Threat advisories

Top Middle East Cyber Threats – 08 January, 2024

Jan-2024 7 min to read

117

Top Middle East Cyber Threats – 08 January, 2024

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.

‘Anonymous Sudan’ DDoS Attacks Target More than 340 UAE Domains

The Hacktivist group ‘Anonymous Sudan’ has claimed responsibility for a massive DDoS campaign targeting UAE telecommunication infrastructure which impacted more than 2600 IPs and over 340 domains related to multiple UAE based entities. The adversary published a list of all impacted organizations and domains.

It has been stated by the threat actor that “This is just the beginning; we are currently preparing other destructive attacks”.

Help AG advises implementing DDoS protections solutions for both network and application-level DDoS attacks and following the below recommendations to mitigate possible future DDoS attacks.

RECOMMENDATIONS

Ensure having sufficient bandwidth in your organization and ensure redundancy by spreading traffic using load balancers.
Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols.
Deploy DDoS protection solutions to protect your servers from both network and application layer DDoS attacks.
Have a response plan in place: Having a plan in place for responding to DDoS attacks can help you quickly and effectively respond to the attack and minimize its impact.
Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files, or attachments.
Enable software restriction policies and application whitelisting.
Enforce the Restricted PowerShell script execution policy.
Monitor your network for abnormal behaviors and IoCs.
Ensure frequent backups are in place.

APT33 Targets Defense Industrial Base Sector with FalseFont Backdoor

Microsoft has observed APT33 (Peach Sandstorm) attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector. FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 servers. It was first observed being used against targets in early November 2023. The development and use of FalseFont is consistent with APT33 (Peach Sandstorm) activity.

The APT33 group has been around since at least 2013, since mid-2016, the group targeted the aviation industry and energy companies with connections to petrochemical production. Most of the targets were in the Middle East, others were in the U.S., South Korea, and Europe.

APT33 is known to utilize password spray on Microsoft 365 accounts and have been utilizing these techniques on thousands on entities since February 2023.
.

RECOMMENDATIONS

Ensure having sufficient bandwidth in your organization and ensure redundancy by spreading traffic using load balancers. Ensure all systems are patched and updated. Avoid clicking or opening untrusted or unknown links, files, or attachments. Enforce MFA on all remote logins. Enable software restriction policies and application whitelisting. Ensure that the email server is configured to block any suspicious attached files. Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and IoCs. Please action by blocking the indicators of compromise within respective security controls organization wide. Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

Barracuda Identifies Zero-Day Vulnerability on ESG

Barracuda is currently investigating a threat actor (China nexus actor tracked as UNC4841) who exploited an Arbitrary Code Execution (ACE) vulnerability in a third-party library called Spreadsheet::ParseExcel. The attacker used this vulnerability to deploy a specifically designed Excel email attachment, targeting a small number of ESG devices infecting with SEASPY and SALTWATER malware variants.

Spreadsheet::ParseExcel is an open-source library used by the Amavis virus scanner within the ESG appliance.

The details of assigned 2 CVEs in relation to the attack are as below –

CVE-2023-7102 – Use of a Third-Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection. This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.
CVE-2023-7101 – Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

Barracuda has patched CVE-2023-7102 in relation to Barracuda’s use of Spreadsheet::ParseExcel. In addition, to increase public awareness of the ACE vulnerability in Spreadsheet::ParseExcel, Barracuda has filed CVE-2023-7101 and at the time of this update, there is no known patch or update available to remediate CVE-2023-7101 within the open-source library.
.

RECOMMENDATIONS

Ensure your ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda. Contact Barracuda support (support@barracuda.com) to validate if the appliance is up to date.
Monitor your network for abnormal behaviors and IoCs.
Please action by blocking the indicators of compromise within respective security controls organization wide.
Ensure frequent backups are in place.

OpenSSH Identifies Unexpected Code Execution Vulnerability

OpenSSH has released a security update and fixed a command injection vulnerability caused by malicious shell characters (CVE-2023-51385). SSH ProxyCommand is vulnerable to a code execution flaw that may allow an attacker to perform shell injection on vulnerable servers. Tracked as CVE-2023-51385, the vulnerability has a critical severity rating with a CVSSv3 score of 9.8.

The vulnerability arises when an invalid user or hostname containing shell metacharacters is passed to SSH, and a ProxyCommand, LocalCommand directive, or “match exec” predicate referenced the use or hostname via expansion tokens. An attacker supplying arbitrary user/hostnames to SSH may perform a command injection. Exploitation is possible in an untrusted Git repository containing a submodule with shell metacharacters in a username or hostname.

RECOMMENDATIONS

Ensure all systems are patched and updated.

SonicWall Capture Labs Identifies Critical Zero-Day Vulnerability

SonicWall Capture Labs threat research team has identified an Authentication Bypass vulnerability in Apache OFBiz, tracked as CVE-2023-51467, with a CVSS score of 9.8. Apache OfBiz is an open-source, Java-based Enterprise Resource Planning (ERP) system.

The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF).

RECOMMENDATIONS

Ensure all systems are patched and updated.
Update Apache OFBiz to latest version 18.12.11 or a later to minimize any potential security risks.

Google Chrome Update Fixes Four Vulnerabilities

Google has published a security update to address multiple vulnerabilities in Chrome browser that are now fixed in the latest Chrome version (120.0.6099.199 for Mac & Linux and 120.0.6099.199/200 for Windows).

The update includes 6 security fixes. All the contributed fixes are rated as High in risk level.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Android’s January Update Fixes Multiple Vulnerabilities

Android’s January 2024 security update addresses multiple vulnerabilities affecting Android devices as well as Android components including Arm, Imagination Technologies, MediaTek, Unisoc and Qualcomm.

The advisory includes five CVEs categorized as elevation of privileges and other 5 CVEs under sensitive information disclosure category. All the reported 10 CVEs are rated as High in severity level.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Ivanti Security Update Fixes a Critical Vulnerability in EPM

Ivanti has published a security update to address a critical vulnerability in EPM (Ivanti Endpoint Manager) 2022 SU4 and all prior versions. The vulnerability is tracked as CVE-2023-39336 and rated as 9.6 in CVSSv3.

If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server.

RECOMMENDATIONS