Top Middle East Cyber Threats – 11 October 2021

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Google Chrome patches 2 actively exploited zero-days

Google has released Chrome 94.0.4606.71 for Windows, Mac, and Linux, an emergency update addressing two zero-day vulnerabilities that are being exploited in the wild.

The two zero-days are among the four security fixes in this release: CVE-2021-37975 is a use-after-free flaw in the V8 JavaScript engine, and CVE-2021-37976 is an information leak in core.

RECOMMENDATIONS

  • Update Google Chrome to version 94.0.4606.71 or later on all Windows, Mac, and Linux endpoints; the fix only takes effect once the browser has been restarted.

Apache fixes a zero-day vulnerability

The Apache Software Foundation has released Apache HTTP Server 2.4.50 to address two vulnerabilities introduced in version 2.4.49, one of which is an actively exploited path traversal and file disclosure flaw.

The actively exploited zero-day vulnerability is tracked as CVE-2021-41773. A flaw in the path normalization code of 2.4.49 allows an attacker to map URLs to files outside the expected document root by sending a path traversal request; the request succeeds when the files outside the document root are not protected by a "Require all denied" directive.

Since the disclosure of the vulnerability, security researchers have reproduced it and warned that administrators should patch immediately.
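Because the path traversal only works when the request reaches Apache with the dot segments percent-encoded, a plain grep for "../" in the access log misses it. The following Python scanner is an added example written for this advisory, not code from Help AG or the Apache project: it percent-decodes each request target until the value is stable, walks the resulting path segments, and flags any request whose decoded path climbs above the document root. The encoded-dot form used in the sample line (.%2e and %2e%2e) is an assumption modelled on the public descriptions of the bug, and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample of Apache combined-format access-log lines (not from any
# real incident). Line 2 uses encoded dots to climb out of the document root,
# line 3 is a legitimate relative path that stays inside it.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2021:10:01:12 +0400] "GET /index.html HTTP/1.1" 200 1234
10.0.0.7 - - [06/Oct/2021:10:02:45 +0400] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1825
10.0.0.9 - - [06/Oct/2021:10:03:01 +0400] "GET /icons/../images/logo.png HTTP/1.1" 200 512
10.0.0.9 - - [06/Oct/2021:10:03:30 +0400] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 199
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def percent_decode_fully(value, limit=5):
    """Percent-decode until the value stops changing (bounded), so a dot that
    was encoded once or more cannot hide a traversal segment from the check."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def normalize_path(target):
    """Return (decoded_path, escaped) where escaped is True if resolving the
    '..' segments would leave the document root at any point."""
    path = target.split("?", 1)[0]          # drop the query string
    decoded = percent_decode_fully(path)
    depth = 0
    escaped = False
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                        # empty or current-dir segment
        if segment == "..":
            if depth == 0:
                escaped = True              # climbed above the root
            else:
                depth -= 1
        else:
            depth += 1
    return decoded, escaped


def scan_log(log_text):
    """Return one finding per request whose decoded path escapes the root.
    Requests that were blocked (non-2xx) are still reported as attempts."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        decoded, escaped = normalize_path(match.group("target"))
        if escaped:
            findings.append({
                "client": match.group("client"),
                "target": match.group("target"),
                "decoded": decoded,
                "status": int(match.group("status")),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        flag = "SUCCEEDED" if 200 <= finding["status"] < 300 else "blocked"
        print(f'{finding["client"]} {flag} {finding["target"]} -> {finding["decoded"]}')
```

Findings with a 2xx status deserve immediate follow-up, since a 200 on such a request on an unpatched 2.4.49 host means the file was actually served; 403 responses show the attempt was stopped by a "Require all denied" block but still identify a scanning source worth blocking.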

The second vulnerability is CVE-2021-41524, a null pointer dereference in HTTP/2 request processing that was also introduced in 2.4.49. A specially crafted request triggers it, allowing a remote attacker to cause a denial of service (DoS) on the server.

RECOMMENDATIONS

  • Upgrade all Apache HTTP Server 2.4.49 installations to 2.4.50 or later without delay.
  • Ensure that every directory outside the DocumentRoot is protected by a "Require all denied" directive, so that traversal requests cannot read files even if a host is still unpatched.
  • Review web server access logs for requests containing encoded dot sequences that resolve outside the document root and treat any such request that received a 200 response as a likely compromise.

Android October patch addresses 3 critical flaws

Google has released the Android October security updates, addressing 41 vulnerabilities.

This update also incorporates fixes for the 10 vulnerabilities that were addressed in security patch level 2021-10-01, released a couple of days earlier.

The high-severity flaws fixed this month concern denial of service, elevation of privilege, remote code execution, and information disclosure issues.

The three critical severity flaws in the set are tracked as:

RECOMMENDATIONS

  • Install the October 2021 Android security update as soon as your device manufacturer releases it, and keep devices on the latest available security patch level.

Operation GhostShell targets global aerospace and telecommunications companies

Researchers discovered a highly targeted cyber espionage campaign against the aerospace and telecommunications industries, concentrated in the Middle East with additional victims in the US, Russia, and Europe. Operation GhostShell aims to steal sensitive information about the targeted organizations' critical assets, infrastructure, and technology.

The investigation uncovered ShellClient, a previously unknown Remote Access Trojan (RAT) used as the primary espionage tool. ShellClient has been in active development since at least 2018, with several iterations adding functionality while its authors invested heavily in evading antivirus and other security tools, which kept it undetected and publicly unknown for years. Tracking the operators and authors of ShellClient led to the identification of MalKamak, a new Iranian threat actor that has been active since at least 2018 and about which little is otherwise known.

RECOMMENDATIONS

  • Make efforts to increase visibility through endpoint detection, response, and logging. Endpoint monitoring tools are critical for detecting suspicious activity in an environment after other controls have been circumvented.
  • Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Ensure that the systems are correctly configured and that security features are enabled.
  • Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
  • Use multi-factor authentication (MFA) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
  • Block indicators of compromise within the respective security controls organization-wide.
