Top Middle East Cyber Threats – 16 June 2020
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Microsoft Security Updates – June 2020
Microsoft patched 129 vulnerabilities as part of its June updates this Tuesday. This is the first time the technology giant has fixed such a high number of CVEs in a single month. Among the 129 security updates, 11 address critical remote code execution vulnerabilities in Windows, SharePoint Server, Windows Shell, VBScript and other products.
Most concerning within the group is a trio of vulnerabilities in the Windows file-sharing technology (CVE-2020-1206, CVE-2020-1284 and CVE-2020-1301). On March 11, 2020, Help AG released a security advisory on patching CVE-2020-0796, a “wormable” remote code execution flaw in SMBv3. Recently, CISA issued a security advisory highlighting that unpatched Microsoft systems vulnerable to CVE-2020-0796 are being widely targeted by threat actors. Unlike this month's critical SMB bugs, CVE-2020-0796 does not require the attacker to be authenticated to the target's network.
- Review the June 2020 Release Notes and Deployment Information for more details and apply the necessary patches as soon as possible.
- Refer to the security advisory shared by CISA (US-CERT) in the reference section and apply the necessary patches wherever applicable.
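As an added example (not code from Help AG's post or its March advisory), the PowerShell audit below lets a defender check a single Windows host for remaining exposure to CVE-2020-0796: it reads the OS build, checks whether the cumulative update is installed (the KB number is a placeholder to fill in from Microsoft's release notes), and checks whether Microsoft's interim registry workaround of disabling SMBv3 compression (advisory ADV200005, not cited in this post) is in place. The affected 1903/1909 builds and the DisableCompression value are taken from Microsoft's guidance and are assumptions on this page.

```powershell
# Added example, not Help AG's code: audit this host for CVE-2020-0796 (SMBv3) exposure.
# Assumes an elevated PowerShell session on the host being checked.

$KbForThisBuild = 'KB-PLACEHOLDER'   # replace with the cumulative-update KB from Microsoft's release notes
$AffectedBuilds = 18362, 18363       # Windows 10 / Server versions 1903 and 1909 (builds with SMBv3 compression)
$LanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbGhostExposure {
    # OS build number of this host
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $affected = $AffectedBuilds -contains $build

    # Microsoft's workaround (ADV200005): DisableCompression = 1 turns off the vulnerable SMBv3 compression path
    $disable = (Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $workaroundApplied = ($disable -eq 1)

    # Cumulative update present? Get-HotFix returns nothing if the KB is not installed.
    $patched = [bool](Get-HotFix -Id $KbForThisBuild -ErrorAction SilentlyContinue)

    # A stopped SMB server (LanmanServer) is not reachable over the network, so it is not exposed
    $smbServerRunning = (Get-Service -Name LanmanServer).Status -eq 'Running'

    # Exposed only when all conditions line up: affected build, SMB server up, no patch and no workaround
    $exposed = $affected -and $smbServerRunning -and -not $patched -and -not $workaroundApplied

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Build             = $build
        AffectedBuild     = $affected
        SmbServerRunning  = $smbServerRunning
        PatchInstalled    = $patched
        WorkaroundApplied = $workaroundApplied
        Exposed           = $exposed
    }
}

Get-SmbGhostExposure | Format-List
```

Run it under Invoke-Command against a list of servers to turn the per-host object into an inventory of which machines still need the June or March patch.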
GuLoader – Malware now delivered via the cloud
The network dropper known as GuLoader is very active this year and is being used together with cloud services such as Google Drive or OneDrive to deliver malware. One of the fastest growing trends in 2020 is the delivery of malware through cloud drives. GuLoader has gained popularity since it was first detected in December 2019 and was soon actively used by multiple threat actors. There is a new service behind GuLoader which aims to replace traditional packers and crypters.
Manual analysis of the GuLoader samples indicated that the payload was embedded in the sample itself. Such samples appear to be related to DarkEyE Protector.
DarkEyE can be used as a crypter with various malware, such as stealers, keyloggers and RATs (remote access trojans), making them completely undetectable to antivirus. Evidently this software was developed to protect malware from discovery by various antivirus engines.
A company that sells a product called CloudEyE and presents itself as legitimate is connected to DarkEyE. The official website describes CloudEyE as software designed to defend Windows applications against cracking, tampering, debugging, disassembling and dumping. According to the report, users of CloudEyE blatantly used the name “Coronavirus” to deceive and mislead victims, exploiting fear and the desire for pandemic information to infect people with malware.
Even though it looks legitimate, the services provided by CloudEyE have been a unifying factor in several attacks over the past year. Several CloudEyE customers are threat actors who leverage publicly available malware or leaked hacking tools to steal victims' passwords, credentials and private information and to gain control of the victim's environment.
- Block the indicators of compromise, identified during different stages of analysis.
- Update operating systems and applications with the latest patches.
- Antivirus administrators should periodically check that antivirus engines are updated with the latest signatures.
Iranian Chafer APT targets Kuwait and Saudi Arabia
Researchers have uncovered new campaigns from the APT group known as Chafer (also known as APT39 or Remix Kitten). Several air transport and government victims were hit by attacks aimed at data exfiltration. The Chafer APT has been active since 2014 and has previously conducted cyber espionage campaigns against critical infrastructure in the Middle East. A FireEye report last year highlighted Chafer’s increasing emphasis on the telecommunications and travel industries.
The campaigns used a wide array of custom-built tools and “living off the land” tactics. Living off the land means abusing tools and features that already exist in the target environment, which helps attackers achieve persistence without introducing new binaries.
Victims of the campaigns examined in the latest study fall within this actor’s preferred targets, namely the Middle East aviation and government sectors. Although the modus operandi behind the attacks on firms in Kuwait and Saudi Arabia shared “some common patterns”, researchers observed that the attacks on Kuwaiti victims were more sophisticated, as the attackers were able to move laterally across the network. On the other hand, the attack on a Saudi Arabian organization relied on social engineering to trick the victim into running a remote administration tool (RAT), some of whose components share similarities with those used against Kuwait and Turkey.
Looking at the pattern of these latest Middle East attacks, experts stressed that critical infrastructure such as government and air transport remains a very sensitive target.
- Block the indicators of compromise (attached) identified during different stages of analysis.
- Update operating systems and applications with the latest patches. Most attacks are aimed at obsolete software and operating systems.
- Help AG recommends that users never click on links in unsolicited emails or open their attachments.
- Follow safe practices when browsing the Internet.