
Top Middle East Cyber Threats – 28 Sep 2020


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
New Maze Ransomware
During recent investigations, our threat intelligence team detected a new Maze ransomware attack targeting UAE companies. After a successful attack, the threat actors also published sample data as evidence. Maze ransomware encrypts files and makes them inaccessible, appending a custom extension that contains part of the victim’s ID. The ransom note is placed in both a text file and an HTML file. The extensions appended to encrypted files vary and are generated randomly.
Like other ransomware, Maze can spread across a corporate network, infect the computers it finds, and encrypt data so that it cannot be accessed. What makes Maze different is that it also steals the data it discovers and exfiltrates it to servers operated by the attackers, who then threaten to release it if the ransom is not paid.
As per our analysis, Maze spreads mainly via email spam and various exploit kits.
Recommendations

  • Don’t open suspicious emails or click on unknown links or attachments. The easiest way to check a link is to hover over it with your mouse.
  • Check the file extensions of the files you download. Document files do not use the .EXE or .LNK file format.
  • Don’t open attachments unless you fully trust the source they came from.
  • Block indicators of compromise within the respective security controls organization wide.

Espionage Campaign by Iranian Threat Actor “Rampant Kitten”
Check Point’s latest analysis report exposes a threat actor suspected of being of Iranian origin. The campaign is said to have at least two distinct moving parts, one for Android and the other for Windows. The research highlights the use of a large array of intrusion tools, in the form of info stealers and backdoors, designed to steal personal information, passwords, Telegram messages and two-factor authentication codes from SMS messages.
According to Check Point, the infection chain was first traced to a malicious Microsoft Word document (named ‘Regime Fears the Spread of Revolutionary Cannons.docx’), which launches a next-stage payload. Once opened, this second-stage payload searches for Telegram on the Windows system. Finally, it drops three additional malicious executables to download further modules and exfiltrate relevant Telegram Desktop and KeePass files from the victim’s device. This data exfiltration allows the intruder to hijack the victim’s Telegram account and steal the messages, and to upload all acquired files to a server under the attackers’ control.
The report also supports a US Cybersecurity and Infrastructure Security Agency (CISA) advisory published earlier this week, which detailed an Iranian cyber actor’s use of PowerShell scripts to access encrypted password credentials stored by the KeePass password management program.
Interestingly, the backdoor’s focus on capturing classified information and accessing KeePass and Telegram accounts shows that the attackers were interested in acquiring data on the victims and learning more about their activities.
Recommendations

  • Don’t open suspicious emails or click on unknown links or attachments. The easiest way to check a link is to hover over it with your mouse.
  • Check the file extensions of the files you download. Document files do not use the .EXE or .LNK file format.
  • Don’t open attachments unless you fully trust the source they came from.
  • Ensure the secure configuration of vulnerable products in accordance with the best implementation practices.
  • Apply the Principle of Least Privilege wherever applicable to all systems and services.
  • Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
  • Block indicators of compromise within respective security controls throughout the organization.

New Crypto-Mining Malware “MrbMiner” Targets MSSQL Servers
Tencent’s latest report describes a group of attackers who, over the last few months, have been launching brute-force attacks against Microsoft SQL Server (MSSQL) instances with the intention of compromising them and installing crypto-mining malware known as MrbMiner.
Thousands of MSSQL servers have been attacked by this group’s botnets. The malware is named after one of the domains the group uses to host the malicious code.
After the attackers obtain access to a system, an initial assm.exe file is downloaded to achieve persistence and add a backdoor account for future access. The account used to conduct the attack is named “Default” and has the password “@fg125kjnhn987”. After creating the account, the malicious code connects to the C2 to download a Monero (XMR) cryptocurrency miner that runs on the local server. Interestingly, researchers also discovered on a C&C server a MrbMiner variant designed to target Linux servers and ARM-based systems. Security experts had only observed attacks on MSSQL servers, but a Monero wallet containing 3.38 XMR (~$300) was found during the review of the Linux version, indicating that the Linux versions were indeed used in the campaign.
Recommendations

  • Check MSSQL servers for the presence of the Default/@fg125kjnhn987 account.
  • Ensure the secure configuration of vulnerable products in accordance with the best implementation practices.
  • Apply the Principle of Least Privilege wherever applicable to all systems and services.
  • Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
  • Validate all communications on ports 3331, 3332, 3333, 3334 and 3338.
  • Block indicators of compromise within the respective security controls organization wide.
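
The two checks from the recommendations above, the backdoor login name and the listed ports, can be automated against data a SOC usually already has. The following Python script is an added example written for this advisory, not Help AG’s or Tencent’s code. It assumes two inputs: an export of SQL Server logins (for instance the name, type and creation date columns of sys.server_principals) and firewall log lines in a simple key=value format; the log format and all sample rows are constructed for the example, and the login name and ports come from the advisory.

```python
"""
Added example: flag the MrbMiner indicators named in the advisory in
  1. an exported list of SQL Server logins (checked for the backdoor login "Default");
  2. firewall/flow log lines (checked for connections to ports 3331-3334 and 3338).
All sample data below is constructed for the example.
"""
import re
from dataclasses import dataclass

# Indicators taken from the advisory text.
BACKDOOR_LOGIN = "Default"
SUSPECT_PORTS = {3331, 3332, 3333, 3334, 3338}

# Constructed export of SQL logins: (name, type_desc, create_date).
SAMPLE_LOGINS = [
    ("sa", "SQL_LOGIN", "2019-01-10"),
    ("CORP\\svc_backup", "WINDOWS_LOGIN", "2019-06-02"),
    ("Default", "SQL_LOGIN", "2020-09-20"),
    ("reporting_ro", "SQL_LOGIN", "2020-03-15"),
]

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_FW_LOG = """\
2020-09-21T02:14:03Z action=allow src=10.20.5.17 dst=203.0.113.45 dport=3333 proto=tcp
2020-09-21T02:14:05Z action=allow src=10.20.5.17 dst=198.51.100.9 dport=443 proto=tcp
2020-09-21T02:15:41Z action=allow src=10.20.5.31 dst=203.0.113.45 dport=3338 proto=tcp
2020-09-21T02:16:00Z action=deny src=10.20.5.17 dst=203.0.113.45 dport=3331 proto=tcp
2020-09-21T02:17:12Z action=allow src=10.20.5.40 dst=192.0.2.8 dport=1433 proto=tcp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    source: str
    detail: str


def find_backdoor_logins(logins, name=BACKDOOR_LOGIN):
    """Return login rows whose name matches the advisory's backdoor account.
    SQL Server login names are case-insensitive under the common collations,
    so the comparison is case-insensitive too (catches 'default', 'DEFAULT')."""
    return [row for row in logins if row[0].lower() == name.lower()]


def find_suspect_connections(log_text, ports=SUSPECT_PORTS):
    """Parse firewall lines and return those whose destination port is in the
    advisory's list. Denied connections are kept as well: a blocked attempt
    still identifies an internal host that tried to reach the miner's C2."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        if int(m["dport"]) in ports:
            hits.append(m.groupdict())
    return hits


def mrbminer_findings(logins=SAMPLE_LOGINS, log_text=SAMPLE_FW_LOG):
    """Combine both checks into one list of findings for triage."""
    findings = []
    for name, kind, created in find_backdoor_logins(logins):
        findings.append(Finding("mssql_logins", f"login '{name}' ({kind}) created {created}"))
    for h in find_suspect_connections(log_text):
        findings.append(Finding("firewall", f"{h['src']} -> {h['dst']}:{h['dport']} ({h['action']})"))
    return findings


if __name__ == "__main__":
    for f in mrbminer_findings():
        print(f"[{f.source}] {f.detail}")
```

In production the login export would come from a query against sys.server_principals on each instance, and the log lines from the SIEM; the parsing regex is the only part tied to the constructed log format. Port matching alone is a coarse indicator (the ports are not reserved for MrbMiner), so the output is a triage list, not a verdict.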

Surge in LokiBot Malware Activity
CISA recently highlighted a significant increase in the use of LokiBot malware by malicious cyber actors since July 2020. The report states that persistent malicious LokiBot activity was detected by CISA’s intrusion detection system during this period. LokiBot is credential- and information-stealing malware, often delivered as a malicious attachment. It is simple yet effective, which makes it an attractive tool for a wide range of cyber actors across a wide range of data compromise use cases.
LokiBot typically operates as a trojan to steal confidential information such as usernames, passwords, cryptocurrency wallets and other credentials. It steals credentials by using a keylogger to monitor browser and desktop activity. Another notable aspect of LokiBot is that it can also create a backdoor that lets an attacker install additional payloads on infected systems. Malicious cyber actors commonly use LokiBot against operating systems such as Windows and Android. Besides e-mail, they may also deliver it via malicious web pages, text messages and other private messages.
Recommendations

  • Apply missing security patches immediately and institutionalize security patching as part of a periodic process.
  • Disable file and printer sharing services. If these resources are required, use strong passwords or Active Directory authentication.
  • Apply the Principle of Least Privilege wherever applicable to all systems and services.
  • Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
  • Restrict users’ permissions to install and run unauthorized software applications. Do not add users to the local Administrators group unless necessary.
  • Don’t open suspicious emails or click on unknown links or attachments. The easiest way to check a link is to hover over it with your mouse.
  • Check the file extensions of the files you download. Document files do not use the .EXE or .LNK file format.
  • Don’t open attachments unless you fully trust the source they came from.
  • Enable a personal firewall, configured to reject unsolicited connection requests, on workstations.
  • Use portable media (for example, USB thumb drives, external drives and CDs) with caution.
  • Block indicators of compromise within the respective security controls organization wide.
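
The extension check recommended in the Maze, Rampant Kitten and LokiBot sections is easy to get wrong by hand because Windows resolves a file’s type from its last extension only, so a name such as Invoice.pdf.exe looks like a document but runs as a program. The following Python helper is an added example, not code from the advisory or from Help AG, that classifies attachment names by their effective extension and reports the document extension a flagged file hides behind. The .EXE and .LNK entries come from the advisory; the additional script and shortcut extensions in the block list are an assumption added for illustration, and all sample filenames are constructed.

```python
"""
Added example: classify attachment filenames by the extension Windows will
actually act on, flagging executables and shortcuts that pose as documents.
"""
import os

# .exe and .lnk are the types the advisory names; the rest are assumed additions
# of other double-click-executable types and can be tuned per environment.
EXECUTABLE_EXTS = {".exe", ".lnk", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Extensions users expect from "document" attachments (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def split_all_suffixes(filename):
    """Return every extension on a name, lower-cased, in order.
    'Report.PDF.exe' -> ['.pdf', '.exe']; 'README' -> []."""
    name = os.path.basename(filename.strip())
    parts = name.split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def classify_attachment(filename):
    """Return a verdict dict: 'block' for executable/shortcut types (with the
    document extension it masquerades as, if any), 'allow' otherwise,
    'no_extension' when the name carries none."""
    suffixes = split_all_suffixes(filename)
    if not suffixes:
        return {"verdict": "no_extension", "effective": None, "masquerade": None}
    effective = suffixes[-1]  # Windows chooses the handler by the last extension
    if effective in EXECUTABLE_EXTS:
        disguise = next((s for s in suffixes[:-1] if s in DOCUMENT_EXTS), None)
        return {"verdict": "block", "effective": effective, "masquerade": disguise}
    return {"verdict": "allow", "effective": effective, "masquerade": None}


def triage(filenames):
    """Classify a batch of names and return only those that should be blocked."""
    return {f: classify_attachment(f) for f in filenames
            if classify_attachment(f)["verdict"] == "block"}


# Constructed sample attachment names.
SAMPLE_ATTACHMENTS = [
    "Quarterly_Report.docx",
    "Invoice.pdf.exe",
    "scan_2020-09-21.lnk",
    "README",
    "Agenda.PDF",
    "update.js",
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE_ATTACHMENTS).items():
        print(f"BLOCK {name}: runs as {result['effective']}, "
              f"posing as {result['masquerade'] or 'nothing'}")
```

The same logic can run in a mail gateway rule or a download hook; the point is that the decision rests on the last extension, compared case-insensitively, rather than on whatever document-like extension appears earlier in the name.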

Multiple Vulnerabilities in Citrix Products – CVE-2020-8245 to CVE-2020-8247
Citrix has disclosed multiple vulnerabilities in Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP.
An attacker with unauthorized access to the management network could launch a network-based denial of service attack. To exploit the privilege escalation vulnerability, the attacker must already be able to execute arbitrary commands on the management interface. To exploit the code injection flaw, a remote attacker must also entice an authenticated user to open a specially crafted URL.
Depending on the vulnerability exploited, a successful attack on an affected system could result in code injection, denial of service or elevation of privileges.
Recommendations

  • Follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
  • Isolate network traffic to the appliance’s management interface from regular network traffic, either physically or logically.
  • Apply missing security patches immediately and institutionalize security patching as part of a periodic process.
  • Ensure the secure configuration of vulnerable products in accordance with the best implementation practices.
  • Apply the Principle of Least Privilege wherever applicable to all systems and services.
  • Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
