Top Middle East Cyber Threats – 2 August 2021
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Oracle Patch Updates – July 2021
Oracle has released its Critical Patch Update (CPU) for July 2021, the year’s third quarterly update. This CPU includes fixes for 231 disclosed vulnerabilities delivered as 342 security updates across 26 Oracle product families. Some of the listed vulnerabilities could allow an unauthenticated attacker with network access via T3 or Internet Inter-ORB Protocol (IIOP) to compromise a vulnerable server; successful exploitation can result in a server takeover. Multiple Oracle WebLogic Server vulnerabilities stand out because they can be exploited remotely without any authentication.
Vulnerabilities with significant impact include CVE-2021-2382, CVE-2021-2394, CVE-2021-2397, CVE-2021-2376, CVE-2021-2378 and CVE-2021-2403.
Three of the six WebLogic Server vulnerabilities were assigned a CVSSv3 score of 9.8 out of 10, indicating that they are critical. According to Oracle’s advisory, CVE-2021-2397 also addresses CVE-2020-14756, a critical WebLogic Server vulnerability that was originally patched as part of the January 2021 Critical Patch Update.
- Prioritize timely patching of identified vulnerabilities on Internet-facing servers as well as in tools that process internet content, such as web browsers, application plugins, and document readers.
- Refer to CISA’s tips on Understanding Patches and Securing Network Infrastructure Devices.
- Help AG encourages users and administrators to review the official notification and “Risk Matrices” for more details and to apply the necessary patches as soon as possible.
- Help AG strongly recommends that organizations using Hyperion Infrastructure Technology install the latest patch as soon as possible.
LockBit ransomware now encrypts Windows domains using group policies
A new version of the LockBit 2.0 ransomware has been found with many advanced features. Of these, LockBit 2.0’s use of domain group policy sets it apart from other ransomware-as-a-service operations.
Usually in ransomware operations, when cyber criminals breach a network and finally gain control of the domain controller, they use third-party software to deploy scripts that disable antivirus and then execute the ransomware on the machines in the network. LockBit 2.0, however, automates the encryption of a Windows domain using Active Directory group policies.
When executed, the ransomware creates new group policies on the domain controller that are then pushed out to every device in the network. These policies disable Microsoft Defender’s real-time protection, alerts, sample submission to Microsoft, and default actions when malicious files are detected.
Other group policies are created as well, including one that creates a scheduled task on Windows devices to launch the ransomware executable.
The ransomware then pushes a group policy update to all machines in the Windows domain and uses the Windows Active Directory APIs to run LDAP queries against the domain controller to obtain a list of computers. Using this list, the ransomware executable is copied to each device’s desktop, and the scheduled task configured by group policy launches it using the DisplayCalibrator UAC bypass so that it runs silently in the background.
By doing this, LockBit 2.0 makes big-game-hunting ransomware operations easier and less time consuming for cyber criminals.
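As an added defensive check (not part of the original post), the PowerShell script below audits every GPO in the domain for the two artefacts described above: Defender policy values that switch protection off, and scheduled tasks deployed through Group Policy Preferences. It assumes the RSAT GroupPolicy module, a domain-joined host with read access to SYSVOL, and the documented Windows Defender policy registry paths; the function name is my own.

```powershell
# Added example, not Help AG's or LockBit's code: hunt for GPOs that weaken
# Defender or push scheduled tasks, the pattern described for LockBit 2.0.
Import-Module GroupPolicy

# Documented Defender policy values and the data an attacker sets to disable them.
$DefenderChecks = @(
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Bad = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Bad = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring'; Bad = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SubmitSamplesConsent'; Bad = 2 },  # 2 = never send
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SpynetReporting'; Bad = 0 }        # 0 = cloud reporting off
)

function Find-SuspiciousGpo {
    $findings = @()
    foreach ($gpo in Get-GPO -All) {
        foreach ($c in $DefenderChecks) {
            # Get-GPRegistryValue errors when the GPO does not configure the value; treat that as "not set".
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key $c.Key -ValueName $c.Name -ErrorAction SilentlyContinue
            if ($v -and $v.Value -eq $c.Bad) {
                $findings += [pscustomobject]@{ GPO = $gpo.DisplayName; Type = 'DefenderPolicy'; Detail = "$($c.Name)=$($v.Value)" }
            }
        }
        # Group Policy Preference scheduled tasks are stored in SYSVOL as ScheduledTasks.xml.
        $dom = $gpo.DomainName
        $xmlPath = "\\$dom\SYSVOL\$dom\Policies\{$($gpo.Id)}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"
        if (Test-Path $xmlPath) {
            [xml]$doc = Get-Content -Path $xmlPath
            foreach ($t in ($doc.ScheduledTasks.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })) {
                # V2/Immediate tasks carry the command under Task/Actions/Exec; V1 tasks use appName/args.
                $exec = $t.Properties.Task.Actions.Exec
                $cmd = if ($exec) { "$($exec.Command) $($exec.Arguments)" } else { "$($t.Properties.appName) $($t.Properties.args)" }
                $findings += [pscustomobject]@{ GPO = $gpo.DisplayName; Type = "GPP-$($t.LocalName)"; Detail = "$($t.GetAttribute('name')) -> $cmd" }
            }
        }
    }
    return $findings
}

# Any hit is worth a human look; a freshly created GPO that matches both types is the pattern to alarm on.
Find-SuspiciousGpo | Sort-Object GPO | Format-Table -AutoSize
```

Pair the output with GPO creation and modification timestamps (Get-GPO exposes CreationTime and ModificationTime) so that newly created or recently changed policies rise to the top of the review queue.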
- Enable tamper protection on endpoint and EDR solutions; this prevents the service from being killed, by using an ELAM driver and/or running as a protected or critical process.
- Keep your systems and security solution databases up to date.
- Invest in user awareness so that users do not open unsolicited attachments or links sent by email.
Chrome Zero Day exploited in the wild
Google released an update to fix eight vulnerabilities. Seven of them are memory corruption or memory manipulation vulnerabilities, and one is a zero-day currently being exploited in the wild.
A remote attacker could exploit the vulnerability by duping an unwitting victim into visiting a specially crafted website, triggering the type confusion error, after which they could execute arbitrary code on the affected system. The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) classified the vulnerabilities as extremely high risk.
- Prioritize timely patching of affected systems.
- Raise user awareness not to open unsolicited links sent to them.
- Apply the Principle of Least Privilege to all systems and services.