At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog post, we share the top cybersecurity threats our MSS team has recently come across. Read on to learn what you need to look out for in the weeks ahead.
Microsoft Reveals Possible DDoS Attack Targeting the UAE
Microsoft linked a threat actor tracked as Storm-1133 to a series of attacks aimed at private organizations.
The fourth annual Digital Defense Report published by Microsoft linked a series of attacks against organizations to a threat actor that Microsoft tracks as Storm-1133.
The Storm-1133 activity was observed in early 2023 and targeted private-sector energy, defense, and telecommunications organizations. Most of the attacks were distributed denial-of-service (DDoS) attacks, some of which also targeted critical infrastructure.
The threat actors include the hacktivist groups KILLNET and Anonymous Sudan, which have launched previous DDoS campaigns against multiple organizations and countries, including the United Arab Emirates.
RECOMMENDATIONS
- Ensure your organization has sufficient bandwidth and provide redundancy by spreading traffic across load balancers.
- Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols.
- Deploy DDoS protection solutions to protect your servers from both network and application layer DDoS attacks.
- Have a response plan in place, as this can help you quickly and effectively respond to the attack and minimize its impact.
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Enable software restriction policies and application whitelisting.
- Enforce the Restricted PowerShell script execution policy.
- Monitor your network for abnormal behaviours.
- Ensure frequent backups are in place.
Microsoft Fixes New Vulnerabilities in October Patches
Microsoft has fixed 105 new vulnerabilities in the October 2023 update addressing CVEs in Microsoft Windows and Windows Components: Exchange Server, Office and Office Components, ASP.NET Core and Visual Studio, Azure, Microsoft Dynamics, and Skype for Business.
Of the new patches released, 13 are rated Critical, 1 High and 91 Important in severity.
Two of the new CVEs released are listed as publicly known (CVE-2023-36563 & CVE-2023-41763) and three are listed as being exploited in the wild at the time of release.
CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability: This bug is one of the two being exploited in the wild. Successful exploitation could lead to the disclosure of NTLM hashes. Microsoft doesn’t list any Preview Pane vector, so user interaction is required. In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11.
CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability: This is the other bug under active attack this month, and it acts more like an information disclosure than a privilege escalation. An attacker could make a malicious call to an affected Skype for Business server that results in the server parsing an HTTP request to an arbitrary address. This could result in disclosing information, which could include sensitive information that provides access to internal networks.
CVE-2023-44487 – Rapid Reset Attack: Attackers can abuse the Layer 7 stream cancellation feature within HTTP/2 to create a DoS across a service. The problem is shared across many services, and this Microsoft patch addresses any affected Microsoft products.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Vulnerabilities Discovered in Citrix ADC and Citrix Gateway
Two Critical, unauthenticated buffer-related vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.
| CVE | Description | Pre-requisites | CVSS |
|---|---|---|---|
| CVE-2023-4966 | Sensitive information disclosure | Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | 9.4 |
| CVE-2023-4967 | Denial of service | Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | 8.2 |
RECOMMENDATIONS
- Ensure all systems are patched and updated.
F5 Security Update Fixes Multiple Vulnerabilities
F5 has recently released a security advisory in which 10 High severity, 6 Medium severity and 3 Security Exposure vulnerabilities have been fixed.
A zero-day vulnerability known as the “HTTP/2 Rapid Reset Attack” (CVE-2023-44487), affecting the HTTP/2 protocol, allows a denial of service because request cancellation can reset many streams quickly; it was exploited in the wild from August through October 2023. It affects multiple products, including BIG-IP Next (all modules), BIG-IP Next SPK, BIG-IP Next CNF, BIG-IP (all modules), NGINX Plus, NGINX OSS and NGINX Ingress Controller.
To mitigate this issue, F5 recommends using HTTP and disabling HTTP/2. Alternatively, if HTTP/2 cannot be disabled, the impact can be reduced by lowering the number of allowed outstanding concurrent requests per HTTP/2 connection.
F5 Distributed Cloud Services are not affected by this vulnerability.
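As an added example (not code from the Help AG bulletin or from any vendor advisory), the following Python parses the raw HTTP/2 frames a client sends on one connection and flags the Rapid Reset pattern described in the Microsoft and F5 sections above: many client-opened streams cancelled almost immediately. The frame layout follows RFC 9113; the 128-stream threshold stands in for the per-connection concurrency limit F5 recommends lowering, and the sample traffic is constructed inline.

```python
# HTTP/2 frame types (RFC 9113 section 6); Rapid Reset = HEADERS then RST_STREAM, repeated fast.
HEADERS = 0x1
RST_STREAM = 0x3
CANCEL = 0x8          # RST_STREAM error code used by the attack
FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id (top bit reserved)

def parse_frames(data: bytes):
    """Yield (frame_type, stream_id, payload) for each frame in one direction of a raw HTTP/2 stream."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        hdr = data[offset:offset + FRAME_HEADER_LEN]
        length = int.from_bytes(hdr[0:3], "big")
        frame_type = hdr[3]
        stream_id = int.from_bytes(hdr[5:9], "big") & 0x7FFFFFFF  # clear the reserved bit
        payload = data[offset + FRAME_HEADER_LEN:offset + FRAME_HEADER_LEN + length]
        if len(payload) < length:
            break  # truncated trailing frame: stop rather than mis-parse
        yield frame_type, stream_id, payload
        offset += FRAME_HEADER_LEN + length

def rapid_reset_score(data: bytes):
    """Return (streams_opened, streams_reset, reset_ratio) for the client side of one connection."""
    opened, reset = set(), set()
    for frame_type, stream_id, _ in parse_frames(data):
        if frame_type == HEADERS and stream_id % 2 == 1:  # client-initiated streams are odd-numbered
            opened.add(stream_id)
        elif frame_type == RST_STREAM and stream_id in opened:
            reset.add(stream_id)
    ratio = len(reset) / len(opened) if opened else 0.0
    return len(opened), len(reset), ratio

def is_rapid_reset(data: bytes, max_concurrent_streams: int = 128, ratio_threshold: float = 0.9) -> bool:
    """Flag a connection that opened more streams than the server's concurrency limit
    (the knob F5 recommends lowering) and cancelled nearly all of them."""
    opened, _, ratio = rapid_reset_score(data)
    return opened > max_concurrent_streams and ratio >= ratio_threshold

def build_frame(frame_type: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one HTTP/2 frame; used only to construct the sample traffic below."""
    return len(payload).to_bytes(3, "big") + bytes([frame_type, 0]) + stream_id.to_bytes(4, "big") + payload

def sample_attack(n: int = 500) -> bytes:
    """Constructed sample: n HEADERS frames, each immediately followed by RST_STREAM(CANCEL)."""
    cancel = CANCEL.to_bytes(4, "big")
    return b"".join(build_frame(HEADERS, 2 * i + 1) + build_frame(RST_STREAM, 2 * i + 1, cancel) for i in range(n))

def sample_benign(n: int = 20) -> bytes:
    """Constructed sample: n ordinary requests, one of which the client cancels."""
    frames = [build_frame(HEADERS, 2 * i + 1, b"\x82") for i in range(n)] + [build_frame(RST_STREAM, 3, CANCEL.to_bytes(4, "big"))]
    return b"".join(frames)
```

Fed with the client-to-server bytes of a captured connection, the same score can drive a connection-close decision at a proxy or an alert in a WAF log pipeline.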
RECOMMENDATIONS
- Ensure all systems are patched and updated.
FortiGuard Labs Fixes Multiple Vulnerabilities
FortiGuard Labs has released its security advisory for the month of October, fixing 24 vulnerabilities across multiple products: 2 are rated Critical, 8 High, 11 Medium and 3 Low severity.
Below are the details of the Critical and High vulnerabilities affecting FortiSIEM, FortiWLM, FortiManager, FortiAnalyzer, FortiMail, FortiEDR, FortiOS and FortiADC.
- CVE-2023-34992 – FortiSIEM – Remote unauthenticated OS command injection
- CVE-2023-34993 – FortiWLM – Unauthenticated command injection vulnerability
- CVE-2023-42791 – FortiManager & FortiAnalyzer – Path traversal via unrestricted file upload
- CVE-2023-34989 – FortiWLM – Authenticated command injection vulnerability
- CVE-2023-36556 – FortiMail – Email account takeover in same web domain
- CVE-2023-41679 – FortiManager – Improper inter-ADOM access control
- CVE-2023-33303 – FortiEDR – Session API token does not expire after a renewal
- CVE-2023-42788 – FortiManager / FortiAnalyzer – OS command injection
- CVE-2023-41841 – FortiOS – Improper authorization via prof-admin profile
- CVE-2023-25607 – FortiManager, FortiAnalyzer, FortiADC – Command injection due to an unsafe usage of function
RECOMMENDATIONS
- Ensure all systems are patched and updated.
GDS Ransomware Campaign Targets Multiple Countries
A new security threat has been identified by the Help AG Cyber Threat Intelligence Team: the hacktivist group T.Y.G Team has publicly announced its intention to launch a ransomware campaign targeting multiple countries. The group has named this ransomware “GDS”, or “Gaza Digital Storm”.
The T.Y.G Team is a hacktivist group known for their associations with Anonymous Sudan and the Russian KILLNET group. They have previously been implicated in cyberattacks aimed at Saudi Arabia and the United Arab Emirates.
We will continue to monitor the situation closely and provide updates as they become available.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t allow Macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviours and IoCs.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
References:
- https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- https://fortiguard.fortinet.com/psirt
- https://fortiguard.fortinet.com/psirt?product=FortiOS-6K7K,FortiClientWindows,FortiMail,FortiAnalyzer,IPS%20Engine,FortiManager,FortiSIEM,FortiAnalyzer-BigData,FortiOS,FortiIsolator,FortiEDR,FortiWLM,FortiGuest
- https://twitter.com/Linux_ye/status/1712158040512729161?t=T8TH3iOOOtM9jaq8JlGGhA&s=19