TOP MIDDLE EAST CYBER THREATS- 19 JULY 2018

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top three cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

1) The Big Bang Theory

Security researchers have found that organizations across the Middle East, specifically in Palestine, are being targeted by a cyber espionage Advanced Persistent Threat (APT) group in a new campaign named after the popular TV comedy series “The Big Bang Theory”. According to Check Point, who discovered the new campaign, traces of the campaign indicate some resemblance to attacks launched by the Gaza APT group, previously found targeting Middle Eastern victims, using the Micropsia malware. The main target of this campaign appears to be the Palestinian Authority, the governing body of the emerging Palestinian autonomous regions of the West Bank and Gaza Strip.
Attack Description:
The infection chain begins with a phishing email carrying a malicious document disguised as coming from the Palestinian Political and National Guidance Committee. The attachment is an executable, actually a self-extracting archive, containing a decoy document and the malware itself. To give the file a legitimate look, the developers assign it a Word icon and a file name familiar to the victim.
When this file is double clicked, it opens a Word document with the logo of the Palestinian Political and National Guidance Commission. This document appears to be a press report and contains news headlines that are copied from various Palestinian news websites.
While the victim is distracted by the legitimate-looking Word document, an additional executable archived alongside the decoy document is installed in the background. This malware can take screenshots of the infected system and send them to the C&C server, and can also steal documents, PDFs, PPTs, Excel files and more. It can also extract system logging details, reboot systems and self-destruct.
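The disguise described above (a self-extracting executable with a Word icon and a document-like name) is something a mail gateway can check for by comparing the attachment's real container type, read from its leading bytes, with the type its name claims. The following is an added example and is not Help AG's or Check Point's code; the attachment names and byte strings are constructed for illustration, and the verdict rules are an assumed policy.

```python
"""Mail-gateway attachment check: does the content type (magic bytes) agree with
the document-like name? Added example with constructed sample attachments."""
from dataclasses import dataclass
from typing import Dict, List

# Well-known leading bytes ("magic") that identify the real container type.
PE_MAGIC = b"MZ"                                  # Windows executable, incl. SFX stubs
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / .xls / .ppt
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx, .xlsx, .pptx) is a ZIP

DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


@dataclass
class Attachment:
    name: str
    content: bytes


def content_kind(data: bytes) -> str:
    """Classify by magic bytes rather than by the name the sender chose."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def extensions(name: str) -> List[str]:
    """Every dotted suffix, lower-cased: 'press_report.doc.exe' -> ['.doc', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def verdict(att: Attachment) -> str:
    """Return 'block', 'review' or 'allow' (assumed policy).

    block  - executable bytes behind a document extension, or an executable
             extension stacked on a document one (the icon/name disguise)
    review - any other executable attachment; an analyst decides
    allow  - everything else (still subject to normal AV / sandbox scanning)
    """
    kind = content_kind(att.content)
    exts = extensions(att.name)
    last = exts[-1] if exts else ""
    inner = exts[:-1]
    if kind == "pe" and last in DOCUMENT_EXTENSIONS:
        return "block"
    if kind == "pe" and last in EXECUTABLE_EXTENSIONS and any(e in DOCUMENT_EXTENSIONS for e in inner):
        return "block"
    if kind == "pe":
        return "review"
    return "allow"


def scan_attachments(attachments: List[Attachment]) -> Dict[str, str]:
    """Map each attachment name to its verdict."""
    return {a.name: verdict(a) for a in attachments}


# Constructed sample attachments (not real samples from the campaign).
SAMPLE_ATTACHMENTS = [
    Attachment("press_report.doc.exe", b"MZ\x90\x00" + b"\x00" * 60),   # SFX with double extension
    Attachment("press_report.docx", b"MZ\x90\x00" + b"\x00" * 60),      # PE bytes, document name
    Attachment("tool_installer.exe", b"MZ\x90\x00" + b"\x00" * 60),     # plain executable
    Attachment("agenda.docx", b"PK\x03\x04\x14\x00" + b"\x00" * 60),    # genuine OOXML document
]

if __name__ == "__main__":
    for name, v in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{v:6}  {name}")
```

The check deliberately ignores the icon, which lives inside the executable's resources and is cheap for an attacker to change; the magic bytes and the stacked extensions are what the gateway can trust. A legacy `.doc` that really starts with the OLE signature passes through to normal AV and sandbox scanning.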
As per researchers, the naming convention and content of the file indicates the attackers’ familiarity with the nature of the victim. Some of the malware’s modules have been named after popular characters of the Big Bang Theory TV show:

  • Penny – Takes a screenshot of the infected machine and sends it to the C&C server
  • Wolowitz_Helberg – Enumerates running processes, saving their names and their IDs
  • Koothrappali – Logs details about the system and sends them to the server
  • Hofstadter – Terminates a process by name
  • Parsons_Sheldon – Deletes the payload from the startup folder and deletes the actual file

Recommendation:

  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Educate users on social engineering, phishing and spear phishing techniques. Unexpected emails should not be opened but rather reported to IT security.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Disable unnecessary services on agency workstations and servers.
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media such as USB drives, external drives, and CDs.
  • Scan all software downloaded from the internet prior to execution.
  • Ensure endpoint AV is being properly updated, and check that it has signatures for all the known bad hashes.
  • Ensure proper controls are in place to scan inbound emails such as usage of sandbox technology.
  • Keep operating system patches up-to-date.

2) PLAINTEE to Worry About

In recent weeks, we have also become aware of a new cyber espionage campaign that mainly uses two malware families: DDKONG and PLAINTEE.
Attack Description:
Attackers are using spear phishing messages and decoy documents whose content is taken from public news articles on current events. The malware is delivered in three ways:

  • Delivery via Microsoft Office Excel file with an embedded macro to launch malware.
  • Delivery via an HTML application file.
  • Delivery via DLL loaders.

Recommendations:

  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Update the antivirus/endpoint protection solution and ensure operating system patches are up to date.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known. Scan for and remove suspicious email attachments via a mail gateway solution.
  • Change the default handler for “.hta” files so that they cannot be directly executed.
  • Inform users to avoid the following domains:
    • microsoft[.]authorizeddns[.]us
    • goole[.]authorizeddns[.]us
    • www[.]microsoft.https443[.]org
    • ftp[.]chinhphu.ddns[.]ms
    • www[.]google_ssl.onmypc[.]org
    • msdns[.]otzo[.]com
    • www[.]facebook-apps[.]com
    • dlj40s[.]jdanief[.]xyz
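Telling users to avoid these domains is only half the control; the same defanged list can be matched against DNS resolver logs so that any host that does look them up is found. The following is an added example and is not Help AG's code: the log line format (`<timestamp> <client_ip> <qtype> <qname>`) and the sample lines are constructed, and only the indicators copied from the list above are real.

```python
"""Match DNS query logs against the advisory's defanged domain list.
Added example; log format and sample lines are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Indicators exactly as listed in the advisory (defanged with "[.]").
IOC_DOMAINS_DEFANGED = [
    "microsoft[.]authorizeddns[.]us",
    "goole[.]authorizeddns[.]us",
    "www[.]microsoft.https443[.]org",
    "ftp[.]chinhphu.ddns[.]ms",
    "www[.]google_ssl.onmypc[.]org",
    "msdns[.]otzo[.]com",
    "www[.]facebook-apps[.]com",
    "dlj40s[.]jdanief[.]xyz",
]


def refang(domain: str) -> str:
    """Turn 'a[.]b[.]c' into 'a.b.c' so it can be compared with live query names."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def match_ioc(qname: str) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Suffix matching is done on label boundaries, so 'notmsdns.otzo.com' does not
    match 'msdns.otzo.com' but 'cdn.msdns.otzo.com' does.
    """
    q = qname.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def find_hits(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Parse constructed log lines '<timestamp> <client_ip> <qtype> <qname>' and
    return (timestamp, client_ip, qname, matched_ioc) for each hit."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, _qtype, qname = parts
        ioc = match_ioc(qname)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits


def clients_by_indicator(hits: List[Tuple[str, str, str, str]]) -> Dict[str, Set[str]]:
    """Group the querying clients under each indicator for triage."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for _ts, client, _qname, ioc in hits:
        out[ioc].add(client)
    return dict(out)


# Constructed resolver log; a trailing dot and a look-alike name are included on purpose.
SAMPLE_LOG = """\
2018-07-19T09:58:01 10.20.4.15 A www.microsoft.com
2018-07-19T09:58:07 10.20.4.15 A www.microsoft.https443.org
2018-07-19T09:58:09 10.20.4.15 A update.msdns.otzo.com
2018-07-19T09:59:12 10.20.7.3 A notmsdns.otzo.com
2018-07-19T09:59:40 10.20.7.3 AAAA goole.authorizeddns.us.
2018-07-19T10:00:02 10.20.9.8 A www.facebook.com
"""

if __name__ == "__main__":
    for ts, client, qname, ioc in find_hits(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} queried {qname} (matches {ioc})")
```

The list is matched literally, as the advisory gives it. Several entries sit under dynamic-DNS zones (`authorizeddns[.]us`, `ddns[.]ms`, `onmypc[.]org`, `otzo[.]com`); whether to alert on the whole parent zone as well is a tuning decision for the analyst, since those zones also carry unrelated traffic.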

3) Hide ‘N Seek Botnet Emerges

IoT devices across the world, particularly IP cameras, are being targeted by a new botnet. Dubbed Hide ‘N Seek (HNS), the botnet was discovered by Bitdefender and first appeared on January 10th, died off for a few days, and came back stronger by January 20th.
HNS doesn’t use C&C servers, implementing a peer-to-peer network instead. According to security researchers, each bot contains a list of IPs of other infected bots which can be updated as the botnet grows and bots are lost or gained. The HNS botnet borrows code from Mirai botnet and can execute several types of commands, such as data exfiltration, code execution and interference with a device’s operation. Since its launch, the botnet has grown from an initial list of 12 compromised devices to over 14,000 bots spreading all the way from Asia to the United States.
Researchers have noted that like most IoT botnets, HNS cannot establish persistence on infected devices. With a simple device reboot, the malware can be automatically removed from the compromised device.
Attack Description:
The bot features a worm-like spreading mechanism that randomly generates a list of IP addresses to get potential targets. It then initiates a raw socket SYN connection to each host in the list and continues communication with those that answer the request on specific destination ports (23, 2323, 80, 8080, 2480, 5984). Once the connection has been established, the bot looks for a specific banner (“buildroot login:”) presented by the victim. If it gets this login banner, it attempts to log in with a set of predefined credentials. If that fails, the botnet attempts a dictionary attack using a hardcoded list.
Once a session is established with a new victim, the sample runs through a “state machine” to identify the target device and select the most suitable compromise method. For example, if the victim is on the same LAN as the bot, the bot sets up a TFTP server so the victim can download the sample from the bot. If instead the victim is only reachable via the internet, the bot attempts a specific remote payload delivery method to get the victim to download and run the malware sample. These exploitation techniques are preconfigured and held in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts. Once a device is infected, the malware can take control of it and issue commands at will.
The Hide ‘N Seek botnet:

  • Exploits the CVE-2016-10401 flaw, and other vulnerabilities, to propagate malicious code and steal user data
  • Scans the Internet for the fixed TCP ports 80/8080/2480/5984/23 and other random ports
  • Targets cross-platform database solutions, and is currently the first IoT malware that implements a persistence mechanism to keep devices infected after reboots
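The spreading behaviour described above has a recognisable network signature: one source sends SYN probes to many unrelated hosts on the fixed port set 23, 2323, 80, 8080, 2480 and 5984. The following is an added example that is not Help AG's or Bitdefender's code; it runs a sliding-window sweep detector over constructed flow records in an assumed `<timestamp> <src_ip> <dst_ip> <dst_port> <tcp_flags>` format, and the window and threshold are assumed tuning values.

```python
"""Flow-based detection of HNS-style port sweeps (many distinct targets on the
HNS port set from one source within a short window). Added example; the flow
record format, the sample records and the thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Ports the advisory lists as the bot's destination ports.
HNS_PORTS = {23, 2323, 80, 8080, 2480, 5984}
WINDOW = timedelta(minutes=5)        # assumed: how long a sweep is allowed to take
MIN_DISTINCT_TARGETS = 8             # assumed: distinct destination hosts before alerting


def parse_flow(line: str) -> Tuple[datetime, str, str, int, str]:
    """'<timestamp> <src_ip> <dst_ip> <dst_port> <tcp_flags>' -> typed tuple."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_sweeps(lines: List[str], window: timedelta = WINDOW,
                  threshold: int = MIN_DISTINCT_TARGETS) -> List[Tuple[str, int, List[int]]]:
    """Return (src_ip, distinct_targets, ports_hit) for each source whose SYN-only
    flows to HNS ports reach `threshold` distinct destinations inside `window`."""
    by_src: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, flags = parse_flow(line)
        # "S" = SYN only; a completed handshake ("SA") is not a probe.
        if flags == "S" and dport in HNS_PORTS:
            by_src[src].append((ts, dst, dport))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        best_targets: set = set()
        best_ports: set = set()
        start = 0
        # Slide a time window over the source's probes and keep the densest one.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            targets = {dst for _, dst, _ in span}
            if len(targets) > len(best_targets):
                best_targets = targets
                best_ports = {p for _, _, p in span}
        if len(best_targets) >= threshold:
            alerts.append((src, len(best_targets), sorted(best_ports)))
    return alerts


# Constructed flow records: one sweeping source, one ordinary client.
SAMPLE_FLOWS = """\
2018-07-19T10:00:01 203.0.113.7 198.51.100.11 23 S
2018-07-19T10:00:01 203.0.113.7 198.51.100.12 2323 S
2018-07-19T10:00:02 203.0.113.7 198.51.100.13 80 S
2018-07-19T10:00:02 203.0.113.7 198.51.100.14 8080 S
2018-07-19T10:00:03 203.0.113.7 198.51.100.15 2480 S
2018-07-19T10:00:03 203.0.113.7 198.51.100.16 5984 S
2018-07-19T10:00:04 203.0.113.7 198.51.100.17 23 S
2018-07-19T10:00:04 203.0.113.7 198.51.100.18 23 S
2018-07-19T10:00:05 203.0.113.7 198.51.100.19 80 S
2018-07-19T10:00:05 203.0.113.7 198.51.100.20 23 S
2018-07-19T10:00:06 10.0.0.5 10.0.0.80 80 S
2018-07-19T10:00:06 10.0.0.5 10.0.0.80 80 SA
2018-07-19T10:00:07 10.0.0.5 10.0.0.81 443 S
2018-07-19T10:00:07 10.0.0.5 10.0.0.82 23 S
"""

if __name__ == "__main__":
    for src, n, ports in detect_sweeps(SAMPLE_FLOWS.splitlines()):
        print(f"possible HNS sweep from {src}: {n} targets on ports {ports}")
```

Counting distinct destinations rather than raw packet volume is what separates a sweep from a busy but legitimate client, and restricting the count to SYN-only flows on the HNS port set keeps ordinary web traffic (port 443 here) out of the tally. On a network where vulnerability scanners are expected, their source addresses should be allow-listed before this fires. The same flow data also shows the other side of the description: a camera that suddenly starts sending SYNs to many external hosts on these ports is an infected bot, not a victim.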

The Hide ‘N Seek (HNS) botnet targets the following types of devices using its exploits:

  • TPLink-Routers RCE
  • Netgear RCE
  • AVTECH RCE
  • CISCO Linksys Router RCE
  • JAW/1.0 RCE
  • OrientDB RCE
  • CouchDB RCE

Recommendations:

  • Keep operating systems and software up-to-date with the latest patches, ensuring only authorized software and firmware updates are applied.
  • Default passwords of devices should be replaced with strong passwords, which makes it more difficult for botnets to access the devices.
  • Restrict remote access to the IoT Devices, and if this is absolutely necessary, implement strong device authentication.
  • Enforce strong authentication for administrative users and services.
  • Monitor network performance and activity, so that irregular network behavior is apparent.
  • Ensure endpoint AV is being properly updated, and check that it has signatures for all the known bad hashes.
  • Educate users on social engineering, and phishing and spear phishing techniques. Unexpected emails should not be opened but rather reported to IT security.
  • Ensure proper controls are in place to scan inbound emails such as usage of sandbox technology.
  • Maintain up-to-date antivirus/anti-bot software, and scan all software downloaded from the internet before executing.

As always, at Help AG, we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.
Blog By:
Shaikh Azhar, Cyber Security Analyst at Help AG
