Threat advisories

Top Middle East Cyber Threats – July 09, 2024  

5 min to read
Top Middle East Cyber Threats – July 09, 2024  

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats. 

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead. 

Campaign Exploits CVE-2024-21412 to Bypass Microsoft Defender SmartScreen 

A recent campaign has been revealed to be exploiting the vulnerability CVE-2024-21412 to bypass Microsoft Defender SmartScreen and deploy payloads on victims’ systems. 

The initial infection starts with a spam email that appears to come from a trusted source. The email is crafted to entice the recipient into clicking a link, which tricks the user into viewing an internet shortcut file hosted on a remote WebDAV share. When the user double-clicks the internet shortcut file, it exploits CVE-2024-21412 and executes another LNK file hosted on the same WebDAV share, initiating the infection process. 

This attack uses a multifaceted approach, employing various script files, such as PowerShell and JavaScript, to deliver the final payload. This multi-stage process ultimately results in the deployment of malicious payloads like Lumma and Meduza Stealer, both of which aim to collect sensitive information from the victim’s machine. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files, or attachments. 
  • Don’t allow Macros for unknown MS Office files. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure that your email server is configured to block any suspicious files. 
  • Enforce the Restricted PowerShell script execution policy for end users. 
  • Monitor your network for abnormal behaviors and IoCs. 
  • Ensure frequent backups are in place. 
  • Educate employees about detecting and reporting phishing / suspicious emails. 

Cisco Patches NX-OS Zero-Day Exploited in April Attacks 

Cisco has patched an NX-OS zero-day exploited in April attacks to install previously unknown malware as root on vulnerable switches. 

The list of impacted devices includes multiple switches running vulnerable NX-OS software: 

  • MDS 9000 Series Multilayer Switches 
  • Nexus 3000 Series Switches 
  • Nexus 5500 Platform Switches 
  • Nexus 5600 Platform Switches 
  • Nexus 6000 Series Switches 
  • Nexus 7000 Series Switches 
  • Nexus 9000 Series Switches in standalone NX-OS mode 

Researchers detected this exploitation during a larger forensic investigation into the nexus cyberespionage group tracked as Velvet Ant. 

The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files, and execute malicious code. 

Cisco has reported that the vulnerability (tracked as CVE-2024-20399) allows local attackers with administrator privileges to execute arbitrary commands with root permissions on the underlying operating systems of vulnerable devices. 

This vulnerability is due to insufficient validation of arguments passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. 

A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

Splunk Update Fixes Multiple Vulnerabilities 

Splunk has published a security update to address 15 CVEs in Splunk Enterprise versions 9.0, 9.1, and 9.2. Out of the total number of 15 CVEs patched today, 5 were classified as high severity and 10 as medium severity. 

Most of the vulnerabilities fixed today are authentication-based and fall under multiple categories, including Denial of Service, Path Traversal, Command Injection, Remote Code Execution (RCE), Cross-Site Scripting (XSS), and information disclosure. 

Splunk released fixes for all impacted versions, and it is highly recommended to upgrade vulnerable systems to the fixed version. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

OpenSSH Vulnerability Grants Root Privileges on Linux Systems 

A new OpenSSH unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2024-6387 and dubbed “regreSSHion,” grants root privileges on glibc-based Linux systems. Notably, this vulnerability reintroduces a previously patched issue tracked as CVE-2006-5051. 

OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, as well as file transfers via SCP and SFTP. 

The flaw, discovered by researchers at Qualys in May 2024 and assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root. 

The regreSSHion flaw impacts OpenSSH servers on Linux from version 8.5p1 up to, but not including, 9.8p1. Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable to CVE-2024-6387. Versions older than 4.4p1 are vulnerable to regreSSHion unless they are patched for CVE-2006-5051 and CVE-2008-4109. 

RECOMMENDATIONS 

  • Apply the latest available update for the OpenSSH server (version 9.8p1), which fixes the vulnerability. 
  • Limit SSH access using network-based controls to minimize attack risks. 
  • Segment your networks to restrict unauthorized access and lateral movement within critical environments. 
  • If immediate updating of the OpenSSH server is not possible, consider setting the ‘LoginGraceTime’ to 0 in the sshd configuration file. Note, however, that this can expose the server to denial-of-service attacks. 

VMware Publishes Security Update for Information Exposure Vulnerability  

VMware has published a security update to address a moderate-level information exposure vulnerability in VMware Workspace ONE UEM. 

A malicious actor with network access to Workspace ONE UEM may be able to perform an attack resulting in information exposure. 

VMware published fixes to remediate CVE-2024-22260 for the below versions: 

Product  Version  CVE Identifier  Severity  Fixed Version 
VMware Workspace One UEM  23.10.x  CVE-2024-22260  Moderate 

 

23.10.0.13 
VMware Workspace One UEM  23.6.x  CVE-2024-22260  Moderate 

 

23.6.0.30 
VMware Workspace ONE UEM  23.2.x  CVE-2024-22260  Moderate 

 

23.2.0.46 
VMware Workspace One UEM  22.12.x  CVE-2024-22260  Moderate 

 

22.12.0.47 

 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

References 

https://cyble.com/blog/increase-in-the-exploitation-of-microsoft-smartscreen-vulnerability-cve-2024-21412/ 

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cmd-injection-xD9OhyOP?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20NX-OS%20Software%20CLI%20Command%20Injection%20Vulnerability&vs_k=1 

https://advisory.splunk.com/advisories 

https://www.qualys.com/regresshion-cve-2024-6387/ 

https://www.vmware.com/security/advisories/OMSA-2024-0001.html 

Share this article

title
Upcoming event

Help AG & Zscaler – Perimeter Re- Imagined with Zero Trust and AI

Help AG and Zscaler's exclusive event – Perimeter ...

  • Dubai