At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog post, we share the top cybersecurity threats our MSS team has recently come across. Read on to learn what you need to look out for in the weeks ahead:
Threat Actor Targets the UAE with an Office 365 Phishing Campaign
Help AG's CTI (Cyber Threat Intelligence) team has identified an ongoing phishing campaign targeting organizations in multiple countries, including the United Arab Emirates. The campaign has been active since July 2023. The threat actors distribute .html attachments containing heavily obfuscated JavaScript that, when the file is opened in the recipient's browser, renders a fake Microsoft login page. Because the page is built locally from the attachment rather than fetched from a link in the message body, URL reputation filtering on the email alone does not catch it. Users who enter their credentials into this fraudulent page are at significant risk of credential theft and potential further compromise.
Through its investigation, Help AG's Cyber Threat Intelligence team has identified key components of the attacker's infrastructure, which is aiding ongoing efforts to mitigate the threat.
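As an added illustration (not Help AG tooling), the script below applies static triage to an HTML attachment of the kind described above: it looks for the JavaScript constructs used to rebuild a page from an encoded blob, decodes long base64 literals to find Microsoft brand strings hidden inside them, and checks whether a credential form posts off-site. The indicator list, weights, alert threshold and both sample attachments are assumptions; the samples are constructed and inert (they use reserved `.invalid` hosts).

```python
"""Heuristic triage of HTML e-mail attachments that rebuild a fake
Microsoft sign-in page from obfuscated JavaScript.

Added example, not Help AG tooling. The indicator list, weights, the
alert threshold and the two sample attachments are assumptions chosen
for illustration; the samples are constructed and inert.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Brand strings a decoded lookalike page tends to carry (assumed list).
BRAND_MARKERS = ("microsoft", "office 365", "outlook", "onedrive", "sign in")

# JavaScript constructs used to rebuild a page from an encoded blob at load time.
DEOBF_PATTERNS = {
    "atob": re.compile(r"\batob\s*\("),
    "unescape": re.compile(r"\b(?:unescape|decodeURIComponent)\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "eval": re.compile(r"\beval\s*\("),
    "document.write": re.compile(r"document\.write(?:ln)?\s*\("),
}
ENCODED_LITERAL = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
FORM_ACTION = re.compile(r"<form[^>]*\baction\s*=\s*['\"]?(https?://[^'\" >]+)", re.I)
PASSWORD_FIELD = re.compile(r"type\s*=\s*['\"]?password", re.I)


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)
    form_targets: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 5  # assumed threshold


def decode_blobs(html: str) -> str:
    """Best-effort base64 decode of long literals so strings hidden in the
    encoded page can be inspected. Runs that are not valid base64 are skipped."""
    chunks = []
    for m in ENCODED_LITERAL.finditer(html):
        s = m.group(0).rstrip("=")
        s += "=" * (-len(s) % 4)  # restore padding before decoding
        try:
            chunks.append(base64.b64decode(s).decode("utf-8", "ignore"))
        except (binascii.Error, ValueError):
            continue
    return "\n".join(chunks)


def triage_html(html: str) -> Verdict:
    """Score one attachment; higher means more likely a rebuilt login page."""
    v = Verdict()
    for name, pat in DEOBF_PATTERNS.items():
        if pat.search(html):
            v.indicators.append(name)
            v.score += 1
    if ENCODED_LITERAL.search(html):
        v.indicators.append("long_encoded_literal")
        v.score += 1
    decoded = decode_blobs(html)
    hidden_brand = [w for w in BRAND_MARKERS if w in decoded.lower()]
    if hidden_brand:  # brand text only visible after decoding is the telling sign
        v.indicators.append("brand_in_encoded_payload:" + ",".join(hidden_brand))
        v.score += 2
    visible = html + "\n" + decoded
    v.form_targets = FORM_ACTION.findall(visible)
    if v.form_targets and PASSWORD_FIELD.search(visible):
        v.indicators.append("credential_form_posting_offsite")
        v.score += 2
    return v


# Constructed samples (not real attachments). The lookalike page is
# base64-encoded and rebuilt at load time, as the campaign above does.
_FAKE_LOGIN = (
    '<html><body><div class="brand">Microsoft</div>'
    '<form method="post" action="https://login.example.invalid/collect">'
    '<input type="email" name="loginfmt"><input type="password" name="passwd">'
    '<input type="submit" value="Sign in"></form></body></html>'
)
PHISHING_SAMPLE = (
    "<html><head><title>Secure document</title></head><body>\n"
    '<script>var p="' + base64.b64encode(_FAKE_LOGIN.encode()).decode() + '";\n'
    "document.write(atob(p));</script></body></html>\n"
)
BENIGN_SAMPLE = (
    "<html><body><h1>Quarterly newsletter</h1>\n"
    "<p>Read the latest edition on the intranet.</p>\n"
    '<a href="https://intranet.example.invalid/news">Open</a>\n'
    '<script>console.log("loaded");</script></body></html>\n'
)

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = triage_html(sample)
        print(f"{label}: score={v.score} suspicious={v.suspicious} {v.indicators}")
```

Running the file prints a verdict for each sample. A check like this belongs at the mail gateway or in the attachment sandbox, and it is a triage heuristic rather than a verdict: obfuscation on its own also appears in legitimate mailers, so the score should route the file to a sandbox or an analyst rather than block it outright.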
Recommendations:
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don't allow macros in MS Office files from unknown or untrusted sources.
- Enable software restriction policies and application whitelisting.
- Ensure that the email gateway is configured to block or quarantine suspicious attachments; for this campaign that includes .html files.
- Enforce the Restricted PowerShell execution policy for end users (the execution policy is a safety feature, not a security boundary, so pair it with application control).
- Monitor your network for abnormal behaviors.
- Ensure frequent backups are in place.
- Enable MFA wherever possible.
- Educate employees about detecting and reporting phishing / suspicious emails.
Microsoft Addresses OneNote Spoofing Vulnerability
Microsoft has released a fix for a spoofing vulnerability in OneNote. The CVE was addressed by the security updates released in August 2023.
The vulnerability, tracked as CVE-2023-36769 and rated 4.6 (Medium) on the CVSS scale, allows a remote attacker to perform a spoofing attack.
The bug stems from incorrect processing of user-supplied data; a remote attacker can use it to spoof a document's content.
Microsoft stated that, at the time of publication, the issue had not been publicly disclosed or seen exploited in the wild.
Recommendations:
- Ensure all systems are patched and updated, in particular that the August 2023 Office/OneNote security updates are applied.
Cybercriminals Exploit Zero-Day and RCE WinRAR Vulnerabilities
Since April 2023, cybercriminals have been exploiting a zero-day vulnerability in WinRAR, using crafted ZIP archives to deliver several malware families, including DarkMe, GuLoader and Remcos RAT.
The vulnerability is tracked as CVE-2023-38831 and is fixed in WinRAR 6.23. The flaw lets an attacker pair a benign-looking decoy file (a .jpg, .txt or any other format) with a same-named folder holding a script; when the victim opens the decoy in an affected WinRAR version, the hidden script is launched instead, so the user sees only an image or text file while the malware runs. These malicious archives were distributed on at least eight public trading forums and specifically targeted traders.
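To make that archive layout concrete, here is an added example (not code from WinRAR, Group-IB or Help AG) that inspects a ZIP for the pairing described above: an entry with a harmless extension and, beside it, a directory of the same name (the two names typically differ only by trailing whitespace) that holds a script. The sample archives are built in memory and are inert; the extension lists, entry names and the `Finding`/`scan_zip` helpers are assumptions for illustration.

```python
"""Structural check of ZIP archives for the layout used to exploit
CVE-2023-38831 (WinRAR before 6.23): a decoy with a harmless extension
("report.pdf ") beside a directory of the same name that holds a script
("report.pdf /report.pdf .cmd"). Opening the decoy in a vulnerable
WinRAR launches the script instead.

Added example, not Help AG, WinRAR or Group-IB code. The sample archives
are constructed in memory and inert; the extension lists, names and the
Finding/scan_zip helpers are assumptions for illustration.
"""
from __future__ import annotations

import io
import posixpath
import zipfile
from dataclasses import dataclass

# Extensions a decoy is likely to carry (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".docx", ".xlsx"}
# Extensions the Windows shell will execute (assumed list).
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".wsf", ".ps1", ".exe", ".scr", ".hta", ".lnk"}


@dataclass(frozen=True)
class Finding:
    decoy: str    # archive entry the user is meant to double-click
    script: str   # entry that would actually run
    reason: str


def _ext(leaf: str) -> str:
    """Extension of an entry name, ignoring trailing whitespace so that
    'photo.jpg ' and 'photo.jpg .cmd' yield '.jpg' and '.cmd'."""
    leaf = leaf.rstrip()
    dot = leaf.rfind(".")
    return leaf[dot:].lower() if dot > 0 else ""


def scan_zip(data: bytes) -> list[Finding]:
    """Return one Finding per decoy/script pair found in the archive bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [n for n in zf.namelist() if not n.endswith("/")]
    findings = []
    for decoy in files:
        parent, leaf = posixpath.split(decoy)
        if _ext(leaf) not in DECOY_EXTS:
            continue
        stem = leaf.rstrip()
        prefix = parent + "/" if parent else ""
        for cand in files:
            if cand == decoy or not cand.startswith(prefix):
                continue
            rel = cand[len(prefix):]
            if "/" not in rel:
                continue                      # not inside a sibling directory
            top = rel.split("/", 1)[0]
            if top.rstrip() != stem:
                continue                      # directory name does not mirror the decoy
            script_ext = _ext(posixpath.basename(cand))
            if script_ext not in SCRIPT_EXTS:
                continue
            spaced = "with" if (leaf != stem or top != stem) else "without"
            findings.append(Finding(
                decoy, cand,
                f"decoy and same-named directory ({spaced} trailing whitespace) "
                f"containing a {script_ext} script",
            ))
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed archives for demonstration; the script body is a no-op."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            zf.writestr("Trading_strategy.jpg ", b"\xff\xd8\xff\xe0 constructed decoy")
            zf.writestr("Trading_strategy.jpg /Trading_strategy.jpg .cmd",
                        b"@echo off\r\nrem constructed placeholder, does nothing\r\n")
        else:
            zf.writestr("Trading_strategy.jpg", b"\xff\xd8\xff\xe0 constructed image")
            zf.writestr("notes/readme.txt", b"constructed benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("malicious", "benign"):
        hits = scan_zip(build_sample(label == "malicious"))
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  decoy={f.decoy!r} script={f.script!r} ({f.reason})")
```

The check is purely structural, so it works on the archive at the mail gateway or in a sandbox before anything is extracted. Because names are compared after stripping trailing whitespace, it also catches variants without the space, and a file name that ends in whitespace is itself worth treating as an indicator, since no legitimate tool produces such entries on purpose.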
WinRAR is a popular file compression and archival utility for Windows. It was also affected by a now-fixed high-severity vulnerability, tracked as CVE-2023-40477 (CVSS score 7.8), that allows remote code execution when a crafted RAR archive is opened.
User interaction is required to exploit this vulnerability: the target must visit a malicious page or open a malicious file.
The flaw lies in the processing of recovery volumes. Missing validation of user-supplied data can cause a memory access past the end of an allocated buffer, which an attacker can leverage to execute code in the context of the current process, that is, with the privileges of the user running WinRAR. Both CVE-2023-38831 and CVE-2023-40477 are fixed in WinRAR 6.23.
Recommendations:
- Ensure all systems are patched and updated; in particular, upgrade WinRAR to version 6.23 or later, which fixes both CVE-2023-38831 and CVE-2023-40477.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don't allow macros in MS Office files from unknown or untrusted sources.
- Enable software restriction policies and application whitelisting.
- Ensure that the email gateway is configured to block or quarantine suspicious attachments, including archives from unknown senders.
- Enforce the Restricted PowerShell execution policy for end users (the execution policy is a safety feature, not a security boundary, so pair it with application control).
- Monitor your network for abnormal behaviors.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
Researchers Release PoC Exploit for Ivanti Sentry Flaw
Researchers have released proof-of-concept (PoC) exploit code for CVE-2023-38035 (CVSS score 9.8), a critical authentication bypass vulnerability in Ivanti Sentry.
The vulnerability affects Sentry versions 9.18 and prior. An unauthenticated attacker who can reach the administrator portal on port 8443 (commonly MICS) can use it to access sensitive APIs used to configure Ivanti Sentry, read configuration data, run system commands, or write files to the system. Despite the high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet.
Ivanti recommends that customers restrict access to MICS (MobileIron Configuration Service) to internal management networks and avoid exposing it to the internet.
Recommendations:
- Ensure all systems are patched and updated; apply Ivanti's fix for CVE-2023-38035 and make sure port 8443 (MICS) is reachable only from internal management networks, never from the internet.
References:
- https://www.tenable.com/security/research/tra-2023-27
- https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36769
- https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
- https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
- https://chromereleases.googleblog.com/2023/08/chrome-desktop-stable-update.html
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://www.rarlab.com/rarnew.htm