Top Middle East Cyber Threat- 3 September 2019

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
1) New Lyceum APT targeting oil and gas in Middle East and telecoms across Africa & Asia
The Middle East cyber-espionage landscape became a little more crowded this month with the discovery of a new hacking group that has been targeting the region since mid-2018. Tracked by cyber-security firms under names such as Lyceum and Hexane, the group has primarily focused on the regional energy sector.
In a report published earlier this month, ICS security firm Dragos said that Lyceum/Hexane had repeatedly targeted oil and gas companies in the Middle East, with “Kuwait as a primary operating region.”
While the bulk of attacks were aimed at companies in the energy sector, the group has also targeted telecommunication providers across the greater Middle East, Central Asia and Africa.
Attack Description:
Lyceum uses password spraying and brute-force attacks to breach individual email accounts at target organizations. Once successful, the attackers use the compromised accounts to send spear-phishing emails to the victims’ colleagues. These emails carry malicious Excel files that attempt to infect other users in the same organization.
The primary targets of these second-stage spear-phishing campaigns are executives, HR staff and IT personnel. The Excel files contain a payload named DanDrop, a VBA macro dropper that installs DanBot, a C# remote access trojan (RAT).
Lyceum then uses the DanBot RAT to download and run additional tooling on the victims’ systems, most of it PowerShell scripts with password-dumping, lateral movement or key-logging functionality.
In short, Lyceum combines password spraying, custom malware, DNS tunneling, spear-phishing themes and scripts taken from red teaming frameworks. Until cyber-security firms gather more evidence linking Lyceum to a specific country, the group’s focus is expected to remain on the energy sector, the bread and butter of most cyber-espionage groups targeting the Middle East.
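Because Lyceum's entry point is password spraying rather than malware, the first detection opportunity is in the authentication logs of the mail or SSO service, before any phishing email is sent. The following is an added example written for this advisory, not code from Help AG, Secureworks or Dragos. It assumes a simplified authentication log format (timestamp, source IP, username, result); the log lines and the thresholds (eight accounts, three failures per account, ten-minute window) are constructed and should be tuned to the environment. The point it demonstrates is the distinguishing feature of a spray: many distinct accounts, very few failures each, so per-account lockouts never trip, and a success from the same source is a compromised account rather than a typo.

```python
"""Password-spray versus brute-force detection over authentication logs.

Lyceum's initial access relies on password spraying: one or two common
passwords tried against MANY accounts, so each account sees only a few
failures and per-account lockout never triggers. Grouping failed logins by
source address and measuring how the failures spread across usernames
separates a spray (many users, few failures each) from a classic brute
force (one user, many failures), and shows which account the spray opened.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
#   <ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2019-08-20T08:00:01 203.0.113.10 a.ahmed FAILURE
2019-08-20T08:00:03 203.0.113.10 b.khan FAILURE
2019-08-20T08:00:05 203.0.113.10 c.saleh FAILURE
2019-08-20T08:00:07 203.0.113.10 d.hassan FAILURE
2019-08-20T08:00:09 203.0.113.10 e.omar FAILURE
2019-08-20T08:00:11 203.0.113.10 f.ali FAILURE
2019-08-20T08:00:13 203.0.113.10 g.rashid FAILURE
2019-08-20T08:00:15 203.0.113.10 h.nasser FAILURE
2019-08-20T08:00:17 203.0.113.10 i.yousef FAILURE
2019-08-20T08:00:19 203.0.113.10 j.farah SUCCESS
2019-08-20T08:05:00 198.51.100.7 k.mansour FAILURE
2019-08-20T08:05:02 198.51.100.7 k.mansour FAILURE
2019-08-20T08:05:04 198.51.100.7 k.mansour FAILURE
2019-08-20T08:05:06 198.51.100.7 k.mansour FAILURE
2019-08-20T08:05:08 198.51.100.7 k.mansour FAILURE
2019-08-20T08:05:10 198.51.100.7 k.mansour FAILURE
2019-08-20T08:05:12 198.51.100.7 k.mansour FAILURE
2019-08-20T08:05:14 198.51.100.7 k.mansour FAILURE
2019-08-20T09:30:00 192.0.2.55 l.saad FAILURE
2019-08-20T09:30:20 192.0.2.55 l.saad SUCCESS
"""

EPOCH = datetime(1970, 1, 1)


def parse_auth_log(text):
    """Return a list of (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "SUCCESS"))
    return events


def detect(events, window=timedelta(minutes=10), min_users=8, max_per_user=3, brute_min=5):
    """Bucket events per (source IP, time window) and classify each bucket.

    Thresholds are assumptions to tune per environment:
      min_users    - distinct accounts with failures needed to call it a spray
      max_per_user - a spray keeps per-account failures at or below this
      brute_min    - failures against a single account that indicate brute force
    """
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        slot = int((ts - EPOCH).total_seconds() // window.total_seconds())
        buckets[(ip, slot)].append((user, ok))

    findings = []
    for (ip, _slot), evs in sorted(buckets.items()):
        failures = defaultdict(int)
        successes = set()
        for user, ok in evs:
            if ok:
                successes.add(user)
            else:
                failures[user] += 1
        if not failures:
            continue
        peak_user, peak = max(failures.items(), key=lambda kv: kv[1])
        if len(failures) >= min_users and peak <= max_per_user:
            findings.append({
                "type": "password_spray",
                "source": ip,
                "accounts_tried": len(failures),
                # a success from a spraying source is a compromised account
                "compromised": sorted(successes),
            })
        elif peak >= brute_min:
            findings.append({
                "type": "brute_force",
                "source": ip,
                "account": peak_user,
                "failures": peak,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(parse_auth_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data the spray from 203.0.113.10 touches nine accounts with a single failure each and then succeeds against j.farah, which is the account to reset and investigate; 198.51.100.7 is a plain brute force against one account; the single failure from 192.0.2.55 is noise. Fixed time windows keep the logic simple; a sliding window or a per-source rate catches sprays that straddle a bucket boundary.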
Remediation and recommendations:
Lyceum is an emerging threat to energy organizations in the Middle East, but organizations should not assume that future targeting will be limited to this sector. Critical infrastructure organizations in particular should take note of the threat group’s activities. Aside from deploying novel malware, Lyceum’s activity demonstrates capabilities researchers have observed from other threat groups and reinforces the value of a few key controls. Password spraying, DNS tunneling, social engineering and abuse of security testing frameworks are common tactics, particularly among threat groups operating in the Middle East. While many security controls could mitigate aspects of a Lyceum intrusion, researchers recommend the following to provide broad protection and detection capabilities that apply to a spectrum of threats:

  • Implement multi-factor authentication (MFA): Every corporate remote access service exposed to the Internet, including cloud applications such as Office 365/Outlook, external virtual private networks (VPNs) and single sign-on (SSO) pages, should require users to provide a one-time password in addition to their regular password. Roll it out carefully: if enrollment is driven only by self-service emails, an attacker who already holds a compromised mailbox can enroll their own device and continue operating unhindered.
  • Increase visibility via endpoint detection, response, and logging: Incident response efforts are often hampered by a lack of visibility in the environment. This may be due to the absence of logs that allow network defenders to forensically piece together what happened, or due to insufficient tools to monitor for ongoing threat actor activity. Endpoint monitoring tools are essential for detecting suspicious activity in the environment after other controls have been evaded.
  • Conduct preparedness exercises: Technology solutions cannot address all cybersecurity risks. Employees are both vulnerabilities and assets. Fostering a culture that focuses on security awareness and makes it easy for staff to work efficiently in a crisis reduces the overall frequency, impact, and cost of security incidents.
    • Incident response: Table-top exercises can benefit organizations at different stages. Involving stakeholders from legal, public relations, and other groups across the organization provides insight into what data is and is not important and why. This training will enable staff to contact the correct people inside and outside the organization when an incident occurs.
    • Phishing awareness: Continuously reinforcing phishing awareness training and giving users an easy way to report suspicious messages helps to detect phishing campaigns early. Organizations should have processes for swift response and containment if a user executes a malicious payload.

2) Pulse Secure: Arbitrary File Disclosure Vulnerability
Multiple vulnerabilities have been discovered and resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). Pulse Secure released a security advisory and patches for several critical and high severity issues in PCS, previously known as Juniper SSL Virtual Private Network (VPN), a widely used commercial VPN solution. The issues were found by Orange Tsai and Meh Chang of the DEVCORE research team, who presented the details at Black Hat USA in Las Vegas in early August.
Among the most severe issues reported is CVE-2019-11510, an arbitrary file disclosure vulnerability. This flaw could allow an unauthenticated, remote attacker to read the contents of files found on a vulnerable device, including sensitive information such as configuration settings.
Attack Description:
Pre-authentication Flaw:
Though there are multiple steps involved, an attacker can start from a pre-authentication flaw and reach command execution by chaining vulnerabilities to compromise a vulnerable device. The chain consists of a pre-authentication arbitrary file read (CVSS 10.0) and a post-authentication (admin) command injection (CVSS 8.0), which together yield pre-auth RCE.
As described in an article by Tenable Security, the following step by step process can be undertaken by the attacker:

  • To exploit the issue, an attacker sends a malicious HTTP request containing directory traversal sequences in a crafted Uniform Resource Identifier (URI) and can read any file on the device.
  • This gives the attacker access to sensitive device information and, as the researchers describe in their initial report, the file read can be chained with the other vulnerabilities they discovered.
  • When a user logs into the admin interface of the VPN, their plain-text password is cached in /data/runtime/mtmp/lmdb/dataa/data.mdb. Using the file read above, the attacker can retrieve that file, extract the password and log into the device. Once logged in as admin, the attacker can exploit CVE-2019-11539, a command injection vulnerability in the administrative web interface. Alternatively, with the credentials in hand, the attacker can exploit CVE-2019-11508, a vulnerability in the Network File Share (NFS) feature that allows an authenticated user to upload a malicious file and write arbitrary files to the host.

What is most concerning about these chained exploits is that Pulse Connect Secure is used to restrict external access to an environment, and by achieving command execution on the device, an attacker could use this access to weaponize the device and use it for malicious purposes such as data exfiltration.
If the attacker is not able to find cached credentials, they can access the file /data/runtime/mtmp/system to gather a list of users and hashed passwords. With enough time, effort, and processing power, an attacker could crack the hashes, giving them the ability to log in with the stolen credentials.
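Since the file read is a single unauthenticated HTTP request, the appliance's own web access log is the place to look for exploitation before and after patching. The following is an added example for this advisory, not code from Pulse Secure, Tenable or the researchers. It parses combined-log-format lines, percent-decodes each request target until it is stable (so double-encoded traversal is not missed), resolves the traversal with posixpath.normpath to see which file the request actually reached, and rates hits on the files named above (the data.mdb credential cache and the /data/runtime/mtmp/system user list) as critical. The sample log lines are constructed; lines 2 to 4 use the traversal shape reported publicly for CVE-2019-11510 scanning, and a 200 status on such a line is the signal that the read most likely succeeded.

```python
"""Flag directory-traversal requests against a Pulse Connect Secure web
interface in its access log, the request pattern behind CVE-2019-11510.

Each request target is percent-decoded until stable (so %2e%2e%2f and
double-encoded variants are caught), the query string is stripped, and the
path is checked for '..' segments. The traversal is then resolved with
posixpath.normpath to see which file the request actually reached; hits on
the credential stores named in the advisory are rated critical.
"""
import posixpath
import re
from urllib.parse import unquote

# Combined-log-format line: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Files named in the advisory text: cached plaintext admin credentials,
# the user/hash store, and the usual traversal canary.
SENSITIVE_FILES = {
    "/etc/passwd",
    "/data/runtime/mtmp/lmdb/dataa/data.mdb",
    "/data/runtime/mtmp/system",
}

# Constructed sample access log (not real traffic). Lines 2-4 use the
# traversal shape reported publicly for CVE-2019-11510 scanning; line 4
# is the same request with the dots percent-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Aug/2019:10:14:02 +0400] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123
203.0.113.5 - - [22/Aug/2019:10:14:09 +0400] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1893
203.0.113.5 - - [22/Aug/2019:10:14:15 +0400] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 98304
198.51.100.9 - - [22/Aug/2019:10:20:41 +0400] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/data/runtime/mtmp/system?/dana/html5acc/guacamole/ HTTP/1.1" 200 4412
192.0.2.77 - - [22/Aug/2019:10:25:00 +0400] "GET /dana-na/css/ds.css HTTP/1.1" 200 812
192.0.2.77 - - [22/Aug/2019:10:25:30 +0400] "GET /dana/home/index.cgi HTTP/1.1" 302 0
"""


def full_decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is normalised."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse(line, lineno):
    """Return a finding dict for a traversal request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = full_decode(m["target"]).split("?", 1)[0]
    if ".." not in path.split("/"):
        return None                      # ordinary request, no traversal segment
    resolved = posixpath.normpath(path)  # the file the traversal actually reaches
    if resolved in SENSITIVE_FILES or resolved.startswith(("/etc/", "/data/")):
        severity = "critical"
    else:
        severity = "high"
    return {
        "line": lineno,
        "source": m["ip"],
        "status": int(m["status"]),      # 200 means the read most likely succeeded
        "resolved": resolved,
        "severity": severity,
    }


def scan(text):
    """Run analyse() over every log line and collect the findings."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        f = analyse(line, n)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit on data.mdb or /data/runtime/mtmp/system returned with status 200 should be treated as a credential compromise: patch, then rotate every account that had logged into the appliance, not just the admin, because the cached credentials and hashes are exactly what the chain above needs.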
A proof of concept (PoC) was published to the Exploit Database as an exploit module written by Alyssa Herrera and Justin Wagner.
Affected Versions include:

  • Pulse ConnectSecure 9.0R1 – 9.0R3.3
  • Pulse Connect Secure 8.3R1 – 8.3R7
  • Pulse Connect Secure 8.2R1 – 8.2R12
  • Pulse Connect Secure 8.1R1 – 8.1R15
  • Pulse Policy Secure 9.0R1 – 9.0R3.3
  • Pulse Policy Secure 5.4R1 – 5.4R7
  • Pulse Policy Secure 5.3R1 – 5.3R12
  • Pulse Policy Secure 5.2R1 – 5.2R12
  • Pulse Policy Secure 5.1R1 – 5.1R15

Pulse Connect Secure and Pulse Policy Secure 9.1R1 and above remain unaffected by these disclosures.
Help AG recommends following the advisory by Pulse Secure SA44101-2019-04 with information on each of the CVEs reported.
Patching solutions for Pulse Connect Secure are listed below (fixed releases for Pulse Policy Secure are given in the advisory):

Version installed            Fixed release
Pulse Connect Secure 9.0RX   Pulse Connect Secure 9.0R3.4 & 9.0R4
Pulse Connect Secure 8.3RX   Pulse Connect Secure 8.3R7.1
Pulse Connect Secure 8.2RX   Pulse Connect Secure 8.2R12.1
Pulse Connect Secure 8.1RX   Pulse Connect Secure 8.1R15.1
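Triaging a fleet against these lists is error-prone by eye because Pulse version strings mix a release number and an optional sub-release (9.0R4 is newer than 9.0R3.4, and 8.3R7.1 is the fix for 8.3R7). The following is an added example for this advisory, not a Pulse Secure tool; it parses a PCS version string into a comparable tuple and checks it against the affected ranges and fixed releases listed above. Only Pulse Connect Secure is covered, since the table above gives PCS fixes; branches the advisory text does not list are reported as unknown rather than safe.

```python
"""Check a Pulse Connect Secure version string against the affected and
fixed releases listed in the advisory, for quick fleet triage.

Pulse versions look like 9.0R3.4 or 9.0R4: major.minor, an 'R' release
number and an optional sub-release. Parsing them into tuples makes the
comparison handle 9.0R4 > 9.0R3.4 and 8.3R7.1 > 8.3R7 correctly.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(v):
    """'9.0R3.4' -> (9, 0, 3, 4); a missing sub-release counts as 0."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse version: {v!r}")
    major, minor, rel, sub = m.groups()
    return (int(major), int(minor), int(rel), int(sub or 0))


# (first affected, last affected, fixed release) for PCS, from the lists above.
PCS_RANGES = [
    ("9.0R1", "9.0R3.3", "9.0R3.4 or 9.0R4"),
    ("8.3R1", "8.3R7", "8.3R7.1"),
    ("8.2R1", "8.2R12", "8.2R12.1"),
    ("8.1R1", "8.1R15", "8.1R15.1"),
]

FIRST_UNAFFECTED = "9.1R1"  # 9.1R1 and above are unaffected per the advisory


def check_pcs(version):
    """Return (status, fix) where status is one of
    'vulnerable', 'patched', 'unaffected' or 'unknown'."""
    v = parse_version(version)
    for first, last, fix in PCS_RANGES:
        lo, hi = parse_version(first), parse_version(last)
        if lo <= v <= hi:
            return "vulnerable", fix
        if v[:2] == lo[:2] and v > hi:
            return "patched", None       # same branch, at or past the fixed release
    if v >= parse_version(FIRST_UNAFFECTED):
        return "unaffected", None
    return "unknown", None               # branch not covered by the lists above


if __name__ == "__main__":
    for ver in ("9.0R3.3", "9.0R4", "8.3R7", "8.3R7.1", "9.1R1", "8.0R5"):
        print(ver, check_pcs(ver))
```

Feed it the version from each appliance's admin console or inventory export; anything reported as vulnerable should be patched and then checked against the access-log indicators, since the file read needs no authentication and may already have been used.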

As always, at Help AG we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.
