TOP MIDDLE EAST CYBER THREATS - 15 MARCH 2018
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures for some of the largest enterprises in the region. As a result of this, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top three cyber security threats that our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
MEA Malware that Can ‘Steal What it Wants’
“Slingshot” was recently uncovered by Kaspersky Lab in the Middle East and Africa (MEA). This powerful Advanced Persistent Threat (APT) has infected thousands of victims across the region by compromising their MikroTik routers, though it is possible that other manufacturers’ routers are affected too. While it is not yet clear how the routers were infected in the first place, we now know these compromised devices are being used to load malicious modules onto the victim’s system, including Cahnadr and GollumApp, both of which are extremely powerful.
Analysis indicates that the attackers can gather information and exfiltrate data such as screenshots, keystrokes, network data, clipboard data and USB connections, and possibly much more given the code’s access to the kernel.
Hidden Cobra Targets Turkish Financial Sector
Cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. According to the available intelligence, financial organizations in Turkey were targeted via spear-phishing emails carrying a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit for CVE-2018-4878, which attempts to create a process that downloads the payload from the URL (http://falcancoin.io/data/) and then executes it. Even though Turkey is currently the targeted country, financial institutions in other regions should also keep watch.
Check and upgrade to the latest Adobe Flash Player (version 22.214.171.124). Adobe Flash Player installed with Google Chrome, Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 is updated automatically to the latest version; however, systems without internet connectivity will need to be updated separately.
Security teams should also educate users on how to identify and report suspicious emails, and ensure the right controls are in place to scan and sanitize inbound emails, such as using sandbox technology to scan all incoming messages.
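A first-pass triage check for the delivery mechanism described above, as an added example and not code from Help AG or the original post: a Word document in OOXML format is a zip container, so a mail-scanning pipeline can open it offline and look for parts that carry Flash content before the file ever reaches a user. The check flags any embedded part that starts with an SWF file header (FWS, CWS or ZWS) and any XML part that references the Shockwave Flash ActiveX CLSID. The sample documents are constructed in memory; the function names and the threshold of "any Flash content is suspicious" are assumptions of this example, and a real pipeline would still detonate the file in a sandbox.

```python
import io
import re
import zipfile

# Magic bytes at the start of a Flash (SWF) file: uncompressed, zlib- and LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# CLSID of the Shockwave Flash ActiveX control, as referenced from word/activeX/*.xml.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
CLSID_RE = re.compile(re.escape(FLASH_CLSID), re.IGNORECASE)


def find_flash_objects(docx_bytes: bytes) -> list:
    """Return (part_name, reason) pairs for parts of an OOXML document that look like
    embedded Flash content. Returns [] for a clean document or for input that is not
    a zip container at all (a non-OOXML attachment is handled elsewhere in a pipeline)."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            data = archive.read(info.filename)
            # Embedded objects (word/embeddings/*) that are raw SWF files.
            if data[:3] in SWF_MAGICS:
                findings.append((info.filename, "SWF header %s" % data[:3].decode()))
                continue
            # ActiveX control definitions that instantiate the Flash player.
            if info.filename.lower().endswith(".xml") and CLSID_RE.search(
                data.decode("utf-8", "replace")
            ):
                findings.append((info.filename, "Shockwave Flash ActiveX CLSID"))
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip in memory (a constructed sample, not a real
    document from the campaign). The suspicious variant carries an SWF stub as an
    embedded object plus a Flash ActiveX reference, the shape the triage check targets."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # "CWS" + version byte + padding: only the header matters for this check.
            z.writestr("word/embeddings/oleObject1.bin", b"CWS\x0a" + b"\x00" * 16)
            z.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{%s}"/>' % FLASH_CLSID.lower(),
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)),
                       ("suspicious", build_sample_docx(True))):
        hits = find_flash_objects(doc)
        print(label, "->", hits or "no Flash content found")
```

The header check only catches SWF files stored as bare embedded parts; Flash wrapped inside an OLE compound file would need the OLE container parsed as well, which is why the CLSID check on the ActiveX XML is kept alongside it.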
Memcached Amplified DDoS Attacks Hit 7,000+ Websites
In the last 10 days we have seen the largest amplification Distributed Denial of Service (DDoS) attacks in history, targeting a large number of globally reputed organizations, including a 1.7 Tbps DDoS attack against GitHub. Instead of using a botnet, attackers amplified their attacks by weaponizing misconfigured Memcached servers.
What is Memcached?
Memcached is a distributed in-memory caching system used by database-driven applications such as websites; it keeps the most frequently retrieved data in memory rather than reading it from disk over and over again. It is a combination of open-source software and standard server memory hardware.
These attacks achieve amplification by sending small requests to a Memcached server on UDP port 11211 with the source address spoofed to that of the victim, so that the server’s far larger responses are delivered to the victim instead of the sender. The response from the Memcached server can be 10,000 times the size of the request, hence the amplification. This is possible because Memcached’s UDP support was implemented without safeguards against unauthenticated, spoofed requests, so any Memcached UDP listener exposed to the internet can be abused to execute DDoS attacks.
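Two checks a defender would want for the mechanism described above, as an added example that is not code from Help AG or the original post. The first inspects a memcached command line for the two real flags that close the hole (-U 0 disables the UDP listener; -l binds the service to a specific address), treating older builds' historical defaults (UDP enabled, all interfaces) as the baseline. The second runs over constructed, NetFlow-style records as seen from the server side and flags peers that receive far more bytes from port 11211 than they ever sent to it, which is what a spoofed reflection looks like from the abused server. The record layout, the ratio threshold and the function names are assumptions of this example.

```python
from collections import defaultdict
import shlex

MEMCACHED_PORT = 11211
# Response/request byte ratio above which a UDP exchange is treated as reflection.
# Real clients fetch roughly what they asked for; a ratio in the hundreds or more is
# only explained by someone else's spoofed requests. Threshold is an assumption.
RATIO_THRESHOLD = 100.0


def memcached_udp_exposed(cmdline: str) -> bool:
    """True if this memcached command line leaves UDP reachable beyond loopback.
    Uses the real flags -U <port> (0 disables UDP) and -l <addr>[,<addr>...].
    Assumes bare addresses in -l (the addr:port form is not parsed here)."""
    args = shlex.split(cmdline)
    udp_port = MEMCACHED_PORT  # historical default: UDP enabled on 11211
    listen = "0.0.0.0"         # default: listen on all interfaces
    i = 0
    while i < len(args):
        a = args[i]
        if a == "-U" and i + 1 < len(args):
            udp_port = int(args[i + 1]); i += 2; continue
        if a.startswith("-U") and len(a) > 2:
            udp_port = int(a[2:]); i += 1; continue
        if a == "-l" and i + 1 < len(args):
            listen = args[i + 1]; i += 2; continue
        if a.startswith("-l") and len(a) > 2:
            listen = a[2:]; i += 1; continue
        i += 1
    if udp_port == 0:
        return False
    loopback = ("127.0.0.1", "::1", "localhost")
    return not all(addr.strip() in loopback for addr in listen.split(","))


def find_amplification(flows):
    """Group UDP flows touching port 11211 by (server, peer) and return the pairs
    where bytes the server sent dwarf the bytes it received from that peer.
    Each flow is a dict: proto, src_ip, src_port, dst_ip, dst_port, bytes."""
    sent = defaultdict(int)      # (server, peer) -> bytes server -> peer
    received = defaultdict(int)  # (server, peer) -> bytes peer -> server
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["src_port"] == MEMCACHED_PORT:
            sent[(f["src_ip"], f["dst_ip"])] += f["bytes"]
        elif f["dst_port"] == MEMCACHED_PORT:
            received[(f["dst_ip"], f["src_ip"])] += f["bytes"]
    alerts = []
    for key, out_bytes in sent.items():
        in_bytes = received.get(key, 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= RATIO_THRESHOLD:
            alerts.append({"server": key[0], "victim": key[1],
                           "bytes_out": out_bytes, "bytes_in": in_bytes,
                           "ratio": ratio})
    return alerts


def sample_flows():
    """Constructed flow records: one legitimate lookup from 10.0.0.5, one TCP flow
    to be ignored, and three spoofed requests 'from' 198.51.100.7 (a documentation
    address standing in for the victim) that each trigger a 400 kB response."""
    flows = [
        {"proto": "udp", "src_ip": "10.0.0.5", "src_port": 40000,
         "dst_ip": "10.0.0.2", "dst_port": MEMCACHED_PORT, "bytes": 40},
        {"proto": "udp", "src_ip": "10.0.0.2", "src_port": MEMCACHED_PORT,
         "dst_ip": "10.0.0.5", "dst_port": 40000, "bytes": 1200},
        {"proto": "tcp", "src_ip": "10.0.0.2", "src_port": MEMCACHED_PORT,
         "dst_ip": "10.0.0.9", "dst_port": 50000, "bytes": 900000},
    ]
    for _ in range(3):
        flows.append({"proto": "udp", "src_ip": "198.51.100.7", "src_port": 80,
                      "dst_ip": "10.0.0.2", "dst_port": MEMCACHED_PORT, "bytes": 15})
        flows.append({"proto": "udp", "src_ip": "10.0.0.2", "src_port": MEMCACHED_PORT,
                      "dst_ip": "198.51.100.7", "dst_port": 80, "bytes": 400000})
    return flows


if __name__ == "__main__":
    for cmd in ("memcached -m 64 -p 11211 -u memcache",
                "memcached -m 64 -p 11211 -u memcache -U 0",
                "memcached -l 127.0.0.1 -U 11211"):
        print("%-48s UDP exposed: %s" % (cmd, memcached_udp_exposed(cmd)))
    for alert in find_amplification(sample_flows()):
        print("reflection suspected:", alert)
```

On the server side the fix is the first check: run memcached with -U 0 (or bind it to loopback with -l 127.0.0.1) and filter UDP 11211 at the perimeter. On the victim side, the flow check above is what upstream filtering or a scrubbing provider keys on, since the victim never sent the requests it is being answered for.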
As always, at Help AG, we’re here to protect your organization against these and any other cyber threats, so please reach out to us for all your cyber security needs.
Majid Khan, Manager Cybersecurity Managed Services at Help AG