Top Middle East Cyber Threats – 7 April 2020

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Zoom Video Conferencing – Security and Privacy issues
Zoom meetings are happening across the globe as a large number of people are currently working from home due to the Coronavirus outbreak. However, its overnight popularity has also brought it into the limelight for security researchers who’ve started finding its alleged underlying vulnerabilities. The Zoom application is said to have too many security loopholes.
A chronological highlight of mainstream reporting involved:

• ISSUE: Zoom installer bundled with malware / STATUS: Open
• ISSUE:Misleading Zoom encryption / STATUS: Unresolved 
• ISSUE: Zoom cryptographic keys issued by Chinese servers / STATUS: Fixed
• ISSUE:Security flaw with Zoom meeting waiting rooms/STATUS: Unknown
• ISSUE:Zoom software can be easily corrupted/STATUS: Unresolved
• ISSUE:Zoom bombing/STATUS: Unresolved
• ISSUE: Leaks of email addresses and profile photos/STATUS: Unknown
• ISSUE:Sharing of personal data /STATUS: Unknown
• ISSUE: ‘War Dialing’ to find open Zoom meetings/STATUS: Unknown
• ISSUE: Zoom meeting chats don’t remain private /STATUS: Unknown
• ISSUE: Windows password stealing/STATUS: Fixed
• ISSUE: Windows malware injection/STATUS: If the UNC file-path issue is fixed, then this issue does not persist.
• ISSUE: iOS profile sharing/STATUS: Fixed
• ISSUE: Malware-like behavior on macOS/STATUS: Fixed
• ISSUE: A backdoor for MAC malware/STATUS: Fixed 

Security researchers and protection advocates have raised the alert on default settings that have permitted the “Zoombombing” phenomenon to occur, where scampers join Zoom calls and communicate illicitly. Zoom will currently go through the following three months, fixing every single issue to avoid becoming a victim of its own success. Surprisingly, this is not the first time Zoom has been accused to invading user privacy. In 2019 a webcam hacking scandal involving Zoom was exposed. At that time, it was a Zoom vulnerability that left the host open to malicious attacks. This flaw allowed webcams to be activated via ghost Zoom calls.
Recommendations

• Make sure you have downloaded or updated the latest version of Zoom application. This ensures that you have access to updated versions of privacy and security settings.
• Create a password for all scheduled meetings and share it only with individuals that are a part of the meeting.
• Do not post any invitation links publicly. This is an easy way to get Zoom Bombed. Instead send it directly to individuals by an email or other messaging medium.
• Don’t allow participants to join before the host. This can be done by going to settings toggling off “join before host” option.
• Set screen sharing to host only. This way, only the host has control over what is shared with the group.
• We recommend using technologies that enforces organization-wide two factor authentication and single sign-on through active directory and enables encryption of data in transit and at rest.

Kwampirs Malware Resurfaces
FBI has recently come up with a report citing that hackers are attempting to infect organizations with Kwampirs Malware. This hacking campaign is primarily targeting supply chain software providers. The goal of the hackers is to gain access to victims’ customers, strategic partners including entities supporting distribution and transmission thereby enabling the network exploitation. The same malware was also used in attacks against healthcare, energy and financial sector across US, Europe, Asia and the Middle East. A thorough code analysis of the malware by researchers revealed that Kwampirs contains similarities with Shamoon- a data wiping malware developed by APT33 which happens to be an Iranian hacking group.
The campaign deployed a two phased approach. During the first phase, a broad persistence presence is established on the target network which includes execution of the secondary malware payloads. The second phase includes delivery of Kwampirs components in order to further exploit the target host. The following assets of network were targeted.

• Primary and Secondary Domain Controllers
• Servers used to develop ICS products and instruments
• Software development servers which maintain source code for applications

Recommendations:

• Regularly update applications and host operating systems to ensure protection against known vulnerabilities.
• Adapt strict user input validation to restrict local and remote vulnerabilities.
• Ensure secure configuration of web servers. Ports and Services need to be restricted.
• Web Application Firewall should be deployed and updated to conduct virus checks and code analysis.
• Using a reverse proxy is advisable to restrict the accessible URL paths to known legitimate ones.

References

• https://isc.sans.edu/diaryimages/Kwampirs_PIN_20200330-001.pdf
• https://www.tomsguide.com/news/zoom-security-privacy-woes