7, Server 2003, and Server 2008.
Prevention and Remediation:

• Identify vulnerable systems either through scanning or other means.
• Apply the latest patches from Microsoft for CVE-2019-0708 on all vulnerable/affected machines.
• If patching is not possible, disable RDP services on network-connected systems, if the system does not require such functions to perform daily or assigned activities.
• Where RDP services are required, restrict network access to RDP services for those systems/users for which there is valid business requirement.
• If appropriate, explicitly blocking port 3389 using a firewall or making it accessible only over a private VPN is recommended to mitigate the risk of exploitation.
• Enabling Network Level Authentication (NLA) to prevent unauthenticated exploitation.

As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.