Threat advisories

Top Middle East Cyber Threats – 13 September 2021

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

ProxyToken Vulnerability in Exchange Servers

System administrators need to apply the July 2021 Microsoft Exchange security updates, because unpatched Exchange servers contain a major security flaw that can enable devastating attacks. The bug, reported in April, was fixed in the July 2021 Patch Tuesday security updates under the identifier CVE-2021-33766. A remote attacker can exploit the ProxyToken vulnerability to bypass authentication and change the backend configuration of an Exchange email server.

The ProxyToken flaw could be exploited to covertly add an email forwarding rule to a user’s mailbox, causing all emails addressed to the victim to be forwarded to an account controlled by the attacker. The vulnerability exists for two reasons: requests with a non-empty cookie named “SecurityToken” that are redirected from the frontend to the backend are not authenticated, and HTTP 500 error responses expose an Exchange control panel canary token.

RECOMMENDATIONS

  • Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Review the July 2021 “Release Notes” and “Deployment Information” for more details and apply the necessary patches.
  • Ensure that the systems are correctly configured and that the security features are enabled.
  • Disable ports and protocols that are not used for business purposes.
  • Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
  • Use multi-factor authentication (MFA), to the extent possible, for all services, especially webmail, virtual private networks, and accounts that access critical systems.
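Because the attack described above ends with a covert forwarding rule, a practical post-patch check is to audit every mailbox for rules that forward or redirect mail outside the organisation. The script below is an added example, not code from the advisory or from Microsoft; it assumes an Exchange Management Shell session and that $InternalDomains (a placeholder) lists your accepted SMTP domains.

```powershell
# Added example: hunt for external mail forwarding across all mailboxes.
# Assumption: $InternalDomains holds the SMTP domains considered internal (placeholder values).
$InternalDomains = @('example.com', 'corp.example.com')

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Inbox-rule recipients render as '"Display Name" [SMTP:user@domain]'; extract the address.
    if ($Recipient -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $Recipient }
    $domain = ($addr -split '@')[-1].ToLower()
    return ($InternalDomains -notcontains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding set on the mailbox object itself (Set-Mailbox), not an inbox rule
    if ($mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Rule    = '<mailbox ForwardingSmtpAddress>'
            Target  = [string]$mbx.ForwardingSmtpAddress
        }
    }
    # -IncludeHidden also returns rules created through MAPI that the user cannot see in Outlook
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -IncludeHidden -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalRecipient ([string]$t)) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Rule    = $rule.Name
                    Target  = [string]$t
                }
            }
        }
    }
}

# Anything listed here should be verified with the mailbox owner and removed if unexpected.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Enumerating inbox rules for every mailbox is slow on large tenants; scope Get-Mailbox to privileged or high-value users first if a full sweep is impractical.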

Cisco Enterprise NFV Infrastructure Software Authentication Bypass Vulnerability

Cisco released an advisory for a critical vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) that could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator.

This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device.

This vulnerability affects Cisco Enterprise NFVIS Release 4.5.1 if the TACACS external authentication method is configured.

RECOMMENDATIONS

  • Apply the patches and keep the systems updated as per the details in Cisco's advisory.

Microsoft MSHTML Remote Code Execution Vulnerability – CVE-2021-40444

Microsoft has detected a number of attacks targeting a remote code execution vulnerability in MSHTML, which affects Microsoft Windows. The vulnerability (CVE-2021-40444) affects Windows Server 2008 – 2019 and Windows 8.1 – 10 and has a severity rating of 8.8.

According to the notification, Microsoft Office by default opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.

The advisory states that Microsoft Defender Antivirus and Microsoft Defender for Endpoint both protect against exploitation of this vulnerability. Anyone who runs these tools with automatic updates enabled is protected. The Microsoft Defender alert is labelled “Suspicious Cpl File Execution”.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a notification emphasizing the importance of implementing mitigation measures to reduce the impact of this vulnerability.

RECOMMENDATIONS

  • Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Choose detection build 1.349.22.0 or newer and deploy it across your environments if you self-manage Microsoft Defender updates.
  • Review the official notification and implement necessary workarounds to mitigate the risk until an official patch is available.

Ghostscript RCE advisory

A new Ghostscript RCE zero-day vulnerability has been disclosed through proof-of-concept code published on GitHub by Vietnamese security researcher Nguyen The Duc.

Ghostscript is a small library for processing PDF documents and PostScript-based files. While primarily used by desktop software, Ghostscript is also used server-side for image processing by toolkits such as ImageMagick. The PoC posted on GitHub allows an attacker to upload a malformed SVG file that escapes the image processing pipeline and runs malicious code on the underlying operating system. The PoC was demonstrated on an Ubuntu server running ImageMagick with its default settings.

RECOMMENDATIONS

  • Do an inventory of applications using ImageMagick with Ghostscript 9.50. If applications are identified running older versions of Ghostscript, they must be patched to the latest version, 9.54.
  • Make efforts to increase visibility through endpoint detection, response, and logging. Carry out tabletop exercises for preparedness. Fostering a culture that emphasizes security awareness and allows employees to work efficiently in a crisis reduces the overall frequency, impact, and cost of security incidents.
