
Top Middle East Cyber Threats – 22 Mar 2021


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Earth Vetala, aka MuddyWater, Targets Organizations in the Middle East

Recently, research that uncovered malicious activity linked to Iranian cyber-espionage has been connected with a new, ongoing campaign across the Middle East.

Aliased as Earth Vetala, this threat group used spearphishing emails with an embedded link to a legitimate file-sharing website to distribute its destructive package. The aim was to deceive victims with malicious links embedded in documents as well as in emails. After gaining access to a victim, the attackers ascertain whether the compromised user account belongs to an administrator or a regular user. Victims then download post-exploitation tools, including password- or process-dumping tools, reverse tunneling tools, and customized backdoors. The threat actors then communicate with external command-and-control infrastructure in order to run obfuscated (unreadable) PowerShell scripts. According to the research, several organizations in the United Arab Emirates, Saudi Arabia, Israel, and Azerbaijan were targeted.

The new report indicates that, during the investigation, victims were observed downloading one of two files, one in .PDF format and the other in .RTF format. The lure document’s content aims to persuade the user to visit another malicious URL and download a .ZIP file. This .ZIP file contains a copy of the legitimate remote administration program created by RemoteUtilities, which, once extracted and executed, offers remote management capabilities. The use of this RemoteUtilities program distinguishes this recent campaign from previous observations. Traditionally, Earth Vetala targets its victims using embedded URLs in phishing emails and weaponized documents pointing to a legitimate file-sharing service from which the ScreenConnect Remote Administrator tool was distributed.

RECOMMENDATIONS

  • Do not open suspicious emails or click on unknown links or attachments. The easiest way to check a link is to hover over it with your mouse and inspect the destination it points to.
  • Use MFA (multi-factor authentication) for all services, especially webmail, virtual private networks, and accounts that access critical systems.
  • Apply the Principle of Least Privilege wherever applicable to all systems and services.
  • Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
  • Make sure to check the extensions of the files you download. Document files do not use the .EXE or .LNK file format.
  • Enable a personal firewall, configured to reject unsolicited connection requests, on department workstations.
  • Use portable media (for example, USB thumb drives, external drives, CDs) with caution.
  • Block the indicators of compromise within respective security controls organization wide.
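The file-extension and lure-document checks in the recommendations above can be automated on a download gateway or an endpoint script. The following is an added example written for this advisory, not Help AG's or the research team's code: it flags executable extensions, double extensions that masquerade as documents (such as .PDF.EXE), a right-to-left override character in the file name, and content whose leading bytes do not match the claimed extension (a .PDF, .RTF or .ZIP lure that is really a PE executable). The extension sets, the magic-byte table and the sample names are constructed for the example.

```python
"""Download hygiene check (added example, not Help AG code).

Flags the patterns the advisory warns about: executable extensions such as
.EXE or .LNK on files that pretend to be documents, and file content that does
not match the claimed extension. Extension sets and the magic-byte table are
constructed for this example from well-known format signatures.
"""
from pathlib import Path

# Extensions that Windows will execute; a document never carries these.
EXECUTABLE_EXTS = {".exe", ".lnk", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".msi"}
DOCUMENT_EXTS = {".pdf", ".rtf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Well-known leading bytes for the formats named in the advisory.
MAGIC = {
    ".pdf": b"%PDF-",
    ".rtf": b"{\\rtf",
    ".zip": b"PK\x03\x04",
    ".exe": b"MZ",
    ".lnk": b"L\x00\x00\x00",
}

RLO = "\u202e"  # right-to-left override: visually reverses the end of a name


def classify_download(filename: str, head: bytes = b"") -> list:
    """Return a list of findings for a downloaded file.

    filename: the name shown to the user.
    head:     first bytes of the file content (empty means content unknown).
    """
    findings = []
    name = Path(filename).name
    suffixes = [s.lower() for s in Path(name).suffixes]
    final = suffixes[-1] if suffixes else ""

    if RLO in name:
        findings.append("right-to-left override character in file name")

    if final in EXECUTABLE_EXTS:
        findings.append(f"executable extension {final}")
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            findings.append(
                f"double extension: {suffixes[-2]}{final} masquerades as a document")

    if head:
        expected = MAGIC.get(final)
        if expected is not None and not head.startswith(expected):
            findings.append(f"content does not match {final} signature")
        if final in DOCUMENT_EXTS and head.startswith(b"MZ"):
            findings.append("document extension but PE executable content")
    return findings


if __name__ == "__main__":
    # Constructed samples: a clean PDF name, a double-extension lure, and a
    # "PDF" whose content is really a Windows executable (MZ header).
    samples = [
        ("invoice.pdf", b"%PDF-1.7"),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("report.pdf", b"MZ\x90\x00"),
        ("archive.zip", b"PK\x03\x04\x14\x00"),
    ]
    for fname, first_bytes in samples:
        print(fname, "->", classify_download(fname, first_bytes) or "ok")
```

Run it against the names and first few bytes of files arriving through mail or download gateways; any non-empty finding list is worth quarantining for analyst review rather than letting the user open the file.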

DearCry Ransomware Targets Unpatched Exchange Servers

On March 12, Microsoft warned that ransomware known as “DearCry” is now being used to infect vulnerable Exchange Servers. These attacks target unpatched Exchange Servers with a new ransomware family. Multiple Microsoft Exchange vulnerabilities are being deliberately exploited in the wild in an effort to steal e-mail and compromise networks. By “unpatched” we mean Exchange Server products on which Microsoft’s out-of-band security patches, released on March 2, have not been installed. According to Check Point Software, since the release of Microsoft’s patch, attacks on Exchange Server implementations have “tripled every two hours” across the world.

DearCry ransomware encrypts victims’ files with the AES-256 and RSA-2048 encryption algorithms and modifies file headers to include the string ‘DEARCRY!’. Microsoft stated that the ransomware was distributed by exploiting the four Microsoft Exchange vulnerabilities known collectively as ProxyLogon, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

DearCry is a clear example of how threat actors can cause havoc by leveraging newly reported vulnerabilities.
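Because DearCry rewrites file headers to include the string ‘DEARCRY!’, a lightweight file-system sweep can surface encrypted files on a suspect Exchange host. The script below is an added example for this advisory, not Help AG's or Microsoft's code: it walks a directory, reports files whose leading bytes carry the marker, and computes the Shannon entropy of the following bytes as a supporting signal (encrypted content approaches 8 bits per byte). The 64-byte header window, the entropy heuristic and the sample files are this example's assumptions, not details taken from the advisory.

```python
"""Scan for DearCry-style file headers (added example, not Help AG code).

Reports files whose leading bytes contain 'DEARCRY!' and the entropy of the
bytes that follow. The 64-byte window and the entropy heuristic are
assumptions made for this example, not details from the advisory.
"""
import math
import os
import tempfile
from collections import Counter

MARKER = b"DEARCRY!"
HEADER_WINDOW = 64      # assumption: the marker is expected within the first 64 bytes
SAMPLE_BYTES = 4096     # how much of each file to read for the entropy check


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_file(path: str) -> dict:
    """Verdict for one file: marker present, plus entropy of the sampled body."""
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE_BYTES)
    has_marker = MARKER in sample[:HEADER_WINDOW]
    body = sample[HEADER_WINDOW:] if has_marker else sample
    return {
        "path": path,
        "dearcry_marker": has_marker,
        "entropy": round(shannon_entropy(body), 2),
    }


def scan_tree(root: str) -> list:
    """Return inspect_file() results for every file under root carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = inspect_file(os.path.join(dirpath, name))
            if result["dearcry_marker"]:
                hits.append(result)
    return hits


def build_demo_tree(root: str) -> None:
    """Constructed sample data: one marked high-entropy file, one plain text file."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(MARKER + bytes(range(256)) * 8)   # marker followed by a pseudo-random body
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly notes\n" * 100)


def run_demo() -> tuple:
    """Build the constructed tree in a temp dir and return (hits, notes_verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        hits = scan_tree(tmp)
        notes = inspect_file(os.path.join(tmp, "notes.txt"))
        return hits, notes


if __name__ == "__main__":
    hits, notes = run_demo()
    for hit in hits:
        print("marked file:", hit)
    print("clean file:  ", notes)
```

Point `scan_tree` at a mailbox database path or a file share to triage; a marker hit with a high-entropy body is a strong indicator that encryption has already run on that host, which should drive isolation before patching.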

RECOMMENDATIONS

  • Prioritize timely patching of identified vulnerabilities in Internet-facing servers and in tools that process internet data, such as web browsers, application plugins, and document readers. Refer to CISA’s tips on Understanding Patches and Securing Network Infrastructure Devices.
  • Update VPNs, network infrastructure systems and devices that are used to remotely access work environments with the latest software fixes and security configurations.
  • Ensure that systems are correctly configured and that security features are enabled. Disable ports and protocols that are not used for business purposes (e.g., Remote Desktop Protocol [RDP] on Transmission Control Protocol [TCP] port 3389).
  • Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
  • Use MFA (multi-factor authentication) for all services, especially webmail, virtual private networks, and accounts that access critical systems.
  • Block the indicators of compromise within respective security controls organization wide.

Microsoft Releases Urgent Patches for Exchange Server Zero-Day Vulnerabilities

Multiple Microsoft Exchange vulnerabilities are being deliberately exploited in the wild in an effort to steal e-mail and compromise networks. In this operation, a large amount of data was observed being sent to certain IP addresses. A thorough report from the Microsoft Threat Intelligence Center (MSTIC) attributes this operation to HAFNIUM, a group alleged to be state-sponsored and operating out of China.

The attacker exploited a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855) to steal the entire contents of many user mailboxes. This vulnerability can be exploited remotely without authentication, special knowledge, or prior access to the target environment: the attacker only needs to identify the Exchange server and the account from which they want to retrieve emails. The vulnerability has been reported to exist in the latest version of Exchange 2016 on a fully patched Windows Server 2016 host. Although Exchange 2019 is thought to be vulnerable, the vulnerability has not been assessed against a fully patched version. It is also worth noting that this flaw does not appear to affect Office 365 and Exchange Online.

The Microsoft Security Response Center (MSRC) announced the following Knowledge Base articles for the four out-of-band security patches:

After the discovery of CVE-2021-26855, the attacker was found to have chained the SSRF vulnerability with another that enables remote code execution (RCE) on the targeted Exchange servers. In every case of RCE, the attacker was observed writing webshells (ASPX files) to disk and then dumping credentials, adding user accounts, stealing copies of the Active Directory database (NTDS.DIT), and moving laterally to other systems and environments.
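Since every RCE case above involved an ASPX webshell written to disk, a defender's first triage step on an Exchange server is to inventory the .aspx files under its web roots and compare them against a known-good baseline and the published webshell hashes (the advisory's later recommendation to block “Webshell Hash” indicators, and the earlier one to keep security baselines and monitor for deviations, are the same idea). The script below is an added example for this advisory, not Help AG's or Microsoft's code: it hashes every .aspx file, reports hash matches against a supplied indicator list, and reports files that are new or changed relative to the baseline. The `owa/auth` path, the baseline, the indicator set and the file contents are constructed for the example; the real hash list would come from the vendor's indicator publication.

```python
"""ASPX webshell triage for Exchange/IIS web roots (added example, not Help AG code).

Hashes every .aspx file under the given roots and reports (a) files whose
SHA-256 matches a supplied indicator list and (b) files that are absent from,
or differ from, a baseline inventory taken before the incident. All paths,
contents and the indicator set in run_demo() are constructed placeholders.
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_aspx(roots) -> dict:
    """Map root-relative path -> sha256 for every .aspx file under the roots."""
    inv = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().endswith(".aspx"):
                    full = os.path.join(dirpath, name)
                    inv[os.path.relpath(full, root)] = sha256_of(full)
    return inv


def triage(current: dict, baseline: dict, ioc_hashes: set) -> list:
    """Return (kind, relative_path) findings, sorted by path.

    kinds: 'ioc-hash-match' (known webshell hash), 'new-aspx' (not in the
    baseline), 'modified-aspx' (present in the baseline with a different hash).
    """
    findings = []
    for rel, digest in sorted(current.items()):
        if digest in ioc_hashes:
            findings.append(("ioc-hash-match", rel))
        if rel not in baseline:
            findings.append(("new-aspx", rel))
        elif baseline[rel] != digest:
            findings.append(("modified-aspx", rel))
    return findings


def run_demo() -> list:
    """Constructed scenario: a legitimate page, later modified, plus a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        owa = os.path.join(root, "owa", "auth")   # assumed Exchange web path for the demo
        os.makedirs(owa)
        good = os.path.join(owa, "logon.aspx")
        with open(good, "wb") as fh:
            fh.write(b'<%@ Page Language="C#" %> constructed legitimate logon page')
        baseline = inventory_aspx([root])          # taken before the incident

        # Simulated post-compromise state: the logon page is altered and a new file appears.
        with open(good, "ab") as fh:
            fh.write(b"<!-- constructed appended content -->")
        dropped = os.path.join(owa, "dropped.aspx")
        with open(dropped, "wb") as fh:
            fh.write(b"<!-- constructed placeholder standing in for a dropped file -->")
        iocs = {sha256_of(dropped)}                 # placeholder for the published hash list
        return triage(inventory_aspx([root]), baseline, iocs)


if __name__ == "__main__":
    for kind, rel in run_demo():
        print(f"{kind:16} {rel}")
```

In production, take the baseline from a known-clean server or from the installed Exchange build, run the inventory against every Internet-facing Exchange host, and treat any `new-aspx` or `modified-aspx` hit under the OWA and ECP directories as a file to acquire for analysis rather than simply delete.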

RECOMMENDATIONS:

  • Check the official notification and deploy necessary patches as soon as possible.
  • Prioritize installing updates on externally facing Exchange Servers at the earliest.
  • Review out-of-band security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.
  • Block only the “Malicious IP” and “Webshell Hash” indicators within the respective security controls organization-wide.

Microsoft Security Updates – March 2021

Microsoft plugged 89 security flaws in Microsoft Windows components, Azure and Azure Sphere, Azure DevOps, Exchange Server, Internet Explorer and Edge (EdgeHTML), Office and Office Services and Web Apps, SharePoint Server, Windows Hyper-V and Visual Studio as part of its March 2021 updates. Microsoft’s official notification rates 14 of these vulnerabilities as critical and 75 as important severity.

Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076) is of considerable significance in this month’s pool of patched vulnerabilities. For an attack to succeed, the attacker must be able to create or modify SharePoint server sites. However, SharePoint allows authenticated users to create sites by default, and whenever they do, the user becomes the site’s owner with all the requisite permissions. This is similar to other SharePoint bugs that researchers have previously published.

Windows DNS Server Remote Code Execution Vulnerability CVE-2021-26897 patches a flaw in Windows DNS Server that could allow remote code execution on affected systems. Five DNS Server remote code execution vulnerabilities were reported, but this CVE is the only one rated Critical; the other four are CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, and CVE-2021-26895. The Internet Explorer Memory Corruption Vulnerability, CVE-2021-26411, fixes a flaw in Internet Explorer (IE) and Edge (EdgeHTML-based) that could enable an attacker to run their code on affected systems if a specially crafted HTML file is viewed. At the time of publication, Microsoft listed this vulnerability as both publicly known and under active attack. Successful exploitation results in code execution in the context of the logged-in user, which is yet another reason to avoid using accounts with administrative privileges for web browsing.

Microsoft patched CVE-2021-26867, a vulnerability in Windows Hyper-V that could enable an authenticated attacker to execute code on the underlying Hyper-V server. Although the vulnerability has a CVSS score of 9.9, it only affects systems using the Plan-9 file system; the patch should nonetheless be applied as soon as possible.

The HEVC Video Extensions receive four bug-fix patches, which are available from the Windows Store. A flaw in OpenType fonts that could be exploited by displaying a specially crafted font has been patched. Five RCE bugs affecting Visual Studio are included in this month’s update; the update for the Quantum Development Kit for Visual Studio, however, must be downloaded manually. The majority of the 30 Elevation of Privilege (EoP) bugs addressed in this month’s update require an attacker to log on to an affected system and run specially crafted code to elevate privileges. The Windows kernel and various Windows components are affected by these patches.

Patches for six information disclosure bugs are included in this month’s release. Typically, these result in memory leaks of unspecified contents. The information leak in SharePoint Server, however, may according to Microsoft give an attacker access to “organizational email, websites, filename, url of file…”, so it is presumed that useful information might be revealed to an attacker.

This month, three components receive patches to address security feature bypasses (SFB), including the Windows Extensible Firmware Interface and Windows Admin Center bypasses. Four denial-of-service (DoS) bugs and one spoofing vulnerability are also included in the March 2021 release; the spoofing bug, CVE-2021-24104, affects SharePoint Server.

RECOMMENDATIONS

Google Chrome Security Updates

Google has released a Chrome update that addresses five security vulnerabilities, including a zero-day vulnerability that has been widely exploited by malicious actors. The vulnerabilities affect the popular browser on Windows, Mac OS X, and Linux. Google confirmed that an exploit for CVE-2021-21193, a recently discovered zero-day vulnerability caused by a use-after-free (UAF) bug in Blink, the rendering engine developed as part of Chromium, already exists in the wild. Blink is the key component responsible for turning HTML code into the rendered web pages you are accustomed to browsing. Because of the UAF flaw, Blink mishandled memory that had already been freed, which could lead to data corruption and arbitrary code execution.

According to Vulmon researchers, a remote attacker might exploit the high-severity vulnerability by tricking an unsuspecting user into visiting a specially crafted webpage, after which they could execute arbitrary code or even trigger a denial-of-service attack on the vulnerable system.

Apart from the zero-day flaw, CVE-2021-21191, a use-after-free vulnerability affecting WebRTC, a Chrome component that enables audio and video communication on websites, was also fixed. A heap-based buffer overflow, CVE-2021-21192, was also reported in tab groups, a feature introduced in the Chrome 85 release.

RECOMMENDATIONS
