Threat advisories

TOP MIDDLE EAST CYBER THREATS- 2 AUGUST 2018

Aug-2018 4 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

1) Leafminer- A Middle East Based Cyber Espionage Group

Our vendor partner Symantec has uncovered a new espionage campaign specifically targeting the Middle East. The ‘LeafMiner’ Group has been in operation since at least early 2017 and appears to be based in Iran. Information of interest to these attackers appears to be email data, files, and database servers and the most targeted sectors are Financial, Government, Petrochemical and Shipping/Transportation.
Attack Description:
Leafminer threat actors use the following intrusion techniques to infiltrate their target networks:

Watering hole websites – JavaScript code embedded on compromised websites, used to steal SMB credential hashes of visiting users
Vulnerability scans of network services on the internet – Vulnerabilities which can be exploited to gain access to systems
Brute-force/dictionary login attempts
Email phishing with malicious attachment files

After successful infiltration, the attackers use various publicly available tools/exploits for persistence, lateral movement, information gathering, and exfiltration. They have also developed custom malware that includes Backdoor.Sorgu to provide remote access to infected machines and Trojan.Imecab to set up persistent remote access accounts on target machines with a hardcoded password.
Recommendations:

Implement a complex password policy and/or use 2-factor authentication.
Discourage employees from reusing the same passwords across various accounts.
Limit the provision of admin privilege access to end-users’ machines.
Restrict users’ ability (permissions) to install and run software and applications.
Regularly update firewalls, WAF, antivirus, IDS/IPS, and proxy solutions across the network.
Use encryption for communication as well as storage of data.
Block SMB traffic to/from the internet on perimeter devices.
Scan all software downloaded from the Internet prior to executing.
Ensure proper controls are in place to scan inbound emails such as usage of sandbox technology to scan incoming emails.
Educate users regarding spear-phishing mails.
Educate users to avoid opening attachments from untrusted sources and report any suspicious emails to IT Security.
Keep operating system patches up-to-date.
Ensure all software updates are pushed from an authorized server (SCCM).

2) No Summer Holiday from Cyber Hacking Groups

The infamous Russia-linked hacking group, APT28 (AKA Fancy Bear), is suspected to be behind a new cyber-espionage campaign targeting specific organizations, including the Italian Military corp (Marina Militare) and its subcontractors. The campaign has been dubbed “Roman Holiday” by researchers from Z-Lab who discovered the attacks. These researchers have been working on the malware samples spotted in the wild and have uploaded these to VirusTotal after analysis.
Attack Description:
The attack appears to be a multi-stage campaign, where an initial dropper malware written in Delphi programming downloads a second stage payload from internet and executes it. The payload communicates with the server using HTTPS protocol, making it impossible to eavesdrop on the malicious traffic it generates. During analysis, researchers found that, the malware connects to a Command and Control (C&C) server with name “marina-info[.]net”, a clear reference to the Italian Military corp. The DLL connecting to marina-info[.]net is the last stage of the malware that is triggered only when particular conditions occur. The following four executables were used as infection vectors in the campaign:
87bffb0370c9e14ed5d01d6cc0747cb30a544a71345ea68ef235320378f582ef.exe
15486216ab9c8b474fe8a773fc46bb37a19c6af47d5bd50f5670cd9950a7207c.exe
e7dd9678b0a1c4881e80230ac716b21a41757648d71c538417755521438576f6.exe
e53bd956c4ef79d54b4860e74c68e6d93a49008034afb42b092ea19344309914.exe
Two files were extracted from the samples, a classic “.lnk” file which is a hidden command and a “jpg” file which is an executable. Once the jpg is executed, it contacts the C&C IP ‘45.124.132.127’, based in Hong Kong, sending information periodically gathered from the infected system through HTTPS using a POST method. Once the malware sends information about the host configuration to the C&C, it downloads another file, “upnphost.exe” which is the final payload. Furthermore, this file was found to contact another C&C IP ‘46.183.218.37’, located in Latvia.
Three different C&Cs were found to be used in the campaign with two in Europe and one in China. This was to mislead analysts and create confusion during the investigation of this cyber-attack.
Recommendations:

Educate users to avoid opening attachments from untrusted sources and report any suspicious emails to IT Security.
Limit the provision of admin privilege access on end-users’ machines
Restrict users’ ability (permissions) to install and run unwanted software and applications.
Scan all software downloaded from the Internet prior to executing.
Ensure proper controls are in place to scan inbound emails such as use of sandbox technology to scan incoming emails
Review mail security and gateway blocking effectiveness
Ensure AV at endpoints is being properly updated and check to ensure it has the latest signatures for all the hashes.
Ensure all software updates are pushed from an authorized server (SCCM).
Keep operating system patches up-to-date.

As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.
Blog By:
Shaikh Azhar, Cyber Security Analyst at Help AG