Top Middle East Cyber Threats – 21 February 2023

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.  

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:  

Malware Campaign WIP26 Targets Telcos in the Middle East 

Researchers have detected a new campaign called WIP26 targeting telecommunication providers in the Middle East. The threat actor has targeted public cloud infrastructure such as Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox, and has evaded detection by making malicious traffic look legitimate. The initial intrusion vector was through WhatsApp messages containing Dropbox links that were linked to a malware loader, and once clicked, it led to the deployment of backdoors. The backdoors, dubbed as CMD365 and CMDEmber, have abused Microsoft 365 Mail and Google Firebase services for C2 purposes.  

RECOMMENDATIONS: 

• Ensure all systems are patched and updated.   
• Avoid clicking or opening untrusted or unknown links, files, or attachments.   
• Don’t allow Macros for unknown MS Office files.  
• Enable software restriction policies and application whitelisting.   
• Ensure that email server is configured to block any suspicious attached files.   
• Enforce the Restricted PowerShell script execution policy for end users.   
• Monitor your network for abnormal behaviour and shared IoCs.   
• Ensure frequent backups are in place.   
• Educate employees about detecting and reporting phishing / suspicious emails 

Google Chrome Fixes Multiple Vulnerabilities 

Google has published a security update to address multiple vulnerabilities in Chrome browser that are now fixed in Chrome’s latest version (110.0.5481.77/.78 for Windows, 110.0.5481.77 for Mac and Linux). 

The update includes 15 security fixes, 10 of which were contributed by external researchers. 3 are classified as ‘High’, 5 as ‘Medium’ and 2 as ‘Low’ in risk level. 

RECOMMENDATIONS 

• Ensure all systems are patched and updated.     

Apple Fixes Zero-Day Flaw  

Apple has rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that has been actively exploited in the wild. 

Tracked as CVE-2023-23529, the issue was related to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, resulting in arbitrary code execution. 

RECOMMENDATIONS 

• Ensure all systems are patched and updated. 

Microsoft Releases Security Patches  

Microsoft has fixed 75 vulnerabilities in the February 2023 update addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; .NET Core and Visual Studio Code, 3D Builder, Azure Service Fabric Container, Windows BitLocker, Windows Defender, Windows Print Spooler Components, and Microsoft Exchange Server. 

From the 75 patches released, 9 are rated as ‘Critical’ and 66 are rated ‘Important’ in severity. 

None of the CVEs released are listed as publicly known, but there are three bugs as listed below that were exploited in the wild at the time of release: 

• CVE-2023-21715 (CVSS score: 7.3) – Microsoft Office Security Feature Bypass Vulnerability 

• CVE-2023-21823 (CVSS score: 7.8) – Windows Graphics Component Elevation of Privilege Vulnerability 
• CVE-2023-23376 (CVSS score: 7.8) – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability 

Successful exploitation of the above flaws could enable an adversary to bypass Office macro policies that are used to block untrusted/malicious files and gain system privileges. 

RECOMMENDATIONS 

• Ensure all systems are patched and updated.   

Mirai Variant V3G4 Targets IoT Devices 

From July to December 2022, Unit 42 researchers have observed a Mirai variant called V3G4, which leveraged several vulnerabilities to spread. The vulnerabilities exploited include the following: 

• CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability 
• Gitorious Remote Command Execution Vulnerability 
• CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability 
• Mitel AWC Remote Command Execution Vulnerability 
• CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability 
• CVE-2019-15107: Webmin Command Injection Vulnerability 
• Spree Commerce Arbitrary Command Execution Vulnerability 
• FLIR Thermal Camera Remote Command Execution Vulnerability 
• CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability 
• CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability 
• CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability 
• CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability 
• CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability  

Once the devices are compromised, they are fully controlled by attackers, becoming a part of the botnet. The threat actor has the capability to utilize these devices to execute further attacks, such as distributed denial-of-service (DDoS) attacks. 

RECOMMENDATIONS 

• Ensure all systems are patched and updated.   
• Avoid clicking or opening untrusted or unknown links, files, or attachments.   
• Don’t allow Macros for unknown MS Office files.  
• Enable software restriction policies and application whitelisting.   
• Ensure that email server is configured to block any suspicious attached files.   
• Enforce the Restricted PowerShell script execution policy for end users.   
• Monitor your network for abnormal behaviour and shared IoCs.   
• Ensure frequent backups are in place.   
• Educate employees about detecting and reporting phishing / suspicious emails 

Fortinet Fixes Critical RCE Flaws in FortiNAC and FortiWeb 

Fortinet has released security updates for its FortiNAC and FortiWeb products, addressing two critical-severity vulnerabilities that may allow unauthenticated attackers to perform arbitrary code or command execution.  

The first flaw, impacting FortiNAC is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (Critical). The second vulnerability impacting FortiWeb is CVE-2021-42756, which has a CVSS v3 score of 9.3 (Critical). 

CVE-2022-39952 is fixed in FortiNAC 9.4.1, 9.2.6, 9.1.8 and 7.2.0. 

CVE-2021-42756 is fixed in FortiWeb 7.0.0, 6.3.17, 6.2.7, 6.1.3 and 6 .0.8. 

RECOMMENDATIONS 

• Ensure all systems are patched and updated.   

References: 

• https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html  
• https://chromereleases.googleblog.com/2023/02/stable-channel-update-for-desktop.html  
• https://www.zerodayinitiative.com/blog/2023/2/14/the-february-2023-security-update-overview  
• https://unit42.paloaltonetworks.com/mirai-variant-v3g4/  
• https://www.fortiguard.com/psirt/FG-IR-22-300  
• https://www.fortiguard.com/psirt/FG-IR-21-186