Threat advisories

Top Middle East Cyber Threats- 1 March 2020

Mar-2020 4 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Phishing email campaign abusing the fear of Coronavirus
Cybercriminals are leveraging the coronavirus outbreak to trick people into downloading malware on their devices. Before you open the next document or forwarded file you received about the recent Coronavirus outbreak be very careful.
The Coronavirus outbreak in China has reached emergency status. During this situation, many directives and documents are floating around the internet, claiming to be state news and facts about the Coronavirus disease and even pointers on how to stay safe.
Alarmingly, a report by Kaspersky has revealed these files are actually trojans and malware, masked in the headlining topic. Kaspersky has also identified the most popular malware files being used by hackers globally. You can get the list of all the files here.
However, given that such filenames are impossible to identify for common user, what you should look out for is by accessing the details of a file shared with you, identify whether a disguised word document, PDF or video has either of it. This is particularly crucial, and is important for you to note, to ensure that both you and your devices remain safe from being infected with one form of the Coronavirus of the other.
Another report by Proofpoint stated that Coronavirus-themed email attacks are increasing and are focused on concerns around disruptions to global shipping. These emails feature malicious word documents which exploits an old Microsoft Office vulnerability (CVE-2017-11882) which leverages Equation Editor and installs an information stealing malware called AZORult. This malware was also used to 2016 by some attackers to carry out a ransomware attack.
Recommendations:

Use cloud security solutions to make sure that you have a comprehensive protection against a wide range of threats.
Make sure to check the file extensions of the files you downloaded. Documents and Video files do no use .EXE file format.
Do no click on suspicious links that provide exclusive content, instead obtain information from trustworthy sources.
Organizations and people should be vigilant while handling emails and links associated with Coronavirus.

CVE-2020-0688 (Remote Code Execution on Microsoft Exchange Server)
Microsoft recently released a patch to address a vulnerability associated with remote code execution in the Microsoft Exchange Server including the mail servers as well. The same is termed as “CVE-2020-0688”. This flaw exists in the Microsoft Exchange because this software is not able to handle the objects present in the memory.
It was classified as a high severity vulnerability because of authentication i.e. this can be exploited by a remotely authenticated user via the internet as well. This vulnerability results because the Exchange Server fails to create the unique cryptographic keys during the installation time. Having access to these keys allows an authenticated user with a mailbox to pass arbitrary objects which runs as SYSTEM. In order to fix this, the keys are randomized at the time of installation.
Microsoft listed this vulnerability having an Exploit index of 1, meaning that they expect to see the exploits within a month of the release of patch. Expect some more exploitations in the coming days or weeks.
Recommendations:

Patches are necessary to ensure that the systems are up to date and protected against the security vulnerabilities present in the software
Always install the updates from the official vendor website.

JhoneRAT Malware
A new malware called “JhoneRAT” is infecting systems in the Middle East. By checking the keyboard layout, it is targeting Arabic speaking users and infecting their systems. It is very hard to detect as it won’t run on VMs. Researchers say that JhoneRAT has various anti detecting techniques including making use of Google Drive, Google Forms and Twitter.
This malware was written from scratch so it uses one of the known malicious code that can be identified and flagged by most antivirus tools. The countries targeted are Egypt, Libya, UAE, Omar, Bahrain, Kuwait, Algeria etc.
The malware is distributed via document files. CISCO Talos identified three Microsoft Office Documents that were used.
This campaign started in November 2019 and it is still ongoing,” the researchers say. “At this time, the API key is revoked, and the Twitter account is suspended. However, the attacker can easily create new accounts and update the malicious files in order to still work.
Recommendations:

Network-based detection is important but must be completed by system behavior analysis as well.
Advanced Malware Protection is suited to prevent the execution of such type of malwares.
Web Security Appliance (WSA) scanning can prevent access to malicious websites and can also detect the malwares used in this attack.
E-mail security needs to be monitored continuously as it can block the malicious emails sent by threat actors.
NGFW and IPS can also help in detecting malicious activities related to this attack.

References: