Top Middle East Cyber Threats – 11 April 2023
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Cl0p Ransomware Group Exploits Vulnerability in GoAnywhere MFT
Several companies have recently fallen victim to a ransomware group named Cl0p, which has been exploiting CVE-2023-0669 in GoAnywhere MFT. An exploit for this CVE became available a day before the patch (version 7.1.2) was released.
GoAnywhere MFT is a tool that helps people securely share files between different systems, employees, customers, and partners.
Cl0p is a high-profile ransomware strain that has been active since 2019; the group is known for its infamous “double extortion” tactic of threatening to release stolen data unless a ransom is paid.
The vulnerability was caused by a deserialization bug that could be exploited by sending a POST request to the ‘/goanywhere/lic/accept’ endpoint. A Metasploit module has also been developed for this vulnerability.
GoAnywhere has released a patch for this vulnerability, and it is highly recommended to update all outdated installations.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid exposure of GoAnywhere MFT admin panel publicly and restrict it to authorized users only.
- Review admin user accounts for suspicious activity, including unrecognized usernames, accounts created by ‘system’ that aren’t recognized, suspicious timing of account creation, and non-existent or disabled super users creating accounts.
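The account-review recommendation above can be turned into a repeatable check. The following Python script is an added example, not code from Help AG or from GoAnywhere: it scans admin audit events for user-creation actions and flags the four conditions listed (unrecognized creating user, unexpected accounts created by ‘system’, off-hours creation, and creation by a disabled or non-existent super user). The log line format, the reference lists of super users and the business-hours window are all constructed assumptions; a real deployment would feed it the product's own audit export and the organization's own account inventory.

```python
"""Review admin audit events for suspicious account creation (added example)."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines; the key=value format is an assumption, not real product output.
SAMPLE_LOG = """\
2023-04-03T10:15:02Z actor=alice.admin action=CREATE_USER target=bob.ops
2023-04-04T02:47:19Z actor=system action=CREATE_USER target=svc_update
2023-04-04T02:48:05Z actor=system action=CREATE_USER target=backup.mgr
2023-04-05T11:02:44Z actor=carol.old action=CREATE_USER target=tmp_admin
2023-04-05T14:30:00Z actor=ghost action=CREATE_USER target=helper
2023-04-06T09:00:00Z actor=alice.admin action=LOGIN target=-
"""

# Reference data an administrator would maintain (constructed for this example).
ACTIVE_SUPER_USERS = {"alice.admin", "dave.admin"}
DISABLED_SUPER_USERS = {"carol.old"}
EXPECTED_SYSTEM_ACCOUNTS = {"svc_update"}   # accounts 'system' is known to create
BUSINESS_HOURS = range(8, 18)               # 08:00-17:59 UTC, an assumed working window


@dataclass
class Finding:
    line: str
    reasons: list[str]


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a parsed datetime."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["timestamp"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def review_account_creations(log_text):
    """Return one Finding per CREATE_USER event that matches a suspicious condition."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["action"] != "CREATE_USER":
            continue
        actor, target, ts = ev["actor"], ev["target"], ev["timestamp"]
        reasons = []
        if actor == "system":
            # 'system' legitimately creates some accounts; anything else is worth a look.
            if target not in EXPECTED_SYSTEM_ACCOUNTS:
                reasons.append("account created by 'system' is not recognized")
        elif actor in DISABLED_SUPER_USERS:
            reasons.append("creating account belongs to a disabled super user")
        elif actor not in ACTIVE_SUPER_USERS:
            reasons.append("creating account is not a known super user")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append(f"created outside business hours ({ts:%H:%M} UTC)")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in review_account_creations(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Run against the constructed log, the script reports four of the five creation events; the one by a known super user during working hours passes. The off-hours condition is evaluated independently of the actor checks, so an expected ‘system’ account created at 02:47 still surfaces for review.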
Lazarus Group Targets 3CX DesktopApp with Malicious DLL
Multiple incidents have been detected involving malicious activity linked to 3CX DesktopApp, a legitimate software-based PBX phone system available on Windows, Linux, Android, and iOS.
Adversaries compromised installer files for at least two Windows versions (18.12.407 and 18.12.416) and two Mac versions (8.11.1213 and latest) of 3CX DesktopApp. These installers contain clean versions of the app as well as malicious DLLs, which were used to install information-stealing malware on affected computers. Once installed, the malware was observed to generate malicious activities such as beaconing to actor-controlled infrastructure (C2) and deployment of second-stage payloads.
The most common post-exploitation activity observed to date is the spawning of an interactive command shell. The attack has been attributed to a North Korean threat actor (Lazarus Group), which has been active since at least 2009 and has been involved in many campaigns targeting organizations in multiple sectors.
3CX has advised users to uninstall the app immediately. Within hours, the company released a software update containing a clean version of DesktopApp.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
- Users of 3CX’s software should monitor the company’s communication channels: it maintains a blog as well as a support-and-information forum.
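The section notes that the most common post-exploitation activity was an interactive command shell spawned from the compromised client, and recommends monitoring for abnormal behaviour. The following Python script is an added example, not code from Help AG, 3CX or any of the referenced vendors: it runs a parent/child process rule over process-creation events and flags cases where the 3CX desktop client launched a shell. The process names, the event field names (modelled on Sysmon-style ParentImage/Image fields) and the sample events are constructed assumptions to be adjusted to your own EDR telemetry.

```python
"""Flag 3CX DesktopApp processes that spawn an interactive shell (added example)."""
import ntpath
import posixpath

# Process names for the 3CX desktop client (assumed; verify against your software inventory).
MONITORED_PARENTS = {"3cxdesktopapp.exe", "3cx desktop app"}
# Interactive shells on Windows and macOS.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh"}

# Constructed process-creation events modelled on EDR/Sysmon fields; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01",
     "ParentImage": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"host": "ws01",   # ordinary Electron helper child, must not be flagged
     "ParentImage": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe",
     "Image": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe",
     "CommandLine": "3CXDesktopApp.exe --type=renderer"},
    {"host": "ws02",   # a user opening a shell from Explorer, unrelated
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"host": "mac01",
     "ParentImage": "/Applications/3CX Desktop App.app/Contents/MacOS/3CX Desktop App",
     "Image": "/bin/zsh", "CommandLine": "/bin/zsh -i"},
    {"host": "ws03",   # same rule must survive case differences in Windows paths
     "ParentImage": r"C:\PROGRAM FILES\3CXDESKTOPAPP\APP\3CXDESKTOPAPP.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop"},
]


def basename(path):
    """Return the lower-cased file name for either a Windows or a POSIX path."""
    if "\\" in path:
        return ntpath.basename(path).lower()
    return posixpath.basename(path).lower()


def is_shell_from_3cx(event):
    """True when the 3CX client is the direct parent of an interactive shell."""
    return (basename(event["ParentImage"]) in MONITORED_PARENTS
            and basename(event["Image"]) in SHELLS)


def detect(events):
    """Return the subset of events that match the parent/child rule."""
    return [e for e in events if is_shell_from_3cx(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['host']}: {basename(hit['ParentImage'])} -> {hit['CommandLine']}")
```

The rule keys on the parent/child relationship rather than on the client's file hash, so it still fires after a trojanized installer has been replaced by the clean release if a backdoored process remains resident. Legitimate Electron helper children of the same executable are left alone; on the constructed sample, only the three shell launches are reported.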
Google Releases Security Update to Address Vulnerabilities in Chrome
Google has published a security update addressing multiple vulnerabilities in the Chrome browser, fixed in the latest version, 112.0.5615.49 (Linux and Mac) and 112.0.5615.49/50 (Windows).
The update includes 16 security fixes, 14 of which were reported by external researchers. Of those 14 CVEs, 2 were rated High, 9 Medium, and 3 Low.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Apple Releases Emergency Update to Address Zero-day Vulnerabilities
Apple has released emergency security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-28205 and CVE-2023-28206, impacting iPhones, Macs, and iPads.
The zero-day CVE-2023-28205 is a use-after-free issue in WebKit. An attacker can trigger the flaw by tricking a victim into loading a maliciously crafted web page, leading to arbitrary code execution.
The zero-day CVE-2023-28206 is an out-of-bounds write issue in IOSurfaceAccelerator.
Apple has addressed the zero-day issues with the release of macOS Ventura 13.3.1, iOS 16.4.1, iPadOS 16.4.1, and Safari 16.4.1.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
MuddyWater Group Launches Destructive Attacks Under Ransomware Guise
The Iranian nation-state group MuddyWater has been carrying out destructive attacks on hybrid environments under the guise of a ransomware operation. In partnership with another emerging activity cluster, DEV-1084, it exploits known vulnerabilities in unpatched applications to infiltrate on-premises and cloud infrastructure. Once MuddyWater gains a foothold in the target environment, DEV-1084 conducts the destructive actions that carry out the espionage attack.
DEV-1084 has subsequently abused highly privileged compromised credentials to encrypt on-premises devices and to delete cloud resources at large scale, including server farms, virtual machines, storage accounts, and virtual networks. The threat actors also gained full access to email inboxes through Exchange Web Services, using it to perform “thousands of search activities” and to impersonate an unnamed high-ranking employee, sending messages to both internal and external recipients.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Do not enable macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
- Ensure frequent backups are in place.
- Block the IoCs within respective security controls throughout the organization.
- Educate employees about detecting and reporting phishing/suspicious emails.
References
- https://cloudsek.com/threatintelligence/cl0p-ransomware-group-targets-multiple-entities-by-exploiting-cve-2023-0669-in-goanywhere-mft
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
- https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack
- https://www.3cx.com/blog/news/desktopapp-security-alert/
- https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop.html
- https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/