Top Cyber Threats in H2 2022
Adversaries continue to target nations in the Middle East, and Help AG has seen an increase in certain threats in the second half of 2022, specifically in the UAE and KSA. Some of the threats we look at below had been dormant for months and have resurfaced; others come from new adversary groups that are gaining pace rapidly.
Destructive Emotet Malware Returns to Business
Emotet is a destructive and pervasive malware family delivered through phishing campaigns whose attachments are macro-enabled Word or Excel documents.
Once the document is opened and macros are enabled, the macro downloads the Emotet DLL and loads it into memory. The loader then harvests email addresses from the victim to target additional users, and downloads follow-on payloads, among them Cobalt Strike beacons, which are frequently the precursor to a ransomware deployment.
The malware has been upgraded many times over the years and continues to evolve in 2022. Attributes of the new variant include:
- Drops additional payloads (banking trojans, mining tools)
- The malware now comes with binary changes and uses 64-bit code to evade detection
- Attempts to steal saved web browser credentials
The loader's ability to drop new payloads, its 64-bit rebuild and its theft of browser data make the new variant pervasive and hard to detect with common controls. Because the attack almost always enters an organization through a phishing email, regular awareness sessions and campaigns for employees and executives remain paramount, and blocking macros in documents that arrive from the internet, where the business can tolerate it, removes the initial stage entirely.
Emotet's habit of pulling down multiple payloads also makes network and file detection with Suricata and YARA rules effective: rules can be written for the attributes, patterns and characteristics of each payload, so the loader is caught even when the initial document slips through.
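The delivery chain described above (macro-enabled Office document, then a DLL pulled down and loaded from a user-writable location) is also visible in endpoint process-creation telemetry, independent of any payload signature. The script below is an added example, not Help AG's code and not an Emotet-specific signature: it runs three generic heuristics over process-creation events. The `key=value|key=value` record format and field names are constructed for this example (modelled loosely on Sysmon Event ID 1, not its exact schema), the sample events are constructed, and the "loader target lacks .dll/.ocx extension" heuristic is a general-practice addition rather than something the page states.

```python
"""
Added example (not Help AG's code): flag Office -> DLL-loader process chains
of the kind used by macro-based Emotet delivery.

Event records are a constructed 'key=value|key=value' format; field names are
an assumption for this example, not an exact Sysmon schema.
"""
import re
from dataclasses import dataclass, field

# Office applications that should rarely, if ever, spawn a DLL loader directly.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Living-off-the-land binaries that load and run a DLL on the caller's behalf.
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
# Locations a macro can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
# First absolute Windows path in a command line; stops at whitespace, quotes,
# or the "path,Export" comma that rundll32 uses.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s,"]+')
# Extensions a legitimate regsvr32/rundll32 target normally carries.
EXPECTED_EXT = {"dll", "ocx"}

# Constructed sample telemetry: two suspicious chains, two benign events.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\regsvr32.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|CommandLine=regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\oxnv1.ooccxx",
    r"EventID=1|Image=C:\Windows\System32\regsvr32.exe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=regsvr32.exe /s C:\Windows\System32\vbscript.dll",
    r"EventID=1|Image=C:\Windows\System32\rundll32.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|CommandLine=rundll32.exe C:\Users\bob\AppData\Local\abc.dll,Control_RunDLL",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe"
    r"|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c dir",
]


@dataclass
class Alert:
    image: str
    parent: str
    command_line: str
    reasons: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # An Office parent is the strongest single signal; the path and
        # extension heuristics on their own warrant a medium-priority triage.
        return "high" if "office-app spawned DLL loader" in self.reasons else "medium"


def parse_event(line: str) -> dict[str, str]:
    """Parse one 'key=value|key=value' record (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(ev: dict[str, str]) -> list[str]:
    """Return the heuristics a single process-creation event trips."""
    image = basename(ev.get("Image", ""))
    if image not in DLL_LOADERS:
        return []  # only the DLL-loading stage is of interest here
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_APPS:
        reasons.append("office-app spawned DLL loader")
    if USER_WRITABLE.search(cmd):
        reasons.append("payload in user-writable path")
    m = WIN_PATH.search(cmd)
    if m:
        target = m.group(0)
        ext = target.rsplit(".", 1)[-1].lower() if "." in basename(target) else ""
        if ext not in EXPECTED_EXT:
            reasons.append("loader target lacks .dll/.ocx extension")
    return reasons


def detect(lines) -> list[Alert]:
    """Run the heuristics over an iterable of records and collect alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        reasons = analyse(ev)
        if reasons:
            alerts.append(Alert(basename(ev["Image"]),
                                basename(ev.get("ParentImage", "")),
                                ev.get("CommandLine", ""), reasons))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.parent} -> {a.image}: {'; '.join(a.reasons)}")
```

The first and third sample events are flagged as high severity (all three, respectively two, heuristics fire); the explorer-launched regsvr32 registering a System32 DLL and the cmd.exe event produce no alert. In production the same three checks map directly onto an EDR or SIEM query over real process-creation events; the point is that they key on the loader behaviour, so they keep working when the DLL's hash or C2 changes.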
Justice Blade Group Attacks on Saudi Arabia
An attacker group calling itself “Justice Blade” surfaced recently, targeting large enterprises in Saudi Arabia in both the government and private sectors. The group infiltrated key enterprises and organizations such as FlyNas airlines and SAMACares. The attack vector was an IT outsourcing company, Smart Link BPO Solutions, which is linked to many high-profile enterprises in Saudi Arabia. Leaked private communications between group members also indicate network intrusions affecting Active Directory and the internal applications and services of these organizations.
While the full impact remains undisclosed, the group claims to have stolen sensitive data including CRM records, personal information, credentials and other material. It then released about 100,000 records on the dark web, including screenshots of active RDP sessions and lists of users. Because the outsourcing company serves many other organizations, there is also a high risk of follow-on supply chain attacks against its other customers.
While these attacks have been spinning up more frequently in recent months, we also see an influx of organizations seeking early detection and exploring managed security services that can take the problem off their shoulders. Threat actors and tools of this sophistication can only be detected and mitigated by a robust cybersecurity program implemented within the organization, which at a minimum must include 24×7 monitoring to give assurance that any attack or incident will be noticed.