Top Middle East Cyber Threats – 12 Oct 2020
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Spike in Ransomware Attacks
Ransomware incidents have become increasingly common against federal, local, tribal, and territorial government entities and critical infrastructure organizations. Ransomware attacks can significantly disrupt business processes and leave organizations without the data they need to operate and deliver mission-critical services. Over time, malicious actors have changed their ransomware tactics: in addition to encrypting data, they now threaten to release stolen data if the victim does not pay, and publicly name and shame victims as a secondary form of extortion.
Help AG has observed three different ransomware variants over the past weeks, primarily targeting the insurance, oil and gas, and construction industries in the Middle East:
- Mespinoza: This ransomware was first observed claiming victims in October 2019. Victims at the time reported that encrypted files carried the .locked extension. In December 2019 a new Mespinoza version appeared that appended .pysa instead, which is why the family is often referred to by its second name, "Pysa". Mespinoza first surfaced via malspam.
- Ryuk: This ransomware is operated by a sophisticated eCrime group known as Wizard Spider, which has been targeting large organizations for high ransom returns since August 2018. Wizard Spider is a Russia-based criminal group known for operating the TrickBot banking malware, which in the past concentrated mainly on wire fraud. Code comparison between Ryuk and the Hermes ransomware suggests that Ryuk was derived from the Hermes source code and has been continuously evolving since its release.
The following vulnerabilities have been exploited in past Ryuk infections:
- Adobe Acrobat and Reader Arbitrary Code Execution Vulnerability (CVE-2018-12808).
- Zyxel EMG2926 home router OS Command Injection Vulnerability (CVE-2017-6884).
- Network Weathermap HTML Injection Vulnerability (CVE-2013-2618).
- MikroTik routers Remote Code Execution vulnerabilities CVE-2018-1156 and CVE-2018-14847.
- RobbinHood: This ransomware appeared in 2019, when it hit the city networks of Baltimore and Greenville. Research into CVE-2018-19320 shows that RobbinHood abuses a vulnerable, legitimately signed third-party (GIGABYTE) driver that it loads onto the victim's computer in order to disable security software before encrypting. Recent findings indicate that it is not distributed by spam but by other means, which may include compromised remote desktop services or other trojans that give the attackers access. RobbinHood was previously observed targeting users in South Korea via the GreenFlash Sundown exploit kit.
Malicious actors rely on lateral movement to reach sensitive data and spread ransomware across networks. Tactics such as deleting backups are increasingly used by these actors, making restoration and recovery difficult or impossible for affected organizations. Throughout the initial disruption and the at times prolonged recovery, the economic and reputational impact of ransomware attacks is a concern for organizations of every size.
- Maintain offline, encrypted backups of your data and test them periodically. Some ransomware variants actively locate and erase any reachable backups, so keeping backups offline is essential.
- Create, manage, and incorporate a basic cyber incident response plan and related communications plan that includes response and warning protocols for a ransomware incident.
- Prioritize timely patching of known vulnerabilities in Internet-facing servers and in software that processes Internet data, such as web browsers, browser plugins, and document readers. See CISA's guidance on Understanding Patches and Securing Network Infrastructure Devices.
- Ensure that systems are correctly configured and that security features are enabled. Disable ports and protocols that are not used for business purposes (e.g., Remote Desktop Protocol [RDP], TCP port 3389).
- Disable or block outbound Server Message Block (SMB) traffic at the network perimeter, and remove or disable outdated SMB versions (SMBv1 in particular).
- Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
- Use multi-factor authentication (MFA) for all services where possible, especially webmail, virtual private networks, and accounts with access to critical systems.
- Ensure that products with known vulnerabilities are securely configured in line with vendor best practices.
- Apply the Principle of Least Privilege, wherever applicable, to all systems and services.
- Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
- Further protect privileged accounts against pass-the-hash attacks by placing them in the Protected Users Active Directory security group in Windows domains (members of this group cannot authenticate with NTLM and their credentials are not cached, so test administrative workflows before adding accounts).
- Follow a multi-layered security approach. Provide multiple detection and defense points for inbound and outbound threats to minimize the possibility of exploitation.
- Keep VPNs, network infrastructure devices, and any systems used to remotely access the work environment updated with the latest software fixes and security configurations.
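The backup-deletion tactic described above leaves a recognizable trail in process-creation telemetry, and the recommendation to continuously monitor for deviations can be made concrete with a simple rule set. The following detection logic is an added example written for this post, not code from Help AG or any vendor; the log format (simplified key=value process-creation records) and the sample events are constructed, and the command-line patterns are the widely documented ones (vssadmin, wmic, wbadmin, bcdedit, Win32_ShadowCopy) rather than anything taken from the campaigns above.

```python
import re
from typing import Dict, List

# Command lines that ransomware operators commonly run to destroy shadow copies,
# backup catalogs and boot recovery options before encrypting. These are
# well-known tradecraft patterns chosen for this example, not taken from the post.
BACKUP_TAMPER_RULES: Dict[str, "re.Pattern[str]"] = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "powershell_delete_shadowcopy": re.compile(r"win32_shadowcopy\b.*\bdelete\b", re.I),
}

# One process-creation event per line as key=value pairs; values containing
# spaces are double-quoted. This export format is an assumption of the example.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict; quoted values keep their spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def detect_backup_tampering(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over the command line of every event and return one
    finding per (event, rule) match, in the order the events were seen."""
    findings = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("cmd", "")
        for rule, pattern in BACKUP_TAMPER_RULES.items():
            if pattern.search(cmd):
                findings.append({
                    "ts": event.get("ts", ""),
                    "host": event.get("host", ""),
                    "user": event.get("user", ""),
                    "rule": rule,
                    "cmd": cmd,
                })
    return findings


# Constructed sample records, not real telemetry. Two benign administrative
# commands are mixed in to show that the rules key on the destructive verbs.
SAMPLE_EVENTS = [
    r'ts=2020-10-05T09:12:01Z host=FS01 user=CORP\svc_backup cmd="vssadmin.exe list shadows"',
    r'ts=2020-10-05T09:12:07Z host=FS01 user=CORP\svc_backup cmd="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2020-10-05T09:12:09Z host=FS01 user=CORP\svc_backup cmd="wbadmin delete catalog -quiet"',
    r'ts=2020-10-05T09:12:11Z host=FS01 user=CORP\svc_backup cmd="bcdedit /set {default} recoveryenabled No"',
    r'ts=2020-10-05T09:12:15Z host=WS17 user=CORP\j.doe cmd="wmic process list brief"',
    r'ts=2020-10-05T09:12:20Z host=WS17 user=CORP\j.doe cmd="powershell -Command Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    r'ts=2020-10-05T09:12:25Z host=DB02 user="NT AUTHORITY\SYSTEM" cmd="VSSADMIN.EXE Delete Shadows /For=C: /Oldest"',
]

if __name__ == "__main__":
    for f in detect_backup_tampering(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']} [{f['rule']}] {f['cmd']}")
```

A burst of these commands from one host within seconds of each other, as in the FS01 records, is the strongest signal: it is the pre-encryption sequence, and it is usually the last point at which an isolation action still saves the backups.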
New Point-Of-Sale (POS) Malware
In May 2020, Visa Payment Fraud Disruption (PFD) recovered malware samples from two independent merchants in North America. In both cases the criminals targeted the merchants' point-of-sale (POS) terminals in an attempt to collect and exfiltrate payment card data. Analysis attributed the first attack to the TinyPOS malware variant and the second to a combination of POS malware families including RtPOS, MMon (aka Kaptoxa), and PwnPOS. These attacks highlight the continued interest of threat actors in targeting merchant POS systems to harvest payment account data from cards.
In the first attack, traced to the TinyPOS variant, authorized user accounts, including an administrator account, were compromised through a phishing attack and used by the threat actors to log in to the merchant's environment. The actors then used legitimate administrative tools to reach the cardholder data environment (CDE) within the network. Once inside the CDE they deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass-deploy the malware across the merchant's network, reaching different locations and their respective POS environments. The sample contained no network or exfiltration functionality at the time of analysis, so the actors likely exfiltrated the scraper's output log file from the network by other means.
In the second compromise, the threat actors targeted a North American hospitality merchant with POS malware. Analysis showed that variants including RtPOS, MMon (aka Kaptoxa), and PwnPOS were used. The researchers noted: "While less is known about the tactics used by the threat actors in this attack, there is evidence to suggest that the actors employed various remote access tools and credential dumpers to gain initial access, move laterally, and deploy the malware in the POS environment."
The malware used in those earlier phases of the compromise was not recovered.
- Secure remote access: use strong passwords, grant remote access only to those who need it, disable remote access when it is not in use, and require multi-factor authentication for remote sessions.
- Enable EMV (Europay, Mastercard, and Visa) chip acceptance to protect card-present (in-person) payments.
- Implement role-based access control (RBAC) so that user accounts are granted only the permissions essential to their job roles.
- Enable anti-malware heuristics (behavioral analysis) to detect suspicious or unusual behavior, and keep anti-malware software up to date.
- Enforce Network Segmentation, wherever necessary, to prevent the spread of malicious software and limit an attacker’s foothold.
- Deploy missing security patches and make patching a regular, institutionalized process to reduce the attack surface.
- Block the published indicators of compromise across the organization's security controls.
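The memory scraper described in the first compromise works by sweeping process memory for track 1 and track 2 formatted strings, and the same sweep is how a responder confirms that a suspected POS process is holding card data. The scanner below is an added example written for this post, not Visa's or Help AG's code and not a recovered sample; the memory buffer is constructed, the PANs are the public Luhn-valid test numbers (4111..., 5555..., 3782...), and the Luhn check is the standard card-number checksum, added here so that digit runs that merely sit next to a ';' or '=' are not reported as card data.

```python
import re
from typing import Dict, List

# Magnetic-stripe layouts that POS memory scrapers hunt for in process memory:
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK_PATTERNS = [
    ("track1", re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})\d{0,30}\?")),
    ("track2", re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d{0,30}\?")),
]


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation: doubles every second digit from the right,
    subtracts 9 from any doubled digit above 9, and requires the sum to be a
    multiple of 10. Separates real PANs from digit runs that merely match the layout."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so an analyst can triage without
    writing full PANs into an incident report or SIEM."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Dict[str, object]]:
    """Sweep a memory region for track-formatted data the way a scraper does and
    return masked, Luhn-annotated findings sorted by offset."""
    hits = []
    for track, pattern in TRACK_PATTERNS:
        for m in pattern.finditer(buf):
            pan = m.group("pan").decode("ascii")
            hits.append({
                "offset": m.start(),
                "track": track,
                "pan_masked": mask_pan(pan),
                "expiry": m.group("exp").decode("ascii"),
                "luhn_ok": luhn_ok(pan),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a dumped POS process memory region (not a real dump):
# padding and DLL-name noise around three genuine-looking track records and two
# records whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00" * 32 + b"MZ\x90\x00" + b"POSCore.dll\x00" * 3
    + b";4111111111111111=25121011234567890?" + b"\x00" * 16
    + b"%B5555555555554444^DOE/JOHN M^2410101000000000?" + b"\xff" * 8
    + b";4111111111111112=2512101?" + b"\x00" * 8
    + b"%B378282246310005^CARDHOLDER/TEST^2308101234?"
    + b";1234567890123=1234?" + b"\x00" * 32
)

if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        flag = "card data" if h["luhn_ok"] else "noise (Luhn fail)"
        print(f"0x{h['offset']:06x} {h['track']} {h['pan_masked']} exp={h['expiry']} {flag}")
```

On a real engagement the buffer comes from a memory dump of the suspect process (or of the whole host), and the count of Luhn-valid hits, together with their offsets, is what goes into the incident record; the full PANs never should.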
ZeroLogon Flaw Exploited by MuddyWater – Update
Microsoft published a security advisory on 11 August 2020 covering a flaw in the Netlogon Remote Protocol (CVE-2020-1472). The vulnerability, rated critical with a CVSS v3 base score of 10.0, affects multiple versions of Microsoft Windows Server on which the Active Directory Domain Services (AD DS) role is installed and the server acts as a domain controller. Any actor who can reach the TCP ports on which the Netlogon RPC service listens can exploit this vulnerability without valid credentials.
ZeroLogon, tracked as CVE-2020-1472, enables a privilege escalation attack against Microsoft Active Directory domain controllers: the attacker can establish a Netlogon secure channel and impersonate any computer in the domain, including the domain controller itself. The risk grew sharply when four different proof-of-concept exploits were publicly released. Microsoft recently warned of numerous malicious activities by MERCURY leveraging the ZeroLogon vulnerability in active campaigns over the past two weeks.
MERCURY (also known as MuddyWater, SeedWorm, and TEMP.Zagros) is an Iranian threat group that emerged in 2017, primarily targeting Middle Eastern nations, including the United Arab Emirates.
- Ensure that all your servers are patched and up to date. For further details on ZeroLogon mitigation steps, refer to the official guidance released by Microsoft.
- Domain controllers are key systems and should under no circumstances be directly reachable from the Internet.
- Help AG Threat Intelligence Team