Threat advisories

Top Middle East Cyber Threats – 15 Feb 2021

Feb-2021 8 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Microsoft SharePoint Remote Code Execution (RCE) Vulnerability – CVE-2021-1707

Organizations are advised to remediate important and serious vulnerabilities involving remote code execution flaw found in Microsoft SharePoint (CVE-2021-1707). This vulnerability is due to improper validation of website controls. It can be used by a remote attacker to execute arbitrary code within the context of the target system.

Affected products:

Microsoft SharePoint Server 2019
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Foundation 2010 Service Pack 2

For exploitation, a single authentication is required.

RECOMMENDATIONS

Apply the most recent upgrade or patch released by Microsoft.
Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
Install a personal firewall, designed to reject unsolicited connection requests, on department workstations.
Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

Cyber Espionage Campaign by Static Kitten Against Government Agencies in UAE and Kuwait

In a recent investigation report, threat researchers discovered a malicious activity that is most likely linked to a cyber espionage organization from Iran. The Static Kitten group (aka MuddyWater, POWERSTATS, Temp.Zagros, MERCURY, Seedworm and NTSTATS) is known to target multiple sectors mainly located in the Middle East. Using tactics, techniques, and procedures (TTPs) aligned with previous Static Kitten operations, this new campaign uses ScreenConnect launch parameters designed as part of the custom field to target any MOFA with mfa[.]gov. The actors targeted numerous organizations through fake emails referring to the normalization of Arab-Israeli relations or through scholarship opportunities.

Researchers identified samples with references that were deliberately manipulated as Government of Kuwait and the UAE National Council. The report indicated that Static Kitten was using two ZIP files intended to lure users into downloading an alleged report on relations between Arab countries and Israel or a scholarship file. The emails originally contained a hyperlink that would then redirect the user to a OneHub-hosted downloader URL, which is an online file storage facility, once opened. In past campaigns, OneHub has been used by Static Kitten. A comparable second example uses a .docx file that attempts to direct users to a malicious URL that downloads a ZIP file. An EXE within the ZIP of the same name will also begin the installation phase of ScreenConnect when it is executed.

Due to the broad range of functionalities it provides, remote desktop management software is a popular target and tool used by threat actors. OneHub has previously been attributed to an Iran-nexus campaign known as Operation Quicksand.

RECOMMENDATIONS

Do not open suspicious emails, click on unknown links or attachments. The easiest approach to check a link is by hovering over it with your mouse.
Use multi-factor authentication (MFA) for all services, especially webmail, virtual private networks, and accounts that access critical systems.
Apply the Principle of Least Privilege wherever applicable to all systems and services.
Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
Make sure to check the file extensions of the files you downloaded. Document files do not use .EXE or .LNK file format.
Install a personal firewall, designed to reject unsolicited connection requests, on department workstations.
Use portable media (for example, USB thumb drives, external drives, CDs) with caution.
Block the indicators of compromise within respective security controls organization wide.

Uncovering “Raindrop” Malware from Further SolarWinds Investigation

In a recent investigation report, Symantec found an additional piece of malware used in the SolarWinds attacks which was used against a small group of victims who were of concern to the attackers. The Raindrop loader was found to be somewhat similar to the already reported Teardrop tool. Raindrop (Backdoor.Raindrop) is a loader which delivers a payload of Cobalt Strike. Although the original Sunburst backdoor (Backdoor.Sunburst) supplied Teardrop, Raindrop appears to have been used for spreading around the network of the victim. The investigation does not show proof that Raindrop has been sent directly by Sunburst till date. Rather, it appears elsewhere on networks where Sunburst has already infected at least one device.

Like Teardrop, Raindrop uses a custom packer to pack Cobalt Strike and act as a loader for Cobalt Strike beacon. Raindrop is compiled as a DLL, developed from a modified 7-Zip source code version. Three samples were configured to use HTTPS as a communication protocol by Cobalt Strike through 4 different samples discovered by Symantec, and the fourth was configured to use SMB Named Pipe as a communication protocol. Although Teardrop was used on computers compromised by the original Sunburst Trojan, Raindrop was used elsewhere on the network to move laterally and deploy payloads on other computers by the attackers.

RECOMMENDATIONS

Apply missing security patches immediately and institutionalize security patching as part of a periodic process.
Apply the Principle of Least Privilege wherever applicable to all systems and services.
Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
Restrict the right of users to install and run unauthorized software applications (permissions). Do not connect users to the group of local administrators unless necessary.
Do not open suspicious emails, click on unknown links or attachments. The easiest approach to check a link is by hovering over it with your mouse.
Make sure to check the file extensions of the files you downloaded. Document files do not use .EXE or .LNK file format.
Install a personal firewall, designed to reject unsolicited connection requests, on department workstations.
Use portable media (for example, USB thumb drives, external drives, CDs) with caution.
Block the indicators of compromise within respective security controls organization wide.

APT Group (Lebanese Cedar) Targeted Hosting Services, Telecoms & ISPs Worldwide

Recently, suspicious network activities and hacking tools have been discovered across several organizations and detailed examination of the compromised networks has shown a clear connection to a threat actor identified as “Lebanese Cedar”. Researchers indicate that “Lebanese Cedar” APT has been active since 2012. Check Point researchers and Kaspersky labs first discovered the activities of this APT group in 2015. “Lebanese Cedar” APT has maintained a low profile and worked under the spotlight since 2015, and it has even been referred to as “Volatile Cedar”. The “Lebanese Cedar” APT group was linked by ClearSky experts to intrusions involving telecommunications companies, internet service providers, hosting providers, and managed hosting and application companies.

Intrusion into Oracle and Atlassian Web servers is the key attack vector of the APT group. A detailed report notes that the intrusion into all these systems was carried out by leveraging known vulnerabilities in unpatched systems and utilizing open-source hacking tools to find loopholes.

Help AG has received credible intelligence suggesting that the threat actor has either provided or sold the exploit kit to members of a militant paramilitary organization. We have reasons to suspect that the following vulnerabilities are most prone to exploitation based on this reliable intelligence:

There are a number of indications linking recent attacks to a politically motivated group, where the focus of the threat actor is to gather information and steal sensitive data from targeted businesses. Interestingly, “Lebanese Cedar” is the only known threat actor using this code to deploy the Explosive RAT payload to the victim network. The group’s compromised servers were primarily found in Europe, but also in the United Arab Emirates, Egypt, Saudi Arabia, and more. We expect the threat group to target UAE organizations, based on intelligence received from our cyber intelligence partners. The group is also expected to leverage the vulnerabilities to identify potential passwords and technical documents stored in vulnerable JIRA systems.

RECOMMENDATIONS

Apply missing security patches immediately and institutionalize security patching as part of a periodic process.
Check the known exploitable vulnerabilities listed in the advisory description and apply necessary patches as a priority.
Apply the Principle of Least Privilege wherever applicable to all systems and services.
Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
Restrict the right of users to install and run unauthorized software applications (permissions). Do not connect users to the group of local administrators unless necessary.
Block the indicators of compromise within respective security controls organization wide.

Remote Code Execution Vulnerabilities in Cisco Small Business Routers

Cisco reported several vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers. The vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. The primary cause of the vulnerabilities was confirmed to be improper HTTP request validation.

These vulnerabilities may be exploited by an attacker by sending a modified HTTP request to an affected device’s web-based management interface. Successful exploit may allow the attacker to execute arbitrary code on the computer remotely.

Cisco has released software updates to address the vulnerabilities that are impacting the vulnerable products.

The Cisco advisory also noted that the products below were not vulnerable: