Threat advisories

Top Middle East Cyber Threats – 22 August 2022

Aug-2022 6 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

VMware fixes critical authentication bypass vulnerability

A critical authentication bypass security flaw in VMware has been discovered. The vulnerability tracked as CVE-2022-31656, impacts local domain users in multiple products including Workspace ONE Access, Identity Manager, and vRealize Automation. An unauthenticated attacker can exploit the vulnerability to gain admin privileges. The vulnerability has been rated as critical with a CVSS v3 base score of 9.8.

VMware also patched multiple other security bugs enabling attackers to gain remote code execution and escalate privileges to ‘root’ on unpatched servers.

RECOMMENDATIONS

Ensure all systems are patched and updated.
A workaround for CVE-2022-22972 is available, though patching is recommended.

New Woody RAT Malware Spotted in the Wild

A newly discovered remote access trojan called Woody RAT has been discovered in the wild, active for at least a year as part of a spear-phishing campaign. It is being delivered via two methods: archive files and Microsoft Office documents leveraging the now-patched “Follina” vulnerability in Windows.

Woody RAT has a wide range of features that enable the threat actor to remotely access and steal sensitive information from the infected systems. It can write arbitrary files to the machine, execute additional malware, delete files, enumerate directories, capture screenshots, and gather a list of running processes.

The technique to be noted here is that the malware makes use of the process hollowing technique to inject itself into a suspended Notepad process and deletes itself from the disk to evade detection from security software installed on the compromised host.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviours and indicators of compromise (IoCs).
Block the IoCs within respective security controls organization wide.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

LockBit 3.0 Ransomware abuses Windows Defender to load Cobalt Strike

LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads. The attack is carried out by initially compromising the target networks by exploiting the Log4j vulnerability. After gaining access to the target system, a series of enumeration commands are performed and multiple post-exploitation tools are run, including Meterpreter, PowerShell Empire and also a new technique to side-load Cobalt Strike.

Furthermore, the use of living-off-the-land (LotL) techniques by attackers, wherein legitimate software and functions available in the system are used for post-exploitation, has been seen on the rise as an attempt to evade detection by security software.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviours and indicators of compromise (IoCs).
Block the IoCs within respective security controls organization wide.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

Multiple vulnerabilities in Exim could allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Exim. Exim is a mail transfer agent used to deploy mail servers on Unix-like systems and Exim versions prior to 4.96 which are vulnerable.

Successful exploitation of the most severe of these vulnerabilities can enable the attacker to perform command execution as root in the context of the mail server. One of the vulnerabilities is a heap-based buffer overflow for the alias list and other one is an invalid free.

Proof of concept code is available for CVE-2022-37451 and CVE-2022-37452.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Microsoft fixes multiple vulnerabilities including a Zero-Day vulnerability

Microsoft published a security update to address multiple vulnerabilities as part of its Patch Tuesday updates. The update includes 121 security fixes which also includes a fix for a Support Diagnostic Tool vulnerability that is being actively exploited in the wild. Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. This is in addition to the 17 CVEs patched in Microsoft Edge and three patches related to secure boot from CERT/CC, bringing the total number of CVEs to 141.

One of the vulnerabilities fixed is CVE-2022-34713, dubbed DogWalk which allows remote code execution affecting the Microsoft Windows Support Diagnostic Tool (MSDT). Another one, CVE-2022-35804, is an SMB Client and Server Remote Code Execution Vulnerability that allows a remote, unauthenticated attacker to execute code with elevated privileges on affected SMB servers. There are also three privilege escalation flaws in Exchange Server including CVE-2022-30134 that could be abused to read targeted email messages and download attachments.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Google Chrome August Update fixes multiple vulnerabilities including a Zero-Day vulnerability

Google published a security update to address multiple vulnerabilities including a zero-day vulnerability in Chrome browser that are fixed now in Chrome’s latest version (104.0.5112.101 for Mac and 104.0.5112.102 for Windows ).

The update includes 11 security fixes. Ten of them were contributed by external researchers and classified as 1 Critical, 6 High and 3 Medium risk level.

The most severe vulnerability reported is CVE-2022-2852 with Critical risk level and described as Use after free in FedCM.

Additionally, Google fixed a vulnerability that exists in the wild (CVE-2022-2856). The vulnerability is classified as High and it is due to an insufficient validation of untrusted input in Intents.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Apple releases Safari 15.6.1 to fix a Zero-Day vulnerability

Apple has released Safari 15.6.1 for macOS Big Sur and Catalina to fix a zero-day vulnerability exploited in the wild to hack Macs.

The zero-day patched today (CVE-2022-32893) is an out-of-bounds write issue in WebKit that could allow a threat actor to execute code remotely on a vulnerable device. An out-of-bounds write vulnerability is when an attacker can supply input to a program that causes it to write data past the end or before the beginning of a memory buffer.

Apple is aware of a report that this issue may have been actively exploited.

RECOMMENDATIONS