Threat advisories

Top Middle East Cyber Threats – 21 February 2022

4 min to read
Top Middle East Cyber Threats – 21 February 2022

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Molerats’ campaign targets Middle Eastern governments with new malware

Molerats is a persistent threat to organizations and governments in the Middle East, routinely updating not only their malware implants, but also their delivery methods. Using malware dubbed NimbleMamba and BrittleBush, their newest campaign used email phishing with URLs that use geofencing to only open the malicious content to Arabic speaking countries and their malware checked for both the IP address and Arabic language pack on the system.

The targeted, news-themed URL lures redirect users to download a RAR file containing NimbleMamba or BrittleBush malwares. The below screenshot is from one such website (https[:]//emaratalyoumcom[.]wordpress[.]com/) impersonating an Arabic language news aggregator.

The attackers used free services for their infrastructure: a Gmail account, Dropbox for payload delivery and API for C2, free WordPress websites and justpaste.it to retrieve NimbleMamba’s configuration. This is a shift from using their own infrastructure which was well-identified in the past and is present in Help AG’s indicators of compromise (IoCs) feed.

The target of the campaign is espionage by exfiltrating gathered intelligence to Dropbox.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t enable macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviour and shared indicators of compromise (IoCs).
  • Block the IoCs within respective security controls organization wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing/suspicious emails.

OilRig utilizes a new backdoor dubbed Marlin

OilRig, also known as APT34, Lyceum, and Siamesekitten, is a cyberespionage group that has been active since 2014.

The threat actor has refreshed their malware toolset to include a new backdoor dubbed Marlin as part of a long-running espionage campaign.

Victims of the campaign include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t enable macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviour and shared indicators of compromise (IoCs).
  • Block the IoCs within respective security controls organization wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing/suspicious emails.

Microsoft releases security updates for February 2022

Microsoft has released security patches for February 2022 addressing approximately 50 CVEs. The 50-odd total does not include the 19 Chromium patches for the Microsoft Edge browser, which were also released this month. As summarized in Microsoft’s “Release Notes,” affected software include the usual suspects such as Windows and Office applications. Notably, the Windows Print Spooler is being patched once more this month, as it has been every month since the discovery of so called “PrintNightmare” vulnerabilities last year.

The following is a comprehensive list of important vulnerabilities:

Four elevated-privilege Print Spooler vulnerabilities are also being patched this month: CVE-2022-21999, CVE-2022-21997, CVE-2022-22718, and CVE-2022-22717. Except for one patch rated “Moderate,” all the patches address “Important” issues. One CVE was publicly known prior to Microsoft’s announcement on February 8. It is an elevation-of-privilege vulnerability in Windows kernels (CVE-2022-21989) that takes advantage of a flaw in how objects are handled in memory.

Even though there are no Critical fixes this month, there are patches for 18 remote code execution vulnerabilities, which are popular among attackers.

RECOMMENDATIONS

Google Chrome addresses zero-day vulnerability – CVE-2022-0609

Google introduced Chrome 98.0.4758.102 for Mac, Windows, and Linux systems to address a high severity zero-day vulnerability.

Google is aware of the possibility that a CVE-2022-0609 exploit exists in the wild. The same was confirmed by Google in a security advisory issued on February 15.

The CVE-2022-0609 zero-day bug, which was fixed on February 15, is described as a “Use after free in Animation” and has been assigned a high severity rating. Attackers frequently take advantage of use after free bugs to execute arbitrary code on computers running unpatched Chrome versions or to bypass the browser’s security sandbox.

Moreover, Eleven security fixes have been included in this update.

RECOMMENDATIONS

References:

Share this article