Top Middle East Cyber Threats – 07 February 2023

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.  

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:  

VMware Addresses Vulnerabilities in vRealize Log Insight and VMware Cloud Foundation 

VMware has published an advisory to address four vulnerabilities in VMware vRealize Log Insight version 8.x and VMware Cloud Foundation versions 4.x and 3.x. Of the four vulnerabilities reported, two are classified as ‘Critical’, one as ‘Important’ and the other as ‘Moderate’ in severity.

The most severe vulnerabilities reported are CVE-2022-31703 and CVE-2022-31704. 

CVE-2022-31703 is a VMware vRealize Log Insight ‘Directory Traversal Vulnerability’ with a CVSSv3 score of 9.8. CVE-2022-31704 also has a CVSSv3 score of 9.8 and is described as a VMware vRealize Log Insight ‘Broken Access Control Vulnerability’. Through these vulnerabilities, an unauthenticated, malicious actor can inject files into the operating system of an impacted appliance, which can result in remote code execution.

RECOMMENDATIONS 

  •  Ensure all systems are patched and updated.

F5 Fixes BIG-IP iControl SOAP Vulnerability

A format string vulnerability exists in F5 BIG-IP iControl SOAP, CVE-2023-22374, that allows an authenticated attacker to crash the iControl SOAP CGI process or potentially execute arbitrary code.

In appliance mode of BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. This vulnerability may allow an authenticated attacker with network access to iControl SOAP through the BIG-IP management port and/or self IP addresses to cause a denial-of-service (DoS) or potentially execute arbitrary system commands.

F5 has fixed this issue in an engineering hotfix that is available for supported versions of the BIG-IP system. Customers affected by this issue can download the engineering hotfix for the latest supported versions of BIG-IP from the F5 Downloads site. 

RECOMMENDATIONS 

  •  Ensure all systems are patched and updated.

Google Chrome Update Fixes Multiple Vulnerabilities

Google has published a security update to address multiple vulnerabilities in the Chrome browser, which are fixed in the latest Chrome version (109.0.5414.119 for Mac and Linux and 109.0.5414.119/.120 for Windows).

The update includes 6 security fixes, 4 of which were contributed by external researchers. The most severe vulnerabilities reported were CVE-2023-0471 and CVE-2023-0472, rated ‘High’ risk and described as ‘use-after-free’ bugs in WebTransport and WebRTC.

RECOMMENDATIONS 

  •  Ensure all systems are patched and updated.

New APT34 Malware Targets the Middle East

New malware has been identified in a recent campaign targeting countries in the Middle East, with the final goal of stealing users’ credentials and exfiltrating data by abusing compromised mailbox accounts.

APT34 has been documented to target organizations worldwide, particularly companies from the financial, government, energy, chemical, and telecommunications industries in the Middle East since 2014.  

RECOMMENDATIONS  

  • Ensure all systems are patched and updated.  
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.  
  • Don’t allow Macros for unknown MS Office files. 
  • Enable software restriction policies and application whitelisting.  
  • Ensure that email server is configured to block any suspicious attached files.  
  • Enforce the Restricted PowerShell script execution policy for end users.  
  • Monitor your network for abnormal behaviour and shared IoCs.  
  • Ensure frequent backups are in place.  
  • Educate employees about detecting and reporting phishing / suspicious emails.

New DDoS Botnet Campaign Targets Multiple Countries

A new, rapidly spreading DDoS botnet has been discovered targeting multiple countries. The botnet, named Fodcha, is spreading mainly through the following NDay vulnerabilities and weak Telnet/SSH passwords.

RECOMMENDATIONS  

  • Ensure all systems are patched and updated.  
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.  
  • Don’t allow Macros for unknown MSOffice files.  
  • Enable software restriction policies and application whitelisting.  
  • Ensure that email server is configured to block any suspicious attached files.  
  • Enforce the Restricted PowerShell script execution policy for end users.  
  • Monitor your network for abnormal behaviour and shared IoCs.  
  • Ensure frequent backups are in place.  
  • Educate employees about detecting and reporting phishing / suspicious emails. 
