Top Middle East Cyber Threats – 16 August 2021

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. Read on to learn what you need to look out for in the weeks ahead:

STORMOUS Ransomware Attacks

The Help AG Cyber Threat Intelligence Team is aware of recent activity by the threat actor STORMOUS, which claims to be planning new cyber-attacks against companies in Dubai with the aim of infecting them with ransomware.

STORMOUS has recently carried out multiple web defacement attacks, using web application vulnerabilities as the initial access vector.

On 4 August 2021 the group posted on its Telegram channel that it is almost finished with Saudi Arabia and that its next targets will be Dubai companies.

“Welcome: I think that we are close to finishing the attack against Saudi Arabia, but let’s say that we have penetrated four companies and its largest site. That is why we say to you that the breaches that will be against Dubai will be specific to its company, so there will be ransomware attacks soon.”

RECOMMENDATIONS

  • Ensure all systems and security controls are patched and up to date.
  • Ensure all public-facing servers are protected by a Web Application Firewall (WAF).
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Do not allow macros in Office files from unknown or untrusted sources.
  • Enable software restriction policies and application whitelisting.
  • Ensure the email server is configured to block suspicious attachments.
  • Enforce the Restricted PowerShell execution policy for end users.
  • Ensure frequent offline backups are in place.
  • Educate employees on detecting and reporting phishing and other suspicious emails.

Cisco Security Updates

Threat actors closely monitor critical vulnerability disclosures and attempt to weaponize them for future attacks. Cisco recently disclosed one "Critical", four "High" and four "Medium" vulnerabilities across its product lines, including the Cisco ASDM, RV340 and RV340W, among others.

The critical advisory covers multiple vulnerabilities in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345 and RV345P Dual WAN Gigabit VPN Routers. An attacker could exploit them to execute arbitrary code, cause a denial of service (DoS) condition, or execute arbitrary commands. Cisco has released software updates that address these vulnerabilities; there are no workarounds.

RECOMMENDATIONS

  • Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Comply with the official notification issued by Cisco and patch vulnerable infrastructure as soon as possible so that threat actors do not exploit them.
  • Ensure that the systems are correctly configured and that the security features are enabled.
  • Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
  • Use Multi-Factor Authentication (MFA) for all services to the extent possible.

SystemNightmare

Researchers have released a PoC showing that Microsoft's fix for the PrintNightmare vulnerability was incomplete.

Kevin Beaumont published a PoC named SystemNightmare that exploits this vulnerability: running a single .bat file performs a local elevation of privilege (EoP) and immediately opens a command prompt with SYSTEM privileges.

Beaumont stated that the PoC works on all supported and legacy versions of Windows.

Help AG has observed recent posts on hacking forums discussing this vulnerability, and it is highly likely that threat actors will develop exploits for local privilege escalation.

RECOMMENDATIONS

  • Configure the Point and Print and Package Point and Print policy settings so that printer connections and driver installation are restricted to an explicit list of approved print servers.
  • Restrict outbound CIFS/SMB/RPC traffic from endpoints, so that a host cannot be made to fetch a driver from an attacker-controlled print server.
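The following is an added example, not code from the Help AG advisory and not Microsoft's own tooling, showing how the two recommendations above can be applied on a workstation: it writes the registry values behind the "Point and Print Restrictions" and "Package Point and print - Approved servers" policies, and adds Windows Firewall rules that block outbound SMB and the RPC endpoint mapper towards Internet addresses. The print server names are assumed placeholders; run it in an elevated PowerShell session.

```powershell
# Added example (not part of the Help AG advisory, not Microsoft's tooling).
# Applies Point and Print restrictions and outbound SMB/RPC blocking on a host.
# Run elevated. The server names below are assumed placeholders.

$ApprovedPrintServers = @('print01.corp.example', 'print02.corp.example')   # assumed

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = Join-Path $PrintersPolicy 'PointAndPrint'
$PackagePnP     = Join-Path $PrintersPolicy 'PackagePointAndPrint'

function Set-PointAndPrintRestrictions {
    param([Parameter(Mandatory)][string[]]$Servers)

    # "Point and Print Restrictions" policy: connect only to the servers in
    # ServerList, and keep both prompt settings at 0 so that installing or
    # updating a driver always shows the elevation prompt. A non-zero value in
    # either prompt setting re-enables the behaviour PrintNightmare relies on.
    New-Item -Path $PointAndPrint -Force | Out-Null
    Set-ItemProperty -Path $PointAndPrint -Name 'Restricted'     -Type DWord  -Value 1
    Set-ItemProperty -Path $PointAndPrint -Name 'TrustedServers' -Type DWord  -Value 1
    Set-ItemProperty -Path $PointAndPrint -Name 'ServerList'     -Type String -Value ($Servers -join ';')
    Set-ItemProperty -Path $PointAndPrint -Name 'NoWarningNoElevationOnInstall' -Type DWord -Value 0
    Set-ItemProperty -Path $PointAndPrint -Name 'UpdatePromptSettings'          -Type DWord -Value 0

    # "Package Point and print - Approved servers" policy: package-aware
    # drivers may only be installed from the servers listed under ListofServers.
    $List = Join-Path $PackagePnP 'ListofServers'
    New-Item -Path $List -Force | Out-Null
    Set-ItemProperty -Path $PackagePnP -Name 'PackagePointAndPrintServerList' -Type DWord -Value 1
    (Get-Item -Path $List).Property |
        ForEach-Object { Remove-ItemProperty -Path $List -Name $_ }   # drop stale entries
    foreach ($Server in $Servers) {
        Set-ItemProperty -Path $List -Name $Server -Type String -Value $Server
    }
}

function Block-OutboundSmbAndRpcToInternet {
    # SystemNightmare-style PoCs make the victim connect outbound to a print
    # server the attacker hosts. Block SMB (TCP 139/445, UDP 137/138) and the
    # RPC endpoint mapper (TCP 135) towards Internet addresses; approved print
    # servers on the intranet are unaffected. Adjust -RemoteAddress if your
    # print servers sit outside the ranges Windows classifies as "Intranet".
    $Rules = @(
        @{ Name = 'Block outbound SMB TCP to Internet';     Protocol = 'TCP'; Port = @(139, 445) },
        @{ Name = 'Block outbound NetBIOS UDP to Internet'; Protocol = 'UDP'; Port = @(137, 138) },
        @{ Name = 'Block outbound RPC EPM to Internet';     Protocol = 'TCP'; Port = 135 }
    )
    foreach ($R in $Rules) {
        if (-not (Get-NetFirewallRule -DisplayName $R.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $R.Name -Direction Outbound -Action Block `
                -Protocol $R.Protocol -RemotePort $R.Port -RemoteAddress 'Internet' `
                -Profile Any | Out-Null
        }
    }
}

function Get-PointAndPrintState {
    # Read back the applied values so the result can be verified or logged.
    $p = Get-ItemProperty -Path $PointAndPrint -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Restricted                    = $p.Restricted
        TrustedServers                = $p.TrustedServers
        ServerList                    = $p.ServerList
        NoWarningNoElevationOnInstall = $p.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $p.UpdatePromptSettings
        PackageApprovedServers        = (Get-Item -Path (Join-Path $PackagePnP 'ListofServers') -ErrorAction SilentlyContinue).Property
    }
}

Set-PointAndPrintRestrictions -Servers $ApprovedPrintServers
Block-OutboundSmbAndRpcToInternet
Get-PointAndPrintState | Format-List
```

In a domain the same values are normally delivered through Group Policy (Computer Configuration > Administrative Templates > Printers); the script is useful for standalone hosts and for verifying that the policy actually landed. Note that the two prompt settings are the ones that matter most: any non-zero value in NoWarningNoElevationOnInstall or UpdatePromptSettings leaves the host exposed even with the patch installed.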

Microsoft Security Updates – August 2021

Microsoft released its August 2021 updates, addressing high-severity flaws across a range of products. The release fixes 44 security flaws, or 51 if the Microsoft Edge (Chromium-based) fixes released earlier in the month are counted.

Seven of the 44 vulnerabilities are rated "Critical" and the remaining 37 are rated "Important".

CVE-2021-36948 is an elevation of privilege vulnerability in the Windows Update Medic Service with a CVSS score of 7.8 out of 10. It was discovered and patched internally by Microsoft, and was already being exploited in the wild as a zero-day when the patch shipped.

The Windows LSA spoofing flaw (CVE-2021-36942) was publicly known before the patch. Microsoft rates it only "Important", but it carries a CVSS score of 9.8; according to several analyses the patch provides "further protection against NTLM relay attacks", in particular the PetitPotam authentication-coercion technique. CVE-2021-36936 is another publicly known vulnerability, rated Critical (CVSS 8.8); it affects the Windows Print Spooler and can lead to remote code execution (RCE).

Microsoft has also changed how Windows Point and Print works to address PrintNightmare. With the August updates installed, users who are not administrators can no longer install new printers using drivers from a remote server, or update existing printer drivers from a remote server, without elevating to administrator.

Also patched this month is a Critical Remote Desktop client RCE vulnerability (CVE-2021-34535) with a CVSS score of 9.9. An attacker who can persuade a vulnerable RDP client to connect to an RDP server they control can gain control of the client system. A malicious program running in a guest VM on a Hyper-V host could likewise exploit the same vulnerability through the Hyper-V Viewer to achieve guest-to-host RCE.

Other Critical vulnerabilities patched this month include:

RECOMMENDATIONS

  • Review the August 2021 release notes and deployment information for details and apply the necessary patches as soon as possible.
  • Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Microsoft's Knowledge Base article KB5005652 describes the registry changes needed if an organization wants to revert the new default Point and Print driver-installation behaviour, which Microsoft does not recommend. Read it in full before making any changes.
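As an added example (not from the advisory or from KB5005652), the script below checks whether the August 2021 driver-installation default described above is still in effect on a host, by reading the RestrictDriverInstallationToAdministrators value that KB5005652 documents, and re-asserts it if something has set it to 0. Run it elevated.

```powershell
# Added example (not part of the Help AG advisory or KB5005652): report whether
# the August 2021 Point and Print driver-installation default is in effect, and
# optionally re-assert it. Run elevated.

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueName     = 'RestrictDriverInstallationToAdministrators'

function Test-DriverInstallRestriction {
    # After the August 2021 update the value is treated as 1 when it is absent:
    # only administrators can install or update print drivers via Point and
    # Print. A value of 0 restores the pre-patch behaviour (not recommended).
    $v = (Get-ItemProperty -Path $PointAndPrint -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $display = if ($null -eq $v) { '(not set, defaults to 1)' } else { $v }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $display
        Hardened     = ($null -eq $v) -or ($v -eq 1)
    }
}

function Set-DriverInstallRestriction {
    # Write the value explicitly, so a later script or GPO that sets it to 0
    # shows up in an audit as a change rather than as "not set".
    New-Item -Path $PointAndPrint -Force | Out-Null
    Set-ItemProperty -Path $PointAndPrint -Name $ValueName -Type DWord -Value 1
}

$state = Test-DriverInstallRestriction
if (-not $state.Hardened) {
    Write-Warning "$($state.ComputerName): $ValueName is $($state.Value); non-admins can install print drivers"
    Set-DriverInstallRestriction
}
Test-DriverInstallRestriction
```

The same check can be run across a fleet with Invoke-Command and the Hardened column collected, which turns the KB's registry note into a quick way to find hosts where someone has opted back into the old behaviour.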
