Top Middle East Cyber Threats – 19 May 2020
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Microsoft Security Updates
Microsoft recently issued its monthly security update, disclosing vulnerabilities across many of its products and releasing the corresponding fixes. This month's update addresses 111 vulnerabilities. Sixteen of the flaws disclosed by Microsoft are rated critical. There are also 95 “important” vulnerabilities and six vulnerabilities rated low or moderate in severity.
The security updates this month also cover issues across a range of Microsoft services and software, including SharePoint, Media Foundation, and the Chakra scripting engine.
- Users and administrators should review the May 2020 Release Notes and Deployment Information for more details and apply the necessary patches as soon as possible.
- Keep SharePoint up to date by installing Cumulative Updates every month. Install security hotfixes ASAP after release.
REvil Ransomware Updates Version 2.2
The REvil ransomware-as-a-service (RaaS) operation continues to affect organizations around the globe. The threat actors responsible for developing and maintaining the malware have released an updated version of the ransomware, version 2.2.
One of the significant new features of REvil version 2.2 is the use of the Windows Restart Manager to terminate processes and services that hold locks on the files it intends to encrypt. This is a technique also used by other malware such as SamSam and LockerGoga. REvil opens the files it encrypts with no sharing allowed (dwShareMode equal to 0). As a consequence, when a sharing violation occurs because the file is already open in another process, the Restart Manager is invoked to release the file.
Because of similarities in source code and behaviour between REvil and GandCrab, it has been suggested that there may be a link between the developers of the two ransomware families. Beyond the code similarities, further evidence linking GandCrab and REvil is that GandCrab officially “retired” from the wild just before REvil emerged. REvil is actively maintained and constantly evolving, just as GandCrab was.
- Block the indicators of compromise identified during different stages of analysis.
- Update operating systems and applications with the latest patches.
- Don’t click on links in unsolicited emails, or open attachments.
- Follow safe practices when browsing the Internet.
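The Restart Manager technique described above gives defenders a cheap hunting signal: on Windows the Restart Manager API is implemented in rstrtmgr.dll, so an unexpected process mapping that library is worth a look. The following is an added example, not code from Help AG or from the REvil analysis, that scores Sysmon Event ID 7 (Image Load) records; the allowlist of expected loaders, the list of suspicious directories and the sample events are all constructed for the example and should be tuned to your environment.

```python
"""Flag unexpected loads of the Windows Restart Manager library (rstrtmgr.dll).

Added example. Ransomware such as REvil 2.2 calls the Restart Manager API to
close processes holding locks on files it wants to encrypt; that API lives in
rstrtmgr.dll, so a Sysmon Event ID 7 record showing an unexpected process
loading it is a useful detection signal. Field names follow Sysmon's Image Load
event (Image, ImageLoaded, Signed); the records below are constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Processes that routinely use the Restart Manager (installers, servicing).
# Assumption: extend this allowlist with whatever is normal in your estate.
EXPECTED_LOADERS = {
    "msiexec.exe",
    "tiworker.exe",
    "trustedinstaller.exe",
    "setup.exe",
    "dism.exe",
    "wusa.exe",
    "officeclicktorun.exe",
}

# User-writable locations; a binary running from here that touches the
# Restart Manager deserves extra weight.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")


@dataclass(frozen=True)
class ImageLoadEvent:
    """Subset of Sysmon Event ID 7 fields used by this example."""
    utc_time: str
    image: str          # the process doing the loading
    image_loaded: str   # the DLL that was mapped
    signed: str         # "true" / "false" as Sysmon reports it


def is_restart_manager_dll(path: str) -> bool:
    """Case-insensitive match on the file name, wherever the DLL sits on disk."""
    return ntpath.basename(path).lower() == "rstrtmgr.dll"


def score(event: ImageLoadEvent) -> int:
    """Return 0 for an expected load, otherwise a severity score from 1 to 3."""
    if not is_restart_manager_dll(event.image_loaded):
        return 0
    proc = ntpath.basename(event.image).lower()
    if proc in EXPECTED_LOADERS:
        return 0
    points = 1  # unknown process touched the Restart Manager
    if any(d in event.image.lower() for d in SUSPICIOUS_DIRS):
        points += 1  # running from a user-writable directory
    if event.signed.lower() != "true":
        points += 1  # unsigned binary
    return points


def find_suspicious(events: list[ImageLoadEvent]) -> list[tuple[ImageLoadEvent, int]]:
    """Return (event, score) pairs for every load that is not on the allowlist."""
    scored = [(e, score(e)) for e in events]
    return [(e, s) for e, s in scored if s > 0]


# Constructed sample: two benign loads and one that looks like ransomware staging.
SAMPLE_EVENTS = [
    ImageLoadEvent("2020-05-19 08:01:10.512", r"C:\Windows\System32\msiexec.exe",
                   r"C:\Windows\System32\RstrtMgr.dll", "true"),
    ImageLoadEvent("2020-05-19 08:02:44.003", r"C:\Windows\System32\svchost.exe",
                   r"C:\Windows\System32\kernel32.dll", "true"),
    ImageLoadEvent("2020-05-19 08:03:17.771",
                   r"C:\Users\bob\AppData\Local\Temp\update.exe",
                   r"C:\Windows\System32\RstrtMgr.dll", "false"),
]

if __name__ == "__main__":
    for event, points in find_suspicious(SAMPLE_EVENTS):
        print(f"{event.utc_time} score={points} {event.image} loaded {event.image_loaded}")
```

Legitimate installers and Windows servicing components load this DLL all the time, so the allowlist does the real work; the score only orders what is left for an analyst, and the same logic can be expressed as a SIEM rule on the Image and ImageLoaded fields.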
WebLogic Servers Under Attack Again
Earlier this year, Help AG spotted a proof of concept for a deserialization vulnerability in Oracle WebLogic Server. Oracle patched it and assigned CVE-2020-2555. Researchers, however, found that the patch could be bypassed and demonstrated the bypass. Oracle now reports that this bypass, tracked as CVE-2020-2883, is being used in active attacks.
Oracle has released a blog post warning users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. Oracle disclosed the vulnerability in its April 2020 Critical Patch Update and provided software patches; however, malicious cyber actors are now known to be targeting unpatched servers.
- Users and administrators should review the Oracle Blog and the April 2020 critical patch updates for more details and apply the necessary patches as soon as possible.
- Users and administrators should review Oracle’s advice on how to limit WebLogic Server T3 / T3S protocol traffic.
- Identify supporting detection rules to minimize the scope for abuse of this vulnerability.
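Oracle's advice on limiting T3/T3S traffic amounts to a connection filter that allows the protocol only from trusted networks and denies it from everywhere else. The following is an added example, not Oracle's code, that dry-runs such a rule set against sample connections so an administrator can check the intended effect before deploying it. It assumes the rule format accepted by weblogic.security.net.ConnectionFilterImpl (`<target> <localAddress> <localPort> <action> <protocols...>`, evaluated top-down, first match wins, no match means allow); the subnet 10.20.0.0/16 and the sample addresses are constructed, and the behaviour should be confirmed against your WebLogic version.

```python
"""Dry-run a WebLogic-style connection filter against sample connections.

Added example (not Oracle's code). Assumption: rules follow the format used by
weblogic.security.net.ConnectionFilterImpl:

    <target> <localAddress> <localPort> <action> <protocols...>

where target is an IP or CIDR, localAddress/localPort may be "*", action is
allow or deny, and rules are evaluated in order with first match winning. A
connection matched by no rule is allowed, which is why the deny-all line is
needed. Verify these semantics against your own WebLogic version.
"""
import ipaddress

# Weak configuration: no filter at all, so T3 is reachable from anywhere.
WEAK_RULES = ""

# Hardened configuration: T3/T3S only from the (constructed) admin subnet.
HARDENED_RULES = """
# allow management traffic from the internal admin network
10.20.0.0/16 * * allow t3 t3s
# everyone else is denied the T3 family; HTTP(S) is untouched
0.0.0.0/0 * * deny t3 t3s
"""

# A representative external address (RFC 5737 documentation range).
INTERNET_SAMPLE = "203.0.113.9"


def parse_rules(text):
    """Parse rule lines into dicts; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"rule needs at least five fields: {line!r}")
        target, local_addr, local_port, action, *protocols = fields
        if action not in ("allow", "deny"):
            raise ValueError(f"action must be allow or deny: {line!r}")
        rules.append({
            "network": ipaddress.ip_network(target, strict=False),  # host or CIDR
            "local_addr": local_addr,
            "local_port": local_port,
            "action": action,
            "protocols": {p.lower() for p in protocols},
        })
    return rules


def evaluate(rules, remote_ip, protocol, local_port=7001, local_addr="*"):
    """Return 'allow' or 'deny' for one connection attempt."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if addr not in rule["network"]:
            continue
        if rule["local_addr"] != "*" and rule["local_addr"] != local_addr:
            continue
        if rule["local_port"] != "*" and rule["local_port"] != str(local_port):
            continue
        if protocol.lower() not in rule["protocols"]:
            continue
        return rule["action"]
    return "allow"  # default when nothing matches


def t3_exposed(rules_text, probe_ip=INTERNET_SAMPLE):
    """True if a T3 or T3S connection from an untrusted address would be accepted."""
    rules = parse_rules(rules_text)
    return any(evaluate(rules, probe_ip, proto) == "allow" for proto in ("t3", "t3s"))


if __name__ == "__main__":
    print("weak config exposes T3:", t3_exposed(WEAK_RULES))
    print("hardened config exposes T3:", t3_exposed(HARDENED_RULES))
```

The simulation makes the ordering rule visible: swapping the two lines in HARDENED_RULES would deny the admin subnet as well, because the 0.0.0.0/0 deny would match first. Note that the filter only narrows who can reach T3; it is a stop-gap alongside the April 2020 patches, not a replacement for them.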