Threat advisories

Top Middle East Cyber Threats – September 12, 2023

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

APT34 Employs SideTwist Trojan over Phishing Emails

The Iran-based threat actor APT34, posing as a marketing services company called GGMS, launched attacks against corporate targets, infecting them with the SideTwist Trojan.

The group, also known as OilRig and Helix Kitten, has previously targeted multiple sectors in Middle Eastern countries.

In the latest campaign, a malicious macro-embedded Word document, “GGMS Overview.doc”, drops the SideTwist trojan, which communicates with its C2 server using the User-Agent string “WinHTTP Example/1.0”.

The trojan can then receive instructions from the attacker to execute commands or program files and to upload local files back to the C2 server.
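
The following Python script, added here as an example rather than code from the original advisory, sweeps constructed proxy log lines in an assumed layout for requests carrying exactly that User-Agent string and counts hits per internal client. Since “WinHTTP Example/1.0” is also the default User-Agent in Microsoft’s WinHTTP sample code, a hit is a lead to triage rather than a confirmed infection.

```python
import re
from collections import Counter

# User-Agent the advisory reports for SideTwist C2 traffic.
SIDETWIST_UA = "WinHTTP Example/1.0"

# Constructed proxy log lines for the demo. The layout (timestamp, client,
# method, URL, status, quoted User-Agent) is assumed, not any product's format.
SAMPLE_LOG = """\
2023-09-12T08:01:02Z 10.0.5.21 GET http://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0)"
2023-09-12T08:01:09Z 10.0.5.44 POST http://203.0.113.10/ 200 "WinHTTP Example/1.0"
2023-09-12T08:02:15Z 10.0.5.44 GET http://203.0.113.10/?c=1 200 "winhttp example/1.0"
2023-09-12T08:03:00Z 10.0.5.21 GET http://updates.example.org/x 304 "WinHTTP Example/1.0 Updater"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_sidetwist_beacons(log_text):
    """Return records whose User-Agent equals the SideTwist string.

    The match is case-insensitive and whitespace-trimmed but otherwise exact, so
    "WinHTTP Example/1.0 Updater" is treated as a different agent and not flagged.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ua"].strip().lower() == SIDETWIST_UA.lower():
            hits.append(rec)
    return hits

def summarize_by_host(hits):
    """Count flagged requests per internal client so analysts know which hosts to triage."""
    return dict(Counter(h["src"] for h in hits))

if __name__ == "__main__":
    beacons = find_sidetwist_beacons(SAMPLE_LOG)
    for b in beacons:
        print(f'{b["ts"]} {b["src"]} -> {b["url"]} (UA: {b["ua"]})')
    print(summarize_by_host(beacons))
```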

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow macros in MS Office files from unknown sources.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

VMware Update Addresses Vulnerabilities in Aria Operations for Networks

VMware released a security update addressing multiple vulnerabilities in Aria Operations for Networks version 6.x, including a critical authentication bypass tracked as CVE-2023-34039 and rated 9.8 in CVSS. A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication and gain access to the Aria Operations for Networks CLI.

VMware also fixed CVE-2023-20890, an arbitrary file write vulnerability rated 7.2 in CVSS: an authenticated malicious actor with administrative access to VMware Aria Operations for Networks can write files to arbitrary locations, resulting in remote code execution.

The vulnerabilities are fixed in VMware Aria Operations for Networks version 6.11; no workarounds are available to mitigate these issues.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

Emotet Resurges with New Infection Vectors

Emotet (also known as Geodo and Heodo) is a well-known banking Trojan that also functions as a downloader/dropper for other malware. In January 2021, Emotet’s infrastructure was taken down, but it returned in November that year and expanded its operations in 2022 and early 2023. Emotet remains a dangerous and resilient malware family because its operators deploy multiple distinct infection methods (such as malicious macros, VBS, WSF, zip bombing, LNK files, and HTA files) within a short span of time.

When Emotet resumed operations in March 2023 after a short hiatus, the initial infection vector was a heavily padded Microsoft Word document carrying a macro. Soon thereafter, following a policy change enforced by Microsoft, the operators moved from Word documents to OneNote sections. In the latest Emotet payloads, we have observed significant changes in its TTPs, including new delivery vectors designed to evade detection mechanisms.
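
The delivery vectors listed above (VBS, WSF, LNK, HTA and OneNote attachments, zip bombs and padded Word documents) can be screened at the mail gateway before a user ever sees them. The Python attachment triage below is an added example, not the advisory’s or any vendor’s code; the blocked-extension list, the padding heuristic (a large file dominated by a single byte value) and the 100x archive expansion threshold are assumptions chosen for illustration.

```python
import io, os, zipfile
from collections import Counter

# Attachment types the advisory names as Emotet delivery vectors (VBS, WSF, LNK,
# HTA, OneNote). Holding them outright is this example's assumed mail policy.
BLOCKED_EXTENSIONS = {".vbs", ".wsf", ".lnk", ".hta", ".one"}
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".xls", ".xlsm"}

def ext_of(name):
    return os.path.splitext(name.lower())[1]

def is_heavily_padded(data, min_size=1_000_000, dominance=0.9):
    """Assumed heuristic for the inflated Word documents above: a large file in
    which one byte value accounts for almost all of the content."""
    if len(data) < min_size:
        return False
    return Counter(data).most_common(1)[0][1] / len(data) >= dominance

def zip_expansion_ratio(data):
    """Uncompressed/compressed size of a ZIP (zip-bomb indicator); None if not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    return sum(i.file_size for i in infos) / max(sum(i.compress_size for i in infos), 1)

def triage_attachment(name, data, max_ratio=100):
    """Return the reasons an attachment should be held; an empty list means clean."""
    reasons, ext = [], ext_of(name)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if ext in MACRO_CAPABLE and is_heavily_padded(data):
        reasons.append("macro-capable document padded with filler bytes")
    ratio = zip_expansion_ratio(data)
    if ratio is not None:
        if ratio > max_ratio:
            reasons.append(f"zip expansion ratio {ratio:.0f}x (possible zip bomb)")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            inner = {ext_of(n) for n in zf.namelist()} & BLOCKED_EXTENSIONS
        if inner:  # blocked type hidden inside an archive
            reasons.append("archive contains " + ", ".join(sorted(inner)))
    return reasons

def constructed_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n, b in members.items():
            zf.writestr(n, b)
    return buf.getvalue()
```

Calling triage_attachment("report.zip", constructed_zip({"payload.lnk": b"\x00" * 5_000_000})) returns both the expansion-ratio and the hidden-.lnk reasons, while an archive holding only a small .txt returns an empty list.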

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow macros in MS Office files from unknown sources.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Charming Kitten’s New Backdoor ‘Sponsor’ Targets U.A.E.

Researchers discovered a recent campaign targeting various entities in Brazil, Israel, and the United Arab Emirates, using a new backdoor named “Sponsor” that is attributed to the Iranian threat actor Ballistic Bobcat (also known as Charming Kitten).

Charming Kitten is an Iran-aligned advanced persistent threat group that targets education, government, and healthcare organizations, as well as human rights activists and journalists. It is most active in Israel, the Middle East, and the United States.

The adversaries obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers: they first scanned the system or network to identify weaknesses, then targeted and exploited the ones they found.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow macros in MS Office files from unknown sources.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Google Chrome Update Fixes a Critical Zero Day

Google published a security update addressing a critical vulnerability in the Chrome browser, fixed in the latest Chrome version (116.0.5845.187 for Mac and Linux, and 116.0.5845.187/.188 for Windows).

The vulnerability is a heap buffer overflow in WebP, tracked as CVE-2023-4863. Google is aware that an exploit for CVE-2023-4863 exists in the wild.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
