Highlights From Security Analysis – Message From The Head Of Security Analysis

Hanna Mathai

By Mukhammad Khalilov, Head of Security Analysis

Help AG’s Cybersecurity Analysis team has over 120 zero-day findings to its credit, placing it amongst the leading forces in the UAE for cybersecurity research. The team has been conducting security assessments on various network infrastructures and has observed many attack vectors being deployed by black hat hackers. But the major weaknesses we see in organizations are mainly centered around the human factor, misconfiguration of default credentials, and missing patches.

To make cybersecurity even more challenging, there is currently a trend towards Ransomware as a Service (RaaS). RaaS is a subscription-based approach that allows attackers to use already developed ransomware to execute attacks against their targets, which increases the scale of attacks. One of the players in the RaaS delivery model is DarkSide, which provides professional operation and support to its users.

Simple mistakes and misjudgments of security have led many organizations to suffer huge financial losses, whether as the result of a ransom demand or service downtime. We have all witnessed what can happen when essential commodities are not available. In one instance, the fuel shortages that resulted from the ransomware attack that hit Colonial Pipeline caused havoc in the US. Another example is when REvil ransomware attackers managed to cause a huge ransomware spread across the web, demanding around USD 70M. These incidents are an indication that cyberthreats are increasing and that it is not cheap to deal with them. The combination of ransomware and its impact on availability is an issue in connected networks that will make a huge difference to our day-to-day operations as we all become more interconnected.
Organizations will continue to be attacked by targeted campaigns or large-scale attacks, but to defend against those attacks and ever-evolving threats, it is highly recommended to follow these precautionary steps:
  1. Perform regular patch management and updates
  2. Keep track of IT assets
  3. Perform regular cyber hygiene trainings against phishing attacks
  4. Conduct quarterly penetration testing on both internal and external networks
  5. If an organization or entity is operating in the financial sector, it should include Red Teaming on top of its infrastructure penetration testing
  6. Change default passwords to more complex passwords
  7. Enable Multi-Factor Authentication (MFA) for your organization's users, even for personal login pages
  8. Don’t use company laptops for personal purposes

Our final advice is to never underestimate an attack, vulnerability or exposure of information, as it can be a doorway for attackers to significantly harm your organization.

Most exploited vulnerabilities
CVE-2021-34527 – PrintNightmare Vulnerability
Impact

Q2 of 2021 saw another devastating attack against Microsoft services which are actively used by end users and servers. This vulnerability affected the Print Spooler service and allowed attackers to run commands and perform remote code execution with system privileges. This one vulnerability alone could bring down the operation of IT or cause huge changes on the network.

Remediation

It is highly recommended to install the updates released by Microsoft as well as perform the tweaks below on critical servers or workstations.

Registry settings to be set to 0 or not defined:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Option 1 – Disable the Print Spooler service
  • Stop-Service -Name Spooler -Force
  • Set-Service -Name Spooler -StartupType Disabled
Option 2 – Disable inbound remote printing through group policy

In the group policy:

  • Computer Configuration / Administrative Templates / Printers
  • Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
  • For more information, visit this link.
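
A read-only PowerShell check of the settings above, added here as an example (not part of the original article and not Microsoft's own tooling). It assumes the "Allow Print Spooler to accept client connections" policy is stored as the RegisterSpoolerRemoteRpcEndPoint value (2 = disabled), a name that does not appear on this page.

```powershell
# Added example: read-only audit of the PrintNightmare (CVE-2021-34527) settings.
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint = Join-Path $printers 'PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. "not defined".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$findings = @()

# Both Point and Print values must be 0 or not defined.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = Get-PolicyValue -Path $pointAndPrint -Name $name
    $findings += [pscustomobject]@{
        Check = "PointAndPrint: $name"
        Value = if ($null -eq $value) { 'not defined' } else { $value }
        Pass  = ($null -eq $value) -or ($value -eq 0)
    }
}

# Option 1: Spooler stopped and disabled.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerOff = ($null -eq $spooler) -or
    ($spooler.Status -eq 'Stopped' -and $spooler.StartType -eq 'Disabled')

# Option 2: inbound remote printing refused by policy.
# Assumption: the policy is stored as RegisterSpoolerRemoteRpcEndPoint (2 = disabled).
$rpc = Get-PolicyValue -Path $printers -Name 'RegisterSpoolerRemoteRpcEndPoint'
$remoteRefused = ($rpc -eq 2)

$findings += [pscustomobject]@{
    Check = 'Spooler disabled (Option 1) or remote printing refused (Option 2)'
    Value = "SpoolerOff=$spoolerOff; RemoteRefused=$remoteRefused"
    Pass  = $spoolerOff -or $remoteRefused
}

$findings | Format-Table -AutoSize
if ($findings.Pass -contains $false) { exit 1 }
```

The non-zero exit code on any failed check lets the script be used from a scheduled compliance task; it changes nothing on the host.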
CVE-2021-26855-8 and 2021-27065 – MS Exchange Remote Code Execution
Impact

Another set of vulnerabilities was around one of the most critical services, MS Exchange Servers, which allow a remote attacker to perform code execution via a combination of multiple attacks on the servers. This also enables the attacker to create a backdoor or implant ransomware on the affected systems.

Remediation

It is important to install the patch released by Microsoft on the servers and follow the guidelines set by Microsoft.

CVE-2021-21972 – vSphere Remote Code Execution
Impact

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Remediation

It is important to install the patch and updates from the vendor.

CVE-2021-1366 – AnyConnect Code Execution
Vulnerability

This was a vulnerability in a Cisco AnyConnect product. The vulnerability is exploited by crafting an IPC message to the AnyConnect process. To execute this attack, the attacker must first obtain valid credentials.

Remediation

Currently there is no workaround, but an advisory and a patch are available.

CVE-2021-33739 – MS DWM Core Library LPE
Impact

Here we are shifting away from Remote Code Execution to Local Privilege Escalation for a change. There has been a new working attack against the MS DWM Core Library which would allow the attacker to execute commands with higher privileges. To perform this attack, the attacker must have low-privileged access to the system.
