TOP MIDDLE EAST CYBER THREATS - 16 DECEMBER 2018
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
1) Oil & Gas Sector Under Attack Once Again from Shamoon
Shamoon, one of the most destructive malware families, has re-emerged. The wiper that crippled Saudi Arabia’s largest oil producer in 2012 is once again primarily targeting energy-sector organisations in the Middle East.
The new edition, Shamoon 3, also called Disttrack, disables systems by overwriting key files, including the master boot record (MBR), so that the affected computers can no longer start up. It propagates rapidly across a compromised network over the Windows Server Message Block (SMB) protocol, much like WannaCry and NotPetya, although Shamoon uses SMB to copy itself to other hosts with credentials it already holds rather than by exploiting an SMB vulnerability.
Earlier Shamoon samples carried credentials hardcoded into the binary, harvested during the reconnaissance stage of the attack, i.e. when the threat actor collects logins for the target network. In the sample analysed here no credentials were embedded, although the code to use them for spreading is still present. This also means that no clues could be obtained from the sample that tie it to a specific target.
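Because the damage Shamoon does is to sector 0, a cheap host-level check is to read the first 512 bytes of the boot disk and verify that they still parse as an MBR (boot signature present, a sane partition table) and still match a baseline hash recorded while the host was healthy. The Python below is an added example written for this post, not Help AG’s or any malware researcher’s code; the device paths mentioned in its comments and the two sample sectors it constructs are assumptions of the example.

```python
"""Structural sanity check and fingerprint for a 512-byte Master Boot Record.

Added example: a wiper that overwrites the MBR leaves a sector whose boot
signature and partition table no longer make sense, and whose hash no longer
matches the baseline. Sample sectors below are constructed, not captured.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# One 16-byte partition entry: status, CHS start (skipped), type, CHS end (skipped),
# LBA start (u32 LE), sector count (u32 LE)
PART_FMT = "<B3xB3xII"


def read_sector0(device: str) -> bytes:
    """Read sector 0 from a raw device supplied by the operator.
    Examples (assumed, need admin/root): \\.\PhysicalDrive0 on Windows, /dev/sda on Linux."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_partitions(mbr: bytes):
    """Return the four partition table entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, mbr, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes):
    """Return a list of findings; an empty list means the sector looks structurally intact."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if len(set(mbr[:446])) == 1:
        findings.append("boot code region is a single repeated byte (overwritten?)")
    parts = parse_partitions(mbr)
    active = 0
    for n, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{p['status']:02x}")
        if p["status"] == 0x80:
            active += 1
        if p["type"] == 0x00 and (p["lba_start"] or p["sectors"]):
            findings.append(f"partition {n}: empty type with non-zero extent")
        if p["type"] != 0x00 and p["sectors"] == 0:
            findings.append(f"partition {n}: zero-length partition")
    if active > 1:
        findings.append("more than one partition marked active")
    if all(p["type"] == 0x00 for p in parts):
        findings.append("partition table is empty")
    return findings


def fingerprint(mbr: bytes) -> str:
    """SHA-256 of the sector, to compare against a baseline taken while the host was known-good."""
    return hashlib.sha256(mbr).hexdigest()


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a synthetic MBR (test data only)."""
    sector = bytearray(MBR_SIZE)
    sector[: len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, 446 + 16 * i, status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a disk with one active NTFS partition, and the same sector
# after a wiper has overwritten it with zeros.
GOOD_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" * 32, [(0x80, 0x07, 2048, 204800)])
WIPED_MBR = bytes(MBR_SIZE)

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("wiped", WIPED_MBR)):
        print(f"{name}: sha256={fingerprint(sector)[:16]}... findings={check_mbr(sector) or 'none'}")
```

In practice the baseline hash is recorded per host at build time and the check scheduled from a privileged agent; a signature or hash mismatch on a machine that has not been re-imaged is worth an immediate look, since a host that has just been wiped will not be around to report on itself after the next reboot.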
Prevention and Remediation:
- Block the published indicators of compromise (IoCs) at the perimeter and on endpoints to help identify and prevent attempts by this and similar threat actors to compromise domain user machines.
- Exercise caution when receiving unsolicited, unexpected, or suspicious emails.
- Enable strict web filtering to limit which external domains can be reached from inside the organisation.
- Deny ordinary domain users the ability to run executable files unless they have been explicitly permitted to do so.
- Assess and rank vulnerabilities by risk so that the most critical ones are mitigated first.
- Enforce a complex password policy; strong passwords make it harder to crack password hashes recovered from compromised computers.
- Ensure that programs and users run with the lowest privileges needed to complete a task. When prompted for a root or UAC password, confirm that the program requesting administrative access is a legitimate one.
- Enable advanced account security features such as multi-factor authentication (MFA) and login notifications wherever they are available.
2) Laying the Seed for Cyber Espionage
Seedworm, also known as MuddyWater, is an APT group that has been operating since 2017, with its most recent activity observed this month. The group has compromised government agencies, oil and gas organisations, NGOs, telecoms and IT firms.
The threat actors have been highly active since September 2018, hitting more than 130 victims across 30 organisations. Seedworm’s motivation is the same as that of other cyber-espionage groups: to acquire actionable information about the targeted organisations and individuals. It pursues that goal with a preference for speed and agility over operational security.
This relatively new espionage group has proven highly adaptable, using GitHub to host its malware and closely following developments in the InfoSec community via social networks.
That approach lets the gang evolve its tools constantly. The latest tool associated with the group, known as “Powemuddy”, is a backdoor deployed in the initial stages of an attack to establish persistence on the targeted machine. After compromising a system, the group runs a tool that steals passwords saved in the user’s web browsers and email client, showing that access to victims’ email, social media pages and chats is one of its objectives.
Seedworm’s victims are located in countries including Turkey, Russia, Saudi Arabia, Afghanistan, Jordan and the US. The group has also compromised organisations in Europe and North America that have ties to the Middle East.
Prevention and Remediation:
- Explicitly deny all incoming connections at the firewall and allow only the services you intend to offer to the outside world.
- Enforce a complex password policy; strong passwords make it harder to crack password hashes recovered from compromised computers.
- Ensure that programs and users run with the lowest privileges needed to complete a task. When prompted for a root or UAC password, confirm that the program requesting administrative access is a legitimate one.
- If file sharing is used on your network, restrict access with ACLs and authentication. Disable anonymous access to shared folders so that only user accounts with strong passwords can reach them.
- Keep patches up to date, especially on computers that host public services reachable through the firewall, such as HTTP, FTP, mail and DNS.
- Configure your email gateway to block or strip attachments of the file types commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Train employees not to open attachments unless they are expecting them, and not to run software downloaded from the Internet unless it has been scanned for malware. Merely visiting a compromised website can infect a machine if browser vulnerabilities are left unpatched.
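One way to implement the attachment-blocking control from the list above at a mail gateway, as an added example that is not Help AG’s code: the filter below parses a message with Python’s standard email library and rejects it when any attachment name carries a blocked extension, catching double extensions such as invoice.pdf.exe and mixed-case names such as Invoice.EXE. The extension list extends the page’s list with a few other script and shortcut types, and the sample messages are constructed inline; both are assumptions of the example.

```python
"""Attachment-name filter for a mail gateway (added example, not a product's code).

Rejects a message when any attachment's filename contains a blocked extension
anywhere in its suffix chain, so invoice.pdf.exe and Invoice.EXE are both caught.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The page's list (.vbs, .bat, .exe, .pif, .scr) plus other script/shortcut types
# that gateways commonly strip; extending the list is an assumption of this example.
BLOCKED_EXTENSIONS = {"vbs", "vbe", "bat", "cmd", "exe", "pif", "scr",
                      "js", "jse", "wsf", "hta", "ps1", "lnk"}


def risky_extensions(filename: str):
    """Return every blocked extension found in the filename's suffix chain.

    Every suffix after the first dot is checked, not only the last one, and the
    comparison is case-insensitive."""
    suffixes = filename.strip().lower().split(".")[1:]
    return [s for s in suffixes if s in BLOCKED_EXTENSIONS]


def scan_message(raw: bytes):
    """Parse a raw RFC 5322 message and return (blocked, [(filename, hits), ...])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdicts.append((name, risky_extensions(name)))
    blocked = any(hits for _, hits in verdicts)
    return blocked, verdicts


def build_sample(filename: str) -> bytes:
    """Construct a test message with one binary attachment (not a real captured email)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    # A few bytes of a PE header stand in for a real executable payload.
    msg.add_attachment(b"MZ\x90\x00\x03\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("invoice.pdf", "Invoice.PDF.exe", "setup.SCR", "notes.txt"):
        blocked, verdicts = scan_message(build_sample(name))
        print(f"{name:18} {'REJECT' if blocked else 'accept'} {verdicts}")
```

Name-based filtering is only the first layer: it does nothing about archives that carry the same file types inside them or about Office documents with macros, so pair it with content inspection and the user training point above rather than relying on it alone.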
3) DanaBot is Back with Menacing New Upgrades
The threat actors behind DanaBot, the modular banking trojan that steals account credentials and information from online banking websites, have updated the malware with new features that enable it to harvest email addresses and send spam from victims’ mailboxes.
DanaBot now has a much broader scope than a typical banking trojan, with its operators regularly adding features, testing new distribution vectors and possibly cooperating with other cybercriminal gangs.
The latest variant achieves this by injecting JavaScript into the pages of specific web-based email services. The activity has recently been observed in Europe, notably in Italy, Germany and Austria.
Prevention and Remediation:
- Secure and restrict remote access services such as RDP.
- Block the known indicators of compromise (IoCs) to prevent activity targeting internal users and machines.
- Keep systems, networks, servers and gateways patched and up to date.
- Use multi-factor authentication so that stolen credentials alone do not grant a threat actor access.
- Do not let regular users hold admin privileges on their endpoint machines.
- Proactively monitor the network for suspicious activity such as C2 communication, data exfiltration and lateral movement.
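The monitoring bullet above and the SMB propagation described for Shamoon in section 1 come down to the same detection: one account or host suddenly touching administrative shares on many machines in a short time. As an added example that is not Help AG’s code, the Python below runs a sliding-window fan-out check over a constructed, simplified extract of share-access events. The CSV field layout (loosely modelled on Windows security event 5145), the hostnames, the account names and the thresholds are all assumptions of the example and would need adapting to a real SIEM’s schema.

```python
"""Admin-share fan-out detector (added example, not a vendor's detection content).

Flags a source (account@host) that reaches hidden administrative shares on many
distinct destinations within a short window, the pattern SMB-spreading wipers and
worms produce. The log extract is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed extract. Fields (an assumption of this example):
# timestamp,event_id,source_host,account,destination_host,share
SAMPLE_LOG = """\
2018-12-10T09:00:01,5145,WS-03,CORP\\jdoe,FS-01,Projects
2018-12-10T09:00:05,5145,WS-17,CORP\\svc_backup,FS-01,ADMIN$
2018-12-10T09:00:09,5145,WS-17,CORP\\svc_backup,FS-02,ADMIN$
2018-12-10T09:00:14,5145,WS-17,CORP\\svc_backup,FS-03,C$
2018-12-10T09:00:20,5145,WS-17,CORP\\svc_backup,FS-04,ADMIN$
2018-12-10T09:00:27,5145,WS-17,CORP\\svc_backup,FS-05,ADMIN$
2018-12-10T09:00:31,5145,WS-17,CORP\\svc_backup,WS-22,ADMIN$
2018-12-10T09:00:40,5145,WS-03,CORP\\jdoe,FS-01,IPC$
2018-12-10T09:15:00,5145,WS-03,CORP\\jdoe,FS-02,ADMIN$
2018-12-10T11:00:00,5145,WS-03,CORP\\jdoe,FS-03,ADMIN$
"""


def is_admin_share(share: str) -> bool:
    """Hidden administrative shares (ADMIN$, C$, D$, ...) are what SMB-spreading
    malware writes to; IPC$ is excluded because ordinary logons touch it constantly."""
    return share.endswith("$") and share.upper() != "IPC$"


def parse_lines(text: str):
    """Turn the CSV extract into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src_host, account, dst_host, share = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "src": f"{account}@{src_host}",
            "dst": dst_host,
            "share": share,
        })
    return events


def detect_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Return (source, window_start, sorted destinations) for every source that
    reaches admin shares on at least `threshold` distinct hosts inside `window`."""
    per_src = defaultdict(list)
    for e in events:
        if e["event_id"] == "5145" and is_admin_share(e["share"]):
            per_src[e["src"]].append(e)
    alerts = []
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window's left edge forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            dsts = {e["dst"] for e in evs[start:end + 1]}
            if len(dsts) >= threshold:
                alerts.append((src, evs[start]["ts"], sorted(dsts)))
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, when, dsts in detect_fanout(parse_lines(SAMPLE_LOG)):
        print(f"ALERT {when.isoformat()} {src} -> admin shares on {len(dsts)} hosts: {', '.join(dsts)}")
```

Tune the threshold against your own baseline before alerting: backup agents, patch deployment and vulnerability scanners produce the same fan-out pattern legitimately, so whitelist those service accounts explicitly rather than raising the threshold until the real events disappear.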
As always, at Help AG we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.
Ben Abraham, CSOC Lead at Help AG