Top Middle East Cyber Threats – 22 November 2021
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
State Hackers Breach Defense, Energy, and Healthcare Organizations Worldwide
Cybersecurity firm Palo Alto Networks warned of an ongoing hacking campaign that has already resulted in the compromise of at least nine organizations worldwide from critical sectors, including defense, healthcare, energy, technology, and education.
To breach the organizations’ networks, the threat actors behind this cyber espionage campaign exploited a critical vulnerability (CVE-2021-40539) in Zoho’s enterprise password management solution, ManageEngine ADSelfService Plus, which allows remote code execution on unpatched systems without authentication.
After gaining access to the initial server, the actors focused their efforts on gathering and exfiltrating sensitive information from local domain controllers, such as the Active Directory database file (ntds.dit) and the SYSTEM hive from the registry.
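Detecting the collection step described above, as an added example that is not from the Unit 42 report or Help AG: a small Python scanner over constructed process-creation events (a simplified timestamp|host|user|command_line layout is assumed) that flags command lines touching ntds.dit or saving the SYSTEM hive, and raises a correlated alert when both occur on one host inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp|host|user|command_line"
# layout (modelled loosely on Windows 4688 / Sysmon 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    "2021-11-15T09:01:10|DC01|CORP\\svc_backup|wbengine.exe",
    "2021-11-15T09:02:44|DC01|CORP\\webadmin|cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\Users\\Public\\n.dat",
    "2021-11-15T09:03:02|DC01|CORP\\webadmin|reg.exe save HKLM\\SYSTEM C:\\Users\\Public\\sys.hiv",
    "2021-11-15T09:05:30|WS22|CORP\\jdoe|reg.exe query HKLM\\SYSTEM\\CurrentControlSet\\Services",
    "2021-11-15T10:11:00|DC02|CORP\\svc_backup|dcdiag.exe /test:services",
]

# Any process naming the AD database file on its command line is worth a look.
NTDS_RE = re.compile(r"ntds\.dit", re.IGNORECASE)
# reg save/export of the SYSTEM hive; a plain "reg query" is routine and must not match.
SYSTEM_HIVE_RE = re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+HKLM\\SYSTEM\b", re.IGNORECASE)


def classify(command_line):
    """Return the indicator name matched by one command line, or None."""
    if NTDS_RE.search(command_line):
        return "ntds_dit_access"
    if SYSTEM_HIVE_RE.search(command_line):
        return "system_hive_dump"
    return None


def detect(events, window=timedelta(minutes=10)):
    """Tag single-event hits and correlate per host: the SYSTEM hive holds the
    boot key needed to decrypt ntds.dit, so both together within `window`
    strongly suggest credential-database staging rather than routine admin work."""
    hits, per_host = [], defaultdict(list)
    for line in events:
        ts, host, user, cmd = line.split("|", 3)
        indicator = classify(cmd)
        if indicator:
            hits.append((host, user, indicator))
            per_host[host].append((datetime.fromisoformat(ts), indicator))
    alerts = []
    for host, seen in per_host.items():
        names = {name for _, name in seen}
        times = [t for t, _ in seen]
        if {"ntds_dit_access", "system_hive_dump"} <= names and max(times) - min(times) <= window:
            alerts.append(host)
    return hits, sorted(alerts)


if __name__ == "__main__":
    found, hosts = detect(SAMPLE_EVENTS)
    for hit in found:
        print("hit:", hit)
    print("correlated credential-database staging on:", hosts)
```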
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Enable software restriction policies and application whitelisting.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviours and indicators of compromise (IoCs).
- Block the IoCs within respective security controls organization wide.
- Ensure frequent backups are in place.
Citrix Advisory Tackles a Critical Flaw
Citrix released an advisory about two vulnerabilities discovered in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.
The most severe vulnerability is CVE-2021-22955, which was reported with a critical risk level. A successful attack allows an unauthenticated attacker to cause a Denial of Service in Citrix ADC and Citrix Gateway.
The second vulnerability is CVE-2021-22956, and it affects Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP Edition. The vulnerability was reported with a low criticality level and described as temporary disruption of the Management GUI, Nitro API and RPC communication.
RECOMMENDATIONS
- Keep systems up to date and install patches as soon as possible.
Microsoft November Patch Addresses 55 Vulnerabilities
On 9 November 2021, Microsoft released patches for 55 new CVEs in Microsoft Windows and Windows Components, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.
Of the CVEs patched in this release, six are rated Critical and 49 are rated Important in severity. Four of these bugs are listed as publicly known and two are listed as under active exploit.
One of the most important vulnerabilities is CVE-2021-42321 that affects Microsoft Exchange Server. To exploit it, an attacker would need to be authenticated to a vulnerable Exchange Server.
The other exploited vulnerability is CVE-2021-42292. This patch fixes a bug that could allow code execution when opening a specially crafted file with an affected version of Excel.
Another Critical vulnerability, CVE-2021-38666 with a CVSSv3 score of 8.8, is described as a Remote Desktop Client Remote Code Execution Vulnerability. It can be exploited when a victim machine connects to an attacker-controlled Remote Desktop server, allowing the attacker to execute arbitrary code on the victim’s machine.
RECOMMENDATIONS
- Keep systems up to date and install patches as soon as possible.
Critical Vulnerabilities Found in Nucleus TCP/IP Stack
Researchers found a set of 13 new vulnerabilities affecting the Nucleus TCP/IP stack, which they collectively call NUCLEUS:13. The new vulnerabilities allow for remote code execution, denial of service, and information leaks.
Nucleus is currently owned by Siemens and it has been deployed in many industries that have safety and security requirements, such as medical devices, automotive and industrial systems.
The most severe vulnerability (CVE-2021-31886), with a CVSS 3.1 score of 9.8, is a remote code execution flaw in the FTP server.
The FTP server does not properly validate the length of the “USER” command, leading to a stack-based buffer overflow. This may result in denial of service conditions and remote code execution.
RECOMMENDATIONS
- Patch devices running the vulnerable versions of Nucleus.
- Discover and inventory devices running Nucleus. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running Nucleus. The script is updated constantly with new signatures to follow the latest developments of Forescout’s research.
- Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigation control if they cannot be patched or until they can be patched.
- Monitor for progressive patches released by affected device vendors.
- Monitor all network traffic for malicious activity.
Multiple Vulnerabilities Identified in Samba
Multiple vulnerabilities were identified in Samba, software for fast and secure file and print sharing for all clients using the SMB protocol that also provides a suite of applications enabling seamless networking and interoperability between *nix and Windows. Some of the identified vulnerabilities are CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, and CVE-2021-23192.
A remote attacker could exploit some of these vulnerabilities to trigger a denial of service condition, elevation of privilege and security restriction bypass on the targeted system.
RECOMMENDATIONS
- Keep systems patched and up to date.
- Patch for Samba 4.15.1
- Patch for Samba 4.14.9
- Patch for Samba 4.13.13
VMware vCenter Server Privilege Escalation CVE-2021-22048
VMware shared workarounds to remediate a privilege escalation vulnerability in VMware vCenter Server (vCenter Server) and VMware Cloud Foundation (Cloud Foundation).
The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.
RECOMMENDATIONS
North Korea Threat Actor TA406
Researchers at Proofpoint tracked North Korea-aligned threat actor TA406, sampled their tools, and discovered the services they abuse and the phishing lures they employ.
TA406 employs both malware and credential harvesting in espionage and information-gathering campaigns targeting research, education, government, media and other organizations.
TA406 phishing campaigns focus on individuals in North America, Russia and China, with the actors frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for the purpose of financial gain.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t allow Macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
- Block the IoCs within respective security controls organization wide.
- Ensure frequent secure backups are in place.
Squirrelwaffle Exploits ProxyShell and ProxyLogon
Threat actors are targeting Middle East and UAE organizations by exploiting Microsoft Exchange servers using ProxyShell and ProxyLogon exploits to distribute malware and bypass detection using stolen internal reply-chain emails.
As these emails originate from the same internal network and appear to be a continuation of a previous discussion between two employees, it leads to a greater degree of trust that the email is legitimate and safe.
The actors behind this attack are believed to be ‘TR’, a known threat actor who distributes emails with malicious attachments that drop malware, including Qbot, IcedID, Cobalt Strike, and SquirrelWaffle payloads.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t allow Macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
- Block the IoCs within respective security controls organization wide.
- Ensure frequent secure backups are in place.
References:
- https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
- https://support.citrix.com/article/CTX330728
- https://msrc.microsoft.com/update-guide/releaseNote/2021-Nov
- https://www.forescout.com/resources/nucleus13-research-report-dissecting-the-nucleus-tcpip-stack/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-313-03
- https://www.samba.org/samba/history/security.html
- https://www.samba.org/samba/history/samba-4.15.2.html
- https://kb.vmware.com/s/article/86292
- https://www.vmware.com/security/advisories/VMSA-2021-0025.html
- https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf
- https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html