Top Middle East Cyber Threats – 16 Dec 2020


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Critical Zero-Day Vulnerability in VMware Workspace ONE – CVE-2020-4006 – Update

VMware initially published workarounds to address the recently disclosed critical zero-day vulnerability tracked as CVE-2020-4006, but now VMware has finally released security updates to fix this vulnerability.

Affected Versions
VMware Workspace One Access 20.10 (Linux)
VMware Workspace One Access 20.01 (Linux)
VMware Identity Manager 3.3.1 up to 3.3.3 (Linux)
VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)

The Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory notifying its customers of the importance of incorporating the security updates published by VMware.

RECOMMENDATIONS

  • Review the official notification (VMSA-2020-0027.2) and deploy necessary updates as soon as possible.
  • Review the ‘Fixed Version’ column of the ‘Response Matrix’ in the official notification from VMware.
  • Download and deploy security updates from the official resources by VMware.

Microsoft Security Updates – December 2020

Microsoft patched 58 security flaws in Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere as part of its December 2020 updates on December 8. The official notification from Microsoft noted 9 critical, 46 important and 3 moderate severity vulnerabilities.

The Microsoft Exchange Remote Code Execution Vulnerability tracked as CVE-2020-17132 was one of the most serious vulnerabilities in this month's set. According to the official note, an attacker needs to be authenticated to exploit this vulnerability. This means that an attacker who takes over a single mailbox can take over the whole Exchange Server.

In the pool of patched vulnerabilities this month, the Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-17121) is also critically important. This vulnerability could permit an authenticated user to run arbitrary .NET code in the context of the SharePoint Web Application service account on the affected server. In the default configuration, authenticated SharePoint users can build sites that include all the permissions required as prerequisites for launching an attack. Similar issues that were resolved earlier this year have received quite a bit of coverage, and Help AG suspects this one might attract the same attention. It is already known that malware authors closely follow Microsoft's monthly security updates, identify vulnerabilities that have a significant impact, and try to weaponize them for future attacks.

Another patch rectifies CVE-2020-17095 (Hyper-V Remote Code Execution Vulnerability), which could allow an attacker to escalate privileges from code execution on a Hyper-V guest to code execution on a Hyper-V host by transferring invalid vSMB packet data. It is evident from the official notification that no special permissions are required on the guest OS to exploit this vulnerability. Also, with a CVSS score of 8.5, this vulnerability has the highest score in the current release.

The patch for the Kerberos Security Feature Bypass Vulnerability, CVE-2020-16996, corrects a Kerberos Security Feature Bypass (SFB) bug. At this point, Microsoft has kept the details of this patch limited due to its sensitivity, and only the CVSS score is provided. Microsoft has released instructions in a new KB article on handling the implementation of RBCD/Protected User modifications that are likely to help defend against RBCD attacks.

The complete list of critical vulnerabilities for comparison is highlighted below:

| CVE | Vulnerability Details | Severity |
|---|---|---|
| CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
| CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability | Critical |
| CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical |
| CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical |
| CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability | Critical |
| CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |

Of the remaining Critical-rated updates in the December 8 release, interestingly only one affects the browser. As per the official notification, this patch corrects a bug within the JIT compiler. One more patch is included for SharePoint, followed by some additional patches for Exchange. There are two Important-rated Exchange patches that are reported to be similar to the Critical-rated ones. Outlook, PowerPoint and Excel are affected by 10 Office bugs rated as Important severity. A patch for a Windows Overlay Filter security feature bypass (SFB) is included alongside one for a Windows lock screen SFB, probably the most interesting one this month. An attacker with physical access could bypass the lock screen of someone who signed in and locked the session.

Thankfully, Microsoft’s December 2020 bulletin brings a substantially lower load of vulnerabilities compared to the prior months, with no vulnerabilities currently known to be exploited in the wild. On December 8, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory highlighting the importance of applying the December 2020 patches as early as possible.

RECOMMENDATIONS

Supply Chain Attack on SolarWinds Orion

FireEye recently uncovered a global intrusion campaign and is tracking the threat actors behind it as UNC2452. This is a supply chain attack that trojanizes updates to the SolarWinds Orion business software, in builds from version 2019.4 HF 5 to 2020.2.1, to spread malware dubbed SUNBURST. An Emergency Directive from the Department of Homeland Security (DHS) notified multiple US companies and government institutions to comply with the guidelines.

The attacker's post-compromise activity leverages various techniques to evade detection and conceal their activity, but these attempts still offer some detection opportunities. The FireEye report confirms that lateral movement and data theft followed this supply chain compromise. The tactics the threat actors may use to retain persistence in the environment can be illustrated using the MITRE ATT&CK framework. Earlier this week, SolarWinds issued an advisory describing the impact, with recommendations to minimize the risk.

SolarWinds.Orion.Core.BusinessLayer.dll is a component of the Orion software framework, digitally signed by SolarWinds, that includes a backdoor which communicates with third-party servers over HTTP. The malware masks its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results in genuine plugin configuration files, which allows it to blend in with legitimate SolarWinds activity. The backdoor uses numerous obfuscated blocklists to identify forensic and anti-virus tools running as processes, utilities, and drivers.

Microsoft named the malware Solorigate and added detection rules for it to Defender Antivirus. The actors associated with this campaign gained access to numerous public and private organizations around the world. As immediate mitigation measures, please review the recommendations from Help AG below, which can be deployed as first steps to address the risk of trojanized SolarWinds software in an environment.

RECOMMENDATIONS

  • Upgrade the Orion Platform to version 2020.2.1 HF 1 as soon as possible to ensure the protection of your environment.
  • Review the official guidelines where organizations are unable to immediately update the SolarWinds environment.
  • For infected environments, ensure that the SolarWinds servers are disconnected or contained until further analysis and investigation are carried out. This should include limiting all Internet egress from SolarWinds-operated servers.
  • Limit the scope of accounts that have local administrator privileges on SolarWinds servers.
  • Limit connectivity from SolarWinds servers to endpoints, particularly ones that would be considered Tier-0 or Crown Jewel Assets.
  • Consider changing passwords for accounts that have access to SolarWinds servers or infrastructure.
  • Block Internet egress from servers or other endpoints using SolarWinds software.
  • For managed networking infrastructure, as a proactive measure, consider performing a review of network device configurations for unexpected or unauthorized modifications.
  • Take the appropriate measures to remediate kerberoasting.
  • Block the list of indicators of compromise within respective security controls organization wide.
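
A version triage for the affected range and recommended upgrade given above, as an added example that is not SolarWinds' or Help AG's code: it sorts an Orion inventory by whether each reported version falls inside 2019.4 HF 5 to 2020.2.1. The host names and inventory format are constructed, and treating the range as contiguous is an assumption.

```python
import re

# Affected range as stated in this advisory (assumed contiguous); the release
# it recommends, 2020.2.1 HF 1, is the first version above AFFECTED_TO.
# Confirm against the vendor's advisory before acting on a result.
AFFECTED_FROM = "2019.4 HF 5"
AFFECTED_TO = "2020.2.1"

_VERSION = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)

def parse_version(text):
    """Return ((year, minor, patch), hotfix) for strings like '2020.2.1 HF 1'."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))        # '2019.4' -> (2019, 4, 0)
    return tuple(parts), int(m.group(2) or 0)

def classify(text):
    """'older' (below the range), 'affected', 'newer' (2020.2.1 HF 1 or later)."""
    try:
        v = parse_version(text)
    except ValueError:
        return "unknown"                   # needs a manual look, never assume safe
    if v < parse_version(AFFECTED_FROM):
        return "older"
    if v <= parse_version(AFFECTED_TO):
        return "affected"
    return "newer"

def triage(inventory):
    """Map each status to the sorted list of hosts reporting it."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed inventory: hypothetical host names, not data from the advisory.
SAMPLE_INVENTORY = {
    "orion-dc1": "2019.4 HF 5",
    "orion-dc2": "2020.2 HF 1",
    "orion-lab": "2020.2.1",
    "orion-dr": "2020.2.1 HF 1",
    "orion-old": "2019.2 HF 3",
    "orion-misc": "Orion Platform",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "unknown" carry a version string the parser could not read and should be checked by hand rather than treated as unaffected.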

AridViper Bags a New Information-Stealing Trojan PyMICROPSIA

Researchers from Palo Alto Unit42 have closely tracked the threat group AridViper, which targets the Middle Eastern region. Unit42 researchers recently published a comprehensive report describing a new information-stealing Trojan called PyMICROPSIA that is linked to the MICROPSIA malware family. The report indicates that the actor maintains a very active development profile, creating new implants that attempt to bypass the defenses of their targets. During the analysis of PyMICROPSIA's capabilities, researchers identified two additional samples hosted in the attacker’s infrastructure that were downloaded and used by PyMICROPSIA during its deployment.

The report includes some key findings that allowed researchers to attribute PyMICROPSIA to prior AridViper behavior. PyMICROPSIA is a Python-built information-stealing Trojan turned into a Windows executable using PyInstaller. It implements its primary functionality by running a loop in which it initializes various threads and regularly calls multiple tasks in order to collect data and communicate with the C2 operator. To accomplish its purposes, the actor uses many interesting Python libraries, including both built-in Python libraries and special packages. During its C2 interactions, PyMICROPSIA downloads two additional samples that are dropped and executed on the victim’s device, providing additional functionality. These payloads are not based on Python or PyInstaller. Instead of natively implementing the keylogging feature, PyMICROPSIA downloads a specific payload.

AridViper is an aggressive threat group that aims to create new tools as a part of its arsenal. PyMICROPSIA demonstrates many overlaps with other current AridViper tools, like MICROPSIA. Based on various aspects of PyMICROPSIA that Unit42 analyzed, several parts of the malware are still not used, suggesting that it is possibly a malware family under active development by the actor.

RECOMMENDATIONS

  • Apply missing security patches immediately and institutionalize security patching as part of a periodic process.
  • Apply the Principle of Least Privilege wherever applicable to all systems and services.
  • Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
  • Restrict users' permissions to install and run unauthorized software applications. Do not add users to the local administrators group unless necessary.
  • Do not open suspicious emails or click on unknown links or attachments. The easiest way to check a link is to hover over it with your mouse.
  • Make sure to check the file extensions of the files you download. Document files do not use the .EXE or .LNK file extensions.
  • Enable a personal firewall, designed to reject unsolicited connection requests, on department workstations.
  • Use portable media (for example, USB thumb drives, external drives, CDs) with caution.
  • Block the list of indicators of compromise within respective security controls organization wide.
