
Top Middle East Cyber Threats – 10 January 2023


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.  

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:  

Microsoft Reveals Tactics Used by Ransomware Families Targeting macOS  

Microsoft analyzed four macOS ransomware families (KeRanger, FileCoder, MacRansom, and EvilQuest) to get further details about the TTPs used by these groups. The initial vector of these ransomware families typically relies on user-assisted methods like downloading and running fake or trojanized applications. The attacks then proceed with the threat actors relying on legitimate operating system features and exploiting vulnerabilities to break into the systems and encrypt files of interest. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files or attachments. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure that the email server is configured to block any suspicious attached files. 
  • Monitor your network for abnormal behaviors and indicators of compromise (IoCs). 
  • Ensure frequent backups are in place.  
  • Block the IoCs within respective security controls throughout the organization. 
  • Educate employees about detecting and reporting phishing/suspicious emails. 

Researchers Uncover IoCs for Monti, BlackHunt, and Putin Ransomware  

Researchers have uncovered details about three new ransomware variants targeting Microsoft Windows platforms: Monti, BlackHunt, and Putin.  

Monti is designed to encrypt files on Windows and Linux systems. Files encrypted by the Monti ransomware have a “.puuuk” file extension.  

BlackHunt ransomware accesses victims’ networks through vulnerable Remote Desktop Protocol (RDP) configurations. Files encrypted by BlackHunt ransomware can be identified with the following filename pattern:  [unique ID assigned to each compromised machine].[contact email address].Black. The ransomware also deletes shadow copies, which makes file recovery difficult. 

Putin ransomware encrypts files on victims’ machines and then tries to extort money from the victims, both to decrypt the files and not to leak the stolen data to the public. Files encrypted by Putin ransomware have a “.PUTIN” file extension. The ransomware drops a ransom note titled “README.txt”, which states that victims have only two days to make the ransom payment; otherwise their encrypted files will not be recovered. 
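
The file-naming indicators above can be turned into a simple check over a file listing. The following Python is an added example, not code from the advisory or from the researchers it cites; the victim-ID format and the sample paths are constructed assumptions, and a README.txt is only reported when it sits beside .PUTIN files, since that name is common on clean systems.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions reported for Monti and Putin; matched case-insensitively.
FAMILY_BY_EXTENSION = {".puuuk": "Monti", ".putin": "Putin"}

# BlackHunt pattern: <original name>.[victim ID].[contact email].Black
# Assumption: the victim ID contains no dots or '@' (its format is not described).
BLACKHUNT_RE = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.@\\/]+)\."
    r"(?P<email>[^\s.@\\/]+@[^\s@\\/]+\.[A-Za-z]{2,})\.Black$"
)


def classify(path: str):
    """Return the family a file name points to ('Monti', 'BlackHunt', 'Putin') or None."""
    name = PureWindowsPath(path).name
    if BLACKHUNT_RE.match(name):
        return "BlackHunt"
    return FAMILY_BY_EXTENSION.get(PureWindowsPath(name).suffix.lower())


def scan(paths):
    """Group a directory listing by family. README.txt is reported only when it
    shares a directory with .PUTIN files, because the name alone is too common."""
    hits, readmes, putin_dirs = defaultdict(list), defaultdict(list), set()
    for p in paths:
        wp = PureWindowsPath(p)
        family = classify(p)
        if family:
            hits[family].append(p)
            if family == "Putin":
                putin_dirs.add(str(wp.parent).lower())
        elif wp.name.lower() == "readme.txt":
            readmes[str(wp.parent).lower()].append(p)
    for d in sorted(putin_dirs.intersection(readmes)):
        hits["Putin ransom note"].extend(readmes[d])
    return dict(hits)


# Constructed listing for demonstration; not from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.7F3A9C.recover@mail.example.Black",
    r"C:\Users\alice\Documents\budget.xlsx.PUTIN",
    r"C:\Users\alice\Documents\README.txt",
    r"D:\shares\finance\q4.pdf.puuuk",
    r"C:\Program Files\tool\README.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    for family, files in scan(SAMPLE_LISTING).items():
        print(f"{family}: {files}")
```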

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files or attachments. 
  • Do not enable macros for unknown MS Office files. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure that the email server is configured to block any suspicious attached files. 
  • Enforce the Restricted PowerShell script execution policy for end users. 
  • Monitor your network for abnormal behaviors and indicators of compromise (IoCs). 
  • Ensure frequent backups are in place.  
  • Block the IoCs within respective security controls throughout the organization. 
  • Educate employees about detecting and reporting phishing/suspicious emails. 
