
Top Middle East Cyber Threats – August 15, 2023

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog post, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Charming Kitten APT launches Nation-State Cyber Attacks

An alleged nation-state actor has targeted dissident organizations and individuals in Germany.

The attack was attributed to the APT group Charming Kitten (also known as APT35, Phosphorus, Newscaster, and Ajax Security Team). Charming Kitten is known for targeting journalists and activists in the Middle East, as well as organizations in the United States of America and entities in the U.K., Israel, Iraq, and Saudi Arabia.

The cyber spies used social media to gather information on the targets and as a vector for social engineering attacks. The hackers used false personas to get in touch with the victims and establish a relationship that allowed them to compromise their targets.

Once a rapport was established with the victims, the hackers sent them messages containing a link to an online chat that led to a phishing page.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow Macros for unknown MSOffice files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Midnight Blizzard Conducts Targeted Social Engineering Over Microsoft Teams

The Iranian threat actors (APT34) were discovered recently attacking organizations in the United Arab Emirates.

Microsoft has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). The threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear to be technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.

Microsoft stated that the campaign has affected fewer than 40 unique global organizations. The type of organizations targeted in this activity indicates potential espionage intentions directed at government, non-government organizations (NGOs), IT services and technology providers, manufacturing companies, and media providers.
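The lure described above ends with a user approving an MFA prompt they did not initiate, which usually shows up in sign-in telemetry as a burst of denied or unanswered push prompts followed by one approval. The script below is an added illustration of that detection logic; it is not Help AG or Microsoft code. The event tuples, the field names and the five-minute window are constructed assumptions standing in for whatever sign-in log schema your tenant exports, and the support-themed keyword list is likewise an assumption, not a Microsoft-published indicator.

```python
"""Detect MFA push-fatigue approvals and support-themed external Teams senders.

Added example (not code from the advisory, Help AG or Microsoft). Events are
constructed tuples of (user, ISO-8601 timestamp, mfa_result); the field names
and thresholds are assumptions, not a real sign-in log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events. Alice shows the pattern the advisory
# describes: several prompts she did not approve, then one approval minutes later.
SAMPLE_EVENTS = [
    ("alice@example.com", "2023-08-10T09:00:05", "denied"),
    ("alice@example.com", "2023-08-10T09:00:40", "denied"),
    ("alice@example.com", "2023-08-10T09:01:15", "denied"),
    ("alice@example.com", "2023-08-10T09:02:30", "approved"),
    ("bob@example.com", "2023-08-10T09:00:00", "approved"),
    ("bob@example.com", "2023-08-10T13:00:00", "approved"),
    ("carol@example.com", "2023-08-10T10:00:00", "denied"),
    ("carol@example.com", "2023-08-10T10:20:00", "approved"),
]

# Assumed keyword list: tokens a lookalike "technical support" domain might use.
SUPPORT_TOKENS = ("support", "helpdesk", "servicedesk", "itadmin", "msft")


def find_push_fatigue(events, window=timedelta(minutes=5), min_unapproved=2):
    """Return {user: approval_timestamp} for every user whose MFA approval was
    preceded by at least `min_unapproved` non-approved prompts within `window`."""
    by_user = defaultdict(list)
    for user, ts, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    hits = {}
    for user, records in by_user.items():
        records.sort()  # chronological order per user
        for i, (t, result) in enumerate(records):
            if result != "approved":
                continue
            # Count earlier prompts inside the window that were not approved.
            prior = [r for (pt, r) in records[:i] if t - pt <= window and r != "approved"]
            if len(prior) >= min_unapproved:
                hits[user] = t.isoformat()
                break  # one finding per user is enough to raise an alert
    return hits


def is_support_lookalike(sender_domain, trusted_domains):
    """True when a Teams sender comes from outside the trusted tenants and the
    domain label carries a support-themed token (assumed heuristic)."""
    domain = sender_domain.lower()
    if domain in trusted_domains:
        return False
    return any(tok in domain for tok in SUPPORT_TOKENS)


if __name__ == "__main__":
    print(find_push_fatigue(SAMPLE_EVENTS))
    print(is_support_lookalike("contoso-helpdesk.example", {"example.com"}))
```

Tune `window` and `min_unapproved` to your own baseline; the point is to alert on the approval that follows a cluster of unanswered prompts, and to treat external Teams senders with support-themed names as untrusted until verified out of band.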

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and IoCs.
  • Educate employees about detecting and reporting phishing / suspicious emails.
  • Enable strong password policy with MFA.

F5 Security Update Fixes Multiple Vulnerabilities

F5 has released its security advisory for the month of August, in which three High severity and four Medium severity vulnerabilities have been fixed.

The three High severity vulnerabilities affect BIG-IP APM, APM Clients and BIG-IP (all modules):

  1. CVE-2023-38418 – The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process.
  2. CVE-2023-38138 – A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user.
  3. CVE-2023-36858 – An insufficient verification of data vulnerability exists in BIG-IP Edge Client for Windows and macOS that may allow an attacker to modify its configured server list.

The four Medium severity vulnerabilities affect BIG-IP (all modules), F5OS-A and BIG-IQ Centralized Management:

  1. CVE-2023-3470 – Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. Because the password is predictable, an authenticated attacker with TMOS Shell (tmsh) access to the BIG-IP system, or anyone with physical access to the FIPS HSM, has the information required to generate the correct password. On vCMP systems, all guests share the same deterministic password, allowing those with tmsh access on one Guest to access FIPS HSM partitions belonging to other Guests.
  2. CVE-2023-38423 – A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user.
  3. CVE-2023-36494 – Audit logs on the F5OS-A system may contain undisclosed sensitive information.
  4. CVE-2023-38419 – An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

Microsoft Fixes Office Zero Day RCE Exploited in the Wild

Microsoft has released a crucial update for its Office software to counter a remote code execution (RCE) vulnerability, known as CVE-2023-36884, which has previously been exploited in attacks.

The vulnerability impacts Microsoft Office products from 2013 to 2021, including Microsoft Office 365 Apps.

The RomCom threat group had been exploiting this vulnerability as a zero-day, using malicious Microsoft Office documents to execute code remotely for both financial gain and espionage.

In order for exploitation to happen, a user must open an attachment sent in email, and the malicious Office document would bypass guard mechanisms such as the message asking users whether they want to enable content in Office files received via email or downloaded from the internet.

Many APT groups rely upon a user opening a malicious file in order to gain execution, and Microsoft Office files are commonly used in this regard.
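Because Office attachments are the common vector named above, a mail gateway or analyst can triage them before a user opens them. The script below is an added example, not code from the advisory, Help AG or Microsoft, and it does not detect CVE-2023-36884 specifically (the page does not describe that exploit's internals). It inspects the OOXML zip container that .docx/.xlsx/.pptx files are built on for two generic red flags: a `vbaProject.bin` part (VBA macros present) and any package relationship with `TargetMode="External"` (the document reaches out to a remote target when opened). The sample container it builds is constructed for the demonstration and is not a document Word would open.

```python
"""Triage an OOXML Office attachment for macros and external relationships.

Added example, not code from Help AG or Microsoft. Only the zip parts the
checks need are constructed; relationship XML follows the OPC package schema.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the OPC relationships part (_rels/*.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def triage_ooxml(data: bytes) -> dict:
    """Return findings for an OOXML file supplied as bytes."""
    findings = {"has_macros": False, "external_targets": [], "parts": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["parts"] = len(names)
        # A VBA project part is the macro container in macro-enabled documents.
        findings["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Walk every relationships part and collect external targets.
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    findings["external_targets"].append((name, rel.get("Target")))
    return findings


def build_sample(macros: bool, external_target=None) -> bytes:
    """Construct a minimal OOXML-like container for the demonstration.
    It carries only the parts the triage inspects (constructed data)."""
    pkg_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    doc_rels = [f'<Relationships xmlns="{REL_NS}">']
    if external_target:
        doc_rels.append(
            f'<Relationship Id="rId9" Type="{OFFICE_REL}/oleObject" '
            f'Target="{external_target}" TargetMode="External"/>'
        )
    doc_rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", pkg_rels)
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", "".join(doc_rels))
        if macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample(False)))
    print(triage_ooxml(build_sample(True, "https://example.invalid/payload")))
```

Neither finding proves malice on its own, but an inbound document that carries macros or external OLE links is exactly the kind of file the "enable content" prompt exists to gate, so it belongs in a sandbox or an analyst queue rather than a user's inbox.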

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
