Threat advisories

Top Middle East Cyber Threats – 12 May 2020

May-2020 3 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Zero Day Vulnerability in SharePoint

Microsoft has released yet another advisory related to the vulnerability (CVE-2020-0932) existing in Microsoft SharePoint. It exists because the software fails to check the source markup of the application. As a result, an attacker exploiting this vulnerability can run an arbitrary code in SharePoint server farm account and SharePoint application pool. It impacts Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019.

To exploit this vulnerability, the attacker must have “Add or Customize Pages” permission on a SharePoint site or one page on the site. The default configuration of SharePoint allows an authenticated user to create their own site.

Recommendations

Make sure to install and update the latest patches^[¹^][²^][³^] as soon as possible.
Ensure SharePoint service accounts (farm, web application pools, service application pools, crawl accounts, etc.) are NOT local machine administrators on any machine in the domain including the SharePoint and SQL Servers in the farm.
Keep SharePoint up to date by installing Cumulative Updates every month. Install security hotfixes ASAP after release.
Only publish SharePoint sites externally if there is a clear business reason to do so, and when publishing use a reverse proxy to control access to the published sites.
Use HTTPS and certificates to encrypt connections to the SharePoint servers.
Keep server-level antivirus systems up-to-date and use a SharePoint antivirus solution to ensure content is scanned when uploaded and downloaded.

Hackers Exploiting Zero Day in Sophos Firewall

Sophos received a report from its customers for a suspicious field value in the management interface. After investigating the disclosure Sophos learnt that this was an active attack not an error in its product. An unknown SQL injection vulnerability was used to expose the XG Device, Sophos confirmed in its security advisory on 27th April 2020.
Sophos XG Firewall device was under the radar when attackers realized that the administration (HTTPS service) or the User Portal Control panel was exposed to the Internet. A successful attack can lead attackers to execute multiple shell scripts that allow installing executable files designed to run on the Firewall’s operating system starting with a shell script install.sh. This allowed attackers to install programs that maintain persistence and conceal their activities.
Recommendations

Firewall administrators should review the latest release notes from Sophos that explains how to enable automatic installation of hotfixes if it is not enabled already.
Firewall administrators should refer the hardening guidelines published by Sophos to avoid SQL injection vulnerability and malicious code execution in XG Firewall.
Refer to the guidelines published by Sophos that details steps on how to disable the Firewall’s administration interfaces on the internet-facing ports if the feature is not required.
Additional recommendations:
- Reset portal administrator and device administrator accounts.
- Reboot the XG device(s)
- Reset passwords for all local user accounts.
- Reset credentials for any accounts where the XG passwords might have been reused.
Please block the indicators of compromise discovered during different stages of analysis by Sophos researchers.

Microsoft Teams Account Takeover Vulnerability
Microsoft has fixed a security flaw in Microsoft Teams that, if left unattended, could have been exploited to take over corporate user accounts. Security researchers revealed a flaw in Microsoft Teams that empowered an attacker to steal messages from user accounts by sending a malignant GIF picture.
CyberArk researchers provided a proof of concept (PoC) that materializes this stealthy flaw using a malicious GIF image that automatically contacts a subdomain to load the image. CyberArk disclosed its findings to Microsoft with the tech giant responding swiftly by correcting its misconfigured Domain Name System records. Microsoft issued a fix for Teams on 20th April 2020.
Recommendations

Users and administrators should review the latest release notes related to Microsoft Teams and apply necessary updates at the earliest.
Do not click on suspicious or unknown links.
Do not open attachments unless you fully trust the source it came from.

References