Top Middle East Cyber Threats – 14 Sep 2020


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
DVMRP Memory Exhaustion Vulnerabilities in Cisco IOS XR Software
Cisco recently reported two zero-day vulnerabilities dubbed CVE-2020-3566 and CVE-2020-3569 in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software.
These vulnerabilities could allow unauthenticated, remote attackers to exhaust the process memory of an affected device. The vulnerabilities are due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.
The two zero-day vulnerabilities CVE-2020-3566 and CVE-2020-3569 affect Cisco devices running any version of Cisco IOS XR Software with multicast routing enabled on any of their interfaces. Help AG addressed the importance of implementing the necessary workarounds to mitigate the potential impact of vulnerability CVE-2020-3566 dated 30 Aug 2020.
On 31 Aug 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning administrators to deploy the necessary workarounds as soon as possible. Only products listed in the “Affected Products” section of the official notification are confirmed to have been impacted.
Recommendations

  • Review the official notification and implement necessary workarounds in accordance with the steps provided by the manufacturer.
  • Implement a rate limiter as a first line of defense, and further add an access control entry (ACE) to the access control list (ACL) of an interface where one is already configured. Alternatively, customers can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface.
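
One way to verify the ACL workaround on a saved running-config, as an added example (not from the original advisory or from Cisco). The config excerpt is constructed, the function names are hypothetical, and the `deny igmp any any dvmrp` entry and `ipv4 access-group <name> ingress` syntax are assumed from Cisco IOS XR conventions; confirm them against the official notification.

```python
import re

# Constructed IOS XR-style excerpt ("!" separators omitted); not from a real device.
SAMPLE_CONFIG = """\
ipv4 access-list EDGE-IN
 10 deny igmp any any dvmrp
 20 permit ipv4 any any
ipv4 access-list LEGACY-IN
 10 permit ipv4 any any
 20 deny igmp any any dvmrp
interface GigabitEthernet0/0/0/0
 ipv4 access-group EDGE-IN ingress
interface GigabitEthernet0/0/0/1
 ipv4 access-group LEGACY-IN ingress
interface GigabitEthernet0/0/0/2
"""

DENY_DVMRP = re.compile(r"\d+\s+deny\s+igmp\s+any\s+any\s+dvmrp$")
BROAD_PERMIT = re.compile(r"\d+\s+permit\s+(ipv4|igmp)\s+any\s+any$")
ACCESS_GROUP = re.compile(r"ipv4\s+access-group\s+(\S+)\s+ingress$")

def parse_stanzas(config):
    """Map each top-level stanza header to its indented child lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        elif line.strip() not in ("", "!"):
            current = line.strip()
            stanzas[current] = []
    return stanzas

def blocks_dvmrp(entries):
    """True if a DVMRP deny is reached before a broad permit shadows it."""
    for entry in entries:
        if DENY_DVMRP.match(entry) or BROAD_PERMIT.match(entry):
            return bool(DENY_DVMRP.match(entry))
    return False

def audit(config):
    """Return {interface: reason} where no effective inbound DVMRP deny applies."""
    stanzas, findings = parse_stanzas(config), {}
    ifaces = {h.split()[1]: b for h, b in stanzas.items() if h.startswith("interface ")}
    for name, body in ifaces.items():
        acl = next((m.group(1) for m in map(ACCESS_GROUP.match, body) if m), None)
        if acl is None:
            findings[name] = "no ingress ACL"
        elif not blocks_dvmrp(stanzas.get("ipv4 access-list " + acl, [])):
            findings[name] = acl + ": DVMRP deny missing or shadowed"
    return findings
```

The check flags every interface stanza, so interfaces where multicast routing is not enabled can be ignored when reading the result.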

Cisco Updates on ASA and FTD Read-Only Path Traversal Vulnerability – CVE-2020-3452
Earlier this year, on 22 July 2020, Cisco reported a “High” severity read-only path traversal vulnerability dubbed CVE-2020-3452 in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The vulnerability could allow an unauthenticated, remote attacker to perform directory traversal attacks and read sensitive files on a targeted system.
Cisco researchers were already aware of the existence of public exploit code for CVE-2020-3452 and of its successful exploitation. Cisco’s latest amendment clarifies that VPN user login credentials are not exposed and includes updates on the availability of fixed software.
Only products listed in the “Vulnerable Products” sections of the official notification are confirmed to have been impacted.
Recommendations

Firefox Security Updates
Mozilla Foundation Security has issued three “High” severity security alerts (MFSA 2020-36, MFSA 2020-37, and MFSA 2020-38) to fix multiple vulnerabilities in the Firefox browser. A local attacker may replace the Mozilla Maintenance Service executable with a vulnerable version. Similarly, a remote attacker could also entice a user running a vulnerable browser to visit a web page with specially crafted content to exploit the vulnerabilities.
Affected Products:

Notification Reference    Details
MFSA 2020-36              Security Vulnerabilities fixed in Firefox 80
MFSA 2020-37              Security Vulnerabilities fixed in Firefox ESR 68.12
MFSA 2020-38              Security Vulnerabilities fixed in Firefox ESR 78.2

Successful exploitation of the vulnerabilities could lead to arbitrary code execution, information disclosure, escalation of privilege, security restriction bypass, or installation of a malicious extension on an affected system.
Recommendations

  • Download the latest release of Firefox 80, or of Firefox ESR 68.12 and 78.2, for Windows, Macintosh, and Linux from official resources only.

APT Group DeathStalker Strikes Again
Ransomware attacks and leaks of customer data to competitors are among the widely recognized risks that modern organizations face. Among the many adversary groups, DeathStalker (a group of mercenaries) is a threat group usually found targeting law firms and financial-sector companies. They offer hacking services or act as information brokers in financial circles.
Recently, the DeathStalker group began operating through spear-phishing emails with attached archives that contain a malicious LNK file. In Explorer or in popular zip-extraction products, the attachment appears to be a normal document. Attempts to open the attachment from the email lead to the execution of the command prompt, resulting in the execution of arbitrary code on the victim’s machine.
The continuous enhancement of the toolchain and the design of the evasion techniques in the recent campaign show that the actors rigorously test each build against popular endpoint detection tools. Having monitored the group since 2018, Kaspersky was able to associate its activities with three malware families, namely Powersing, Evilnum, and Janicab.
Powersing-related activities have also been observed in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom, and the United Arab Emirates since the beginning of the pandemic. Public disclosure of information related to DeathStalker is meant to serve as a baseline of what the private sector should be able to defend against.
Recommendations

  • Do not open suspicious emails or click on unknown links or attachments. The easiest way to check a link is to hover over it with your mouse.
  • Make sure to check the file extensions of the files you download. Document files do not use the .EXE or .LNK file formats.
  • Do not open attachments unless you fully trust the source they came from.
  • Block indicators of compromise within respective security controls organization wide. 
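
The extension check recommended above can be automated on a mail gateway or triage host. The following is an added example, not code from the original advisory: it inspects a zip attachment for .LNK/.EXE members and also reads each member's first bytes, so a shortcut renamed to a document extension is still caught. The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK format).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
RISKY_EXT = (".lnk", ".exe")  # the two extensions the advisory names

def scan_archive(data):
    """Return {member: [reasons]} for zip members that look like shortcuts or executables."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            base = info.filename.lower().rsplit("/", 1)[-1]
            if base.endswith(RISKY_EXT):
                reasons.append("risky extension")
                if base.count(".") > 1:  # e.g. invoice.pdf.lnk
                    reasons.append("double extension")
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("LNK header")
            elif head[:2] == b"MZ":
                reasons.append("PE header")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed attachment: benign text, a shortcut posing as a PDF, a renamed shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "quarterly figures attached")
        zf.writestr("Invoice.pdf.lnk", LNK_MAGIC + bytes(56))
        zf.writestr("notes.docx", LNK_MAGIC + bytes(56))
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample()).items():
        print(member, "->", ", ".join(reasons))
```

Password-protected archives cannot be read this way and should be treated as unscanned rather than clean.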
