Top Middle East Cyber Threats – 19 September 2022
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Microsoft fixes multiple vulnerabilities including Zero-Day
Microsoft published a security update to address multiple vulnerabilities as part of its Patch Tuesday updates.
The update includes 64 security fixes, of which 5 are rated Critical, 57 Important, 1 Moderate, and 1 Low in severity. This is in addition to the 15 CVEs patched in Microsoft Edge (Chromium-based) and one patch for side-channel speculation in Arm processors, bringing the total number of CVEs to 79. The release includes two publicly disclosed zero-day vulnerabilities; one of them (CVE-2022-37969) has been actively exploited in the wild. CVE-2022-37969 is a privilege escalation flaw in the Windows Common Log File System (CLFS) Driver that could be leveraged by an attacker to gain SYSTEM privileges on an already compromised asset.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Chinese hackers use PlugX malware to target Europe, South America, and the Middle East
A new campaign aimed at infecting government officials in Europe, the Middle East, and South America with the modular malware known as PlugX has been attributed to the Chinese hacking group ‘Bronze President’.
PlugX contacts a command and control (C2) server for tasking and can download additional plug-ins that extend its capabilities beyond basic information gathering. The attack involves delivering RAR archive files containing a Windows shortcut (.LNK) file masquerading as a PDF document. When the user clicks the LNK file, PlugX is loaded, decrypted and executed. A decoy document is then dropped and the PlugX payload establishes persistence on the infected host. Intrusions were identified in June and July 2022, using documents that spoof official diplomatic notices to lure victims.
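One defender-side check for the delivery stage described above, as an added example that is not part of the original post: it inspects the files extracted from an archive and flags a Windows shortcut that presents itself as a PDF, either by a decoy extension in its name or by shortcut bytes under a .pdf name. The ShellLinkHeader constants are the documented ones from MS-SHLLINK; the file names and bytes in the sample are constructed.

```python
"""Flag Windows shortcut (.LNK) files masquerading as PDF documents.

Added example, not code from the original post: checks files extracted from
an archive (name -> bytes) for shortcuts that present themselves as PDFs.
Header constants are the documented ShellLinkHeader values (MS-SHLLINK).
"""
import uuid
from typing import Dict, Optional

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
PDF_MAGIC = b"%PDF-"


def is_shell_link(data: bytes) -> bool:
    """True if data starts with a ShellLinkHeader: size 0x4C then the LinkCLSID."""
    if len(data) < 20 or int.from_bytes(data[:4], "little") != LNK_HEADER_SIZE:
        return False
    return uuid.UUID(bytes_le=bytes(data[4:20])) == LNK_CLSID


def suspicious_reason(name: str, data: bytes) -> Optional[str]:
    """Why a file looks like a disguised shortcut, or None if nothing stands out."""
    lower = name.lower()
    if lower.endswith(".lnk") and ".pdf" in lower[:-4]:
        return "shortcut with a .pdf decoy extension in its name"
    if is_shell_link(data) and not lower.endswith(".lnk"):
        return "ShellLinkHeader found under a non-.lnk file name"
    if lower.endswith(".pdf") and not data.startswith(PDF_MAGIC):
        return "named .pdf but does not start with the PDF magic"
    return None


def scan_extracted(files: Dict[str, bytes]) -> Dict[str, str]:
    """Return {name: reason} for every suspicious entry of an extracted archive."""
    hits = {}
    for name, data in files.items():
        reason = suspicious_reason(name, data)
        if reason:
            hits[name] = reason
    return hits


# Constructed sample: a minimal header that parses as a shell link (no real target),
# and a stand-in for the contents of a decompressed lure archive.
LNK_STUB = (LNK_HEADER_SIZE.to_bytes(4, "little") + LNK_CLSID.bytes_le).ljust(LNK_HEADER_SIZE, b"\x00")
SAMPLE_ARCHIVE = {
    "Diplomatic_Notice.pdf.lnk": LNK_STUB,
    "Notice.pdf": LNK_STUB,
    "README.pdf": b"%PDF-1.7\n%constructed",
}
```

Running `scan_extracted(SAMPLE_ARCHIVE)` reports the two disguised shortcuts and leaves the genuine PDF alone; the same check can be applied to attachments at the mail gateway before a user ever sees them.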
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t enable macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
- Ensure frequent backups are in place.
- Block the IoCs within respective security controls organization wide.
- Educate employees about detecting and reporting phishing / suspicious emails.
Apple patches actively exploited Zero-Day flaw
Apple published a security update to address five security issues including vulnerabilities in its iPhone, iPad and Mac operating systems that are already being exploited.
The most notable vulnerability reported was CVE-2022-32917, rooted in the Kernel component, which could enable a malicious app to execute arbitrary code with kernel privileges and is being actively exploited. Apart from this, Apple has fixed 10 security issues in iOS 16, spanning Contacts, Kernel, Maps, MediaLibrary, Safari, and WebKit.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Iranian cyber espionage group ‘APT42’ targets Iranian opposition
An Iran-backed cyber espionage group known as APT42 is targeting individuals and organizations of particular interest to the Iranian government.
APT42 is a well-resourced APT group aligned with Iran’s Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and active since 2015. The group uses phishing and social engineering to build trust and rapport with victims, with the goal of collecting intelligence and stealing personal information and credentials.
The group sends shortened links or PDFs containing buttons that lead to credential-harvesting pages, which are also capable of intercepting MFA codes. In many cases, it deploys a custom Android malware strain able to track victims, access the device’s storage, and extract communication data.
As part of APT42’s activity, victims were targeted across at least 14 countries, including the UK, Australia, Israel and the UAE. In February 2022, the group impersonated a British news agency to target political science professors in Belgium and the UAE.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t enable macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
New stealthy malware known as Shikitega targets Linux
A new malware called Shikitega, targeting endpoints and IoT devices running Linux operating systems, has been discovered. Shikitega is delivered through a multistage infection chain in which each module is encoded with Metasploit’s “Shikata Ga Nai” polymorphic XOR additive feedback encoder; each module handles one part of the payload and then downloads and executes the next one.
The attack proceeds by downloading and executing ‘Mettle’, a Metasploit Meterpreter implementation that gives the attacker a wide range of capabilities, including webcam control, a sniffer, multiple reverse shells (TCP, HTTP and others), process control, and shell command execution. Next, a small ELF file is downloaded and executed. The attacker then exploits system vulnerabilities to gain elevated privileges and even full control of the system, after which a cryptocurrency miner is executed and set to persist. The malware also abuses legitimate cloud services to host some of its command and control (C&C) servers.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t enable macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
- Block the IoCs within respective security controls organization wide.
References:
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
- https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises
- https://support.apple.com/en-us/HT213445
- https://www.secureworks.com/blog/bronze-president-targets-government-officials
- https://www.zerodayinitiative.com/blog/2022/9/13/the-september-2022-security-update-review