At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
New OneDrive Sync Feature Poses Security Risks: A Threat to Corporate Data Privacy
Starting June 2025, Microsoft will enable a OneDrive Sync feature by default that prompts users on business devices to sync personal Microsoft accounts alongside corporate data. No administrative action is required for activation. If accepted by the user, this change introduces risks such as malware infection, data exfiltration, and privacy concerns.
This change undermines the long-standing separation between personal and enterprise data.
Once synced:
- Malware risk: Personal files synced to enterprise machines could introduce malware.
- Data exfiltration: Users may transfer corporate data to their personal OneDrive accounts.
- User privacy: Users could unintentionally expose their own personal data on managed, monitored corporate systems.
This upcoming OneDrive change requires immediate attention. Organizations must proactively configure policies before the June 2025 rollout to prevent unauthorized personal account syncing and protect corporate data.
RECOMMENDATIONS
- Deploy the DisableNewAccountDetection policy to suppress the prompt while still allowing users to manually add personal accounts.
- Implement the DisablePersonalSync policy to fully block personal OneDrive syncing on corporate devices. Note that the two policies are independent: suppressing the prompt alone does not stop a user from adding a personal account by hand.
- Enforce Conditional Access to prevent unmanaged devices from accessing OneDrive.
- Deploy DLP rules to restrict file sharing and monitor sensitive data movement.
- Audit existing OneDrive clients for any linked personal accounts before the rollout, since a policy pushed later will not retroactively remove an account a user has already connected.
- Educate users on the policy and on the insider-threat risk of moving corporate data to personal accounts.
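The two policy settings and the audit step above, as an added PowerShell example (not code from Help AG or Microsoft). It assumes the value names and their location under HKCU\Software\Policies\Microsoft\OneDrive follow the OneDrive sync app policy reference, and that the sync client records linked accounts under HKCU\Software\Microsoft\OneDrive\Accounts; verify both against current Microsoft documentation before deploying at scale.

```powershell
# Added example (not from the Help AG bulletin): enforce the two OneDrive policies
# named above on this machine and list the accounts already linked to the client.
# Assumption: policy value names/location as in the OneDrive sync app policy
# reference (HKCU\Software\Policies\Microsoft\OneDrive); verify before deploying.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\OneDrive'

function Set-OneDrivePersonalSyncPolicy {
    param(
        # $true blocks personal accounts outright (DisablePersonalSync);
        # $false only suppresses the new-account prompt (DisableNewAccountDetection).
        [bool]$BlockPersonalSync = $true
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Suppress the prompt in every case; it adds nothing once personal sync is blocked.
    New-ItemProperty -Path $PolicyKey -Name 'DisableNewAccountDetection' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    if ($BlockPersonalSync) {
        New-ItemProperty -Path $PolicyKey -Name 'DisablePersonalSync' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-ItemProperty -Path $PolicyKey |
        Select-Object DisableNewAccountDetection, DisablePersonalSync
}

function Get-OneDriveLinkedAccounts {
    # The sync client keeps one subkey per signed-in account under
    # HKCU\Software\Microsoft\OneDrive\Accounts (Business1, Business2, Personal...).
    # A subkey named Personal means a consumer account is, or was, linked.
    $accountsKey = 'HKCU:\Software\Microsoft\OneDrive\Accounts'
    if (-not (Test-Path $accountsKey)) { return @() }
    Get-ChildItem -Path $accountsKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Account    = $_.PSChildName
            IsPersonal = $_.PSChildName -like 'Personal*'
            UserEmail  = $p.UserEmail
            UserFolder = $p.UserFolder
        }
    }
}

# Usage: audit first, then enforce.
Get-OneDriveLinkedAccounts | Where-Object IsPersonal | Format-Table -AutoSize
Set-OneDrivePersonalSyncPolicy -BlockPersonalSync $true
```

Both keys are per-user, so for a fleet the policy goes out through a User Configuration GPO or an Intune settings-catalog profile rather than a script run as the local administrator, and the audit has to run in each user's context (or against each loaded hive under HKEY_USERS) to see that user's linked accounts.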
D-Link Releases Security Updates Addressing Critical Vulnerabilities
D-Link has released a total of 28 security patches, including 14 high-severity and 14 medium-severity fixes. These updates address multiple remote command injection and buffer overflow vulnerabilities affecting legacy router models such as DIR-600L, DIR-605L, DIR-619L, and DIR-890L — all of which are no longer supported by the vendor. Notable CVEs include CVE-2025-4441, CVE-2025-4349, CVE-2025-4350, CVE-2025-4442, and CVE-2025-4450.
RECOMMENDATIONS
- Ensure all systems are patched and updated. The DIR-600L, DIR-605L, DIR-619L and DIR-890L are end-of-life, so where no vendor fix exists the realistic remediation is to retire and replace the device; until then keep its management interface off the internet and segmented from sensitive networks.
Microsoft Addresses Critical Vulnerabilities in Azure and Power Platform
Microsoft has released a security update addressing 6 vulnerabilities, including 4 critical and 2 high-severity issues. The critical vulnerabilities include CVE-2025-29972 (SSRF in Azure Storage), CVE-2025-29827 (privilege escalation in Azure Automation), CVE-2025-47733 (SSRF in Microsoft Power Apps), and CVE-2025-29813 (privilege escalation in Azure DevOps due to improper handling of pipeline job tokens). The high-severity vulnerabilities include CVE-2025-33072 (improper access control in Azure) and CVE-2025-47732 (remote code execution in Microsoft Dataverse).
RECOMMENDATIONS
- Ensure all systems are patched and updated. Several of these are fixes to Microsoft-hosted services; check each MSRC advisory (linked below) for whether any customer action is required for your tenant or for any self-hosted components.
Google Releases Security Update for Chrome WebAudio Vulnerability
Google has released a security update addressing a medium-severity vulnerability in Google Chrome, fixed in version 136.0.7103.92/.93 for Windows and Mac and 136.0.7103.92 for Linux. The flaw, tracked as CVE-2025-4372, is a use-after-free in the WebAudio component. A use-after-free occurs when a program continues to access memory after it has been freed; depending on what the allocator later places in that memory, the outcome ranges from a crash or unpredictable behaviour to attacker-controlled memory corruption and, in the worst case, code execution in the (sandboxed) renderer process that an attacker can chain with other bugs for a full compromise or privilege escalation.
RECOMMENDATIONS
- Ensure all systems are patched and updated. Chrome updates itself, but the new build is only active after a restart; confirm the running version is 136.0.7103.92 or later rather than relying on the updater having downloaded it.
Apache Tomcat Fails to Validate Input, Triggers DoS Risk
A vulnerability has been identified in Apache Tomcat that could lead to a denial of service (DoS). Incorrect error handling for invalid HTTP priority headers causes a memory leak; a client that keeps sending malformed headers can exhaust the heap, triggering an OutOfMemoryError and crashing the server.
This issue affects Apache Tomcat from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, and from 11.0.0-M2 through 11.0.5.
RECOMMENDATIONS
- Ensure all systems are patched and updated: upgrade to a Tomcat release later than the affected ranges on the branch you run. Check embedded Tomcat too (Spring Boot and similar bundle it), as it will not show up in an inventory of standalone installs.
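A version-range check that serves both the Chrome and the Tomcat items above, as an added example (not code from Help AG, Google or Apache). It assumes the default Chrome install path on Windows and that Tomcat's version can be read from catalina.jar's ServerInfo.properties; the milestone handling exists because Tomcat's affected range starts at a pre-release (11.0.0-M2), which the built-in [version] type cannot parse.

```powershell
# Added example (not from the Help AG bulletin): compare installed Chrome and
# Tomcat builds against the affected ranges quoted in the bulletin.
# Assumptions: default Chrome path; Tomcat version taken from catalina.jar.

function ConvertTo-ComparableVersion {
    param([Parameter(Mandatory)][string]$Version)
    # Tomcat milestones look like 11.0.0-M2. Treat "-Mn" as a pre-release of the
    # base version so that 11.0.0-M2 < 11.0.0-M3 < 11.0.0 < 11.0.1.
    if ($Version -match '^(\d+(?:\.\d+)*)-M(\d+)$') {
        return [pscustomobject]@{ Base = [version]$Matches[1]; Milestone = [int]$Matches[2] }
    }
    return [pscustomobject]@{ Base = [version]$Version; Milestone = [int]::MaxValue }
}

function Compare-ComparableVersion {
    param($A, $B)
    $c = $A.Base.CompareTo($B.Base)
    if ($c -ne 0) { return $c }
    return $A.Milestone.CompareTo($B.Milestone)
}

function Test-VersionInRanges {
    param(
        [Parameter(Mandatory)][string]$Version,
        # Each range is written 'low to high' and is inclusive at both ends.
        [Parameter(Mandatory)][string[]]$AffectedRanges
    )
    $v = ConvertTo-ComparableVersion $Version
    foreach ($range in $AffectedRanges) {
        $lo, $hi = $range -split ' to ', 2
        if ((Compare-ComparableVersion $v (ConvertTo-ComparableVersion $lo)) -ge 0 -and
            (Compare-ComparableVersion $v (ConvertTo-ComparableVersion $hi)) -le 0) {
            return $true
        }
    }
    return $false
}

function Get-InstalledChromeVersion {
    $exe = Join-Path $env:ProgramFiles 'Google\Chrome\Application\chrome.exe'
    if (-not (Test-Path $exe)) {
        $exe = Join-Path ${env:ProgramFiles(x86)} 'Google\Chrome\Application\chrome.exe'
    }
    if (Test-Path $exe) { return (Get-Item $exe).VersionInfo.ProductVersion }
}

function Get-TomcatVersion {
    param([Parameter(Mandatory)][string]$CatalinaHome)   # e.g. C:\tomcat (assumed path)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Join-Path $CatalinaHome 'lib\catalina.jar'))
    try {
        $entry  = $zip.GetEntry('org/apache/catalina/util/ServerInfo.properties')
        $reader = [System.IO.StreamReader]::new($entry.Open())
        $text   = $reader.ReadToEnd(); $reader.Dispose()
        # The file carries a line such as: server.info=Apache Tomcat/9.0.102
        if ($text -match 'server\.info=Apache Tomcat/(\S+)') { return $Matches[1] }
    } finally { $zip.Dispose() }
}

# Ranges from the bulletin. Chrome: anything below the fixed 136.0.7103.92 build.
$ChromeAffected = @('0.0.0.0 to 136.0.7103.91')
$TomcatAffected = @('9.0.76 to 9.0.102', '10.1.10 to 10.1.39', '11.0.0-M2 to 11.0.5')

$chrome = Get-InstalledChromeVersion
if ($chrome) { "Chrome $chrome affected by CVE-2025-4372: $(Test-VersionInRanges $chrome $ChromeAffected)" }

# Constructed sample versions, so the Tomcat logic can be exercised without an install.
foreach ($v in '9.0.75', '9.0.102', '10.1.40', '11.0.0-M1', '11.0.0-M2', '11.0.5', '11.0.6') {
    "Tomcat $v affected: $(Test-VersionInRanges $v $TomcatAffected)"
}
```

On the constructed samples, 9.0.102, 11.0.0-M2 and 11.0.5 report as affected and the rest do not; the milestone rule is what keeps 11.0.0-M1 out of a range that starts at 11.0.0-M2. To check a real server, feed the result of Get-TomcatVersion into Test-VersionInRanges the same way.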
TheWizards APT Group Spoofs SLAAC Responses to Intercept Data
Researchers have identified an Advanced Persistent Threat (APT) group, dubbed TheWizards, employing adversary-in-the-middle (AitM) attacks that abuse Stateless Address Autoconfiguration (SLAAC) in IPv6 networks. By sending spoofed IPv6 Router Advertisement (RA) messages, the mechanism SLAAC relies on, TheWizards can make hosts on the segment adopt an attacker-controlled system as their default gateway and DNS server, so that traffic is redirected through it for interception and potential manipulation. This technique poses a significant risk not only to organizations running IPv6 but also to those that have never deployed it, since modern operating systems accept Router Advertisements by default, and it is hardest to spot where network segmentation and layer-2 monitoring are weak.
RECOMMENDATIONS
- Enable RA Guard (or equivalent ICMPv6 filtering) on access switches so that only authorised ports can originate Router Advertisements.
- Where IPv6 is not deployed, disable router discovery on endpoints instead of leaving hosts to trust any RA seen on the segment.
- Monitor for unexpected Router Advertisements and for hosts that suddenly acquire a second IPv6 default gateway or DNS server.
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor network activity for abnormal behaviors and Indicators of Compromise (IOCs).
- Ingest published IOCs into monitoring and blocking controls promptly to strengthen security posture and mitigate potential threats.
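A host-side check for the symptom a spoofed Router Advertisement leaves behind, a second IPv6 default gateway, together with the endpoint mitigation mentioned above, as an added PowerShell example (not code from Help AG or from the researchers who documented TheWizards). The legitimate gateway address fe80::1 is a hypothetical value to replace with your router's link-local address.

```powershell
# Added example (not from the Help AG bulletin): list IPv6 default gateways a
# Windows host has learned, flag any that are not the expected router, and
# optionally stop an interface from honouring Router Advertisements at all.
# Assumption: $ExpectedGateway holds the real router's link-local address.

function Get-RogueIPv6Gateways {
    param([string[]]$ExpectedGateway = @())
    # Windows installs one ::/0 route per router that advertised itself with a
    # non-zero router lifetime, so a spoofed RA shows up as an extra default route.
    Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $nb = Get-NetNeighbor -IPAddress $_.NextHop -InterfaceIndex $_.InterfaceIndex `
                  -ErrorAction SilentlyContinue
            [pscustomobject]@{
                InterfaceAlias = $_.InterfaceAlias
                NextHop        = $_.NextHop
                RouterMac      = $nb.LinkLayerAddress   # the MAC to hunt for on the switch
                RouteMetric    = $_.RouteMetric
                Unexpected     = $ExpectedGateway -notcontains $_.NextHop
            }
        }
}

function Disable-IPv6RouterDiscovery {
    # Mitigation for interfaces that have no business learning routers via RA,
    # e.g. a client VLAN where IPv6 is not deployed. Requires an elevated shell.
    param([Parameter(Mandatory)][string]$InterfaceAlias)
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 -RouterDiscovery Disabled
    Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 |
        Select-Object InterfaceAlias, RouterDiscovery
}

# Usage: 'fe80::1' is a hypothetical legitimate router address.
$gateways = Get-RogueIPv6Gateways -ExpectedGateway 'fe80::1'
$gateways | Format-Table -AutoSize
if ($gateways | Where-Object Unexpected) {
    Write-Warning 'Unexpected IPv6 default gateway present: locate the advertising host by its MAC.'
}
# Disable-IPv6RouterDiscovery -InterfaceAlias 'Ethernet'   # only where IPv6 is unused
```

The RouterMac column is the pivot point for incident response: the switch port behind that MAC is where the spoofing host sits, and it is the same MAC an RA Guard log would record. Disabling router discovery is a blunt instrument, so apply it only to interfaces on segments that genuinely carry no IPv6.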
Threat Actors Exploit Middle Eastern Infrastructure Using Stolen VPNs and Custom Malware
FortiGuard researchers investigated a persistent, state-sponsored cyberespionage campaign targeting critical infrastructure in the Middle East. The campaign is attributed with high confidence to a threat group operating from Western Asia, with TTP overlaps linked to Lemon Sandstorm.
Attackers initially accessed networks using stolen VPN credentials and deployed multiple layers of malware (HanifNet, HXLibrary, NeoExpressRAT, and RemoteInjector) to establish long-term persistence, evade detection, and enable lateral movement.
They chained publicly available tunnelling and proxy tools (e.g., Ngrok, Plink, ReverseSocks5) to bypass network segmentation and targeted both virtualization platforms and Operational Technology (OT) environments, likely to maintain a foothold for future geopolitical leverage. Additionally, the group exploited a previously undocumented vulnerability in ZKTeco ZKBioTime software and, after containment efforts began, conducted phishing campaigns to steal fresh credentials and regain access.
RECOMMENDATIONS
- Enforce MFA for all VPN and privileged account access.
- Conduct regular credential rotation and enforce strong password policies.
- Review and harden segmentation between IT (Information Technology) and OT environments.
- Deploy behavioral-based EDR (Endpoint Detection and Response) with detection rules for proxy chaining and lateral movement.
- Audit scheduled tasks and IIS modules for anomalies.
- Monitor for unauthorized use of tools like Ngrok, Plink, and ReverseSocks5, including renamed copies: match on command-line patterns and outbound connection behaviour, not just on file names.
- Apply allowlisting to limit execution of unsigned executables and loaders.
- Perform regular patching of public-facing systems and software, especially ZKTeco systems.
- Test incident response plans for state-sponsored threats and simulate VPN credential compromise scenarios.
- Implement continuous monitoring of virtualization platforms and OT network activity.
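A host hunt that covers three of the recommendations above (proxy-tool use, scheduled-task persistence, and IIS module anomalies), as an added PowerShell example and not code from Help AG or Fortinet. The tool-name pattern and the "launched from a user-writable path" heuristic are assumptions to tune per environment, and the IIS module allowlist covers the default Microsoft locations only.

```powershell
# Added example (not from the Help AG bulletin): hunt for tunnelling/proxy tools,
# scheduled tasks launching from user-writable paths, and IIS native modules
# loaded from outside the standard Microsoft directories.
# Assumptions: the name pattern and path heuristics below; tune them locally.

$ProxyToolPattern = 'ngrok|plink|reversesocks5|revsocks'
$UserWritable     = '\\Users\\|\\ProgramData\\|\\Temp\\|\\AppData\\'

function Find-ProxyToolProcesses {
    # Match on name and full command line so a renamed binary with tell-tale
    # arguments (e.g. "tcp 443", "-R", "-pw") still surfaces.
    Get-CimInstance Win32_Process | Where-Object {
        ($_.Name + ' ' + $_.CommandLine) -match $ProxyToolPattern
    } | Select-Object ProcessId, Name, CommandLine
}

function Find-SuspiciousScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $UserWritable -or $cmd -match $ProxyToolPattern) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    Command  = $cmd.Trim()
                }
            }
        }
    }
}

function Find-UnexpectedIisModules {
    # Native IIS modules normally live under %windir%\System32\inetsrv (or
    # SysWOW64\inetsrv), managed engines under %windir%\Microsoft.NET, and the
    # ASP.NET Core module under %ProgramFiles%\IIS. Anything else deserves a look.
    if (-not (Get-Module -ListAvailable WebAdministration)) { return }   # not an IIS host
    Import-Module WebAdministration
    $allowed = @(
        (Join-Path $env:windir 'System32\inetsrv'),
        (Join-Path $env:windir 'SysWOW64\inetsrv'),
        (Join-Path $env:windir 'Microsoft.NET'),
        (Join-Path $env:ProgramFiles 'IIS')
    )
    Get-WebGlobalModule | ForEach-Object {
        # applicationHost.config stores images with %windir%-style variables; expand first.
        $image = [Environment]::ExpandEnvironmentVariables($_.Image)
        $ok = $false
        foreach ($prefix in $allowed) {
            if ($image.StartsWith($prefix, 'OrdinalIgnoreCase')) { $ok = $true; break }
        }
        if (-not $ok) { [pscustomobject]@{ Name = $_.Name; Image = $image } }
    }
}

Find-ProxyToolProcesses        | Format-Table -AutoSize
Find-SuspiciousScheduledTasks  | Format-Table -AutoSize
Find-UnexpectedIisModules      | Format-Table -AutoSize
```

Run it with an elevated shell so that tasks owned by other accounts and the full command line of SYSTEM processes are visible. A clean result does not prove absence: the campaign also used in-memory loaders, so pair this with EDR telemetry rather than treating it as a substitute.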
Keymous+ Hacktivist Group Targets UAE with DDoS and Hacking Campaign
Earlier this week, the hacktivist group Keymous+, along with several affiliated actors, claimed responsibility for a distributed denial-of-service (DDoS) and hacking campaign targeting entities in the UAE. The attackers reportedly exploited misconfigured servers that publicly exposed credentials to gain unauthorized access.
The campaign, dubbed HackForHumanity, was announced by the attackers as part of a broader hacktivist operation.
RECOMMENDATIONS
- Continuously monitor all publicly exposed assets, including for configuration files, backups or other credential material that a misconfiguration leaves readable from the internet.
- Regularly rotate passwords and enforce multi-factor authentication (MFA), and rotate immediately any credential found exposed, since it should be treated as already harvested.
- Implement DDoS protection at both the application and network levels.
References:
https://www.microsoft.com/en-us/microsoft-365/roadmap?id=490064
https://cybersecuritynews.com/microsoft-onedrive-default-sync/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33072
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29972
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29827
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47733
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29813
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47732
https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop.html
https://lists.apache.org/thread/y14yjrf40w2236hwjv7gmhs65csn42gj
https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_29.html