
Top Middle East Cyber Threats – 23 May 2022


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Microsoft May 2022 Patch Tuesday Fixes 3 Zero-Days

On 10 May, Microsoft released its May 2022 Patch Tuesday and fixed a total of 75 flaws: 8 are classified as Critical (allowing remote code execution or elevation of privilege), 66 as Important, and one as Low in severity.

One of the fixed bugs was listed as publicly known and under active attack at the time of release, while two others were listed as publicly known.

The actively exploited zero-day vulnerability fixed on 10 May appears to be a new vector for the PetitPotam NTLM relay attack. It is tracked as CVE-2022-26925 and described as a Windows LSA Spoofing Vulnerability. An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. The security update detects anonymous connection attempts to LSARPC and disallows them.

Using this attack, threat actors can intercept legitimate authentication requests and use them to gain elevated privileges.

The two publicly exposed zero-days are a denial of service (DoS) vulnerability in Hyper-V and a new remote code execution vulnerability in Azure Synapse and Azure Data Factory.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

Google Chrome Update Fixes 13 Security Issues

Google has released an update for the Chrome browser that includes 13 security fixes. The latest version of the stable channel is now Chrome 101.0.4951.64 for Windows, Mac and Linux.

Of the 13 security fixes, 9 address vulnerabilities reported by external researchers. Google classified 8 of them as High and 1 as Medium in severity.

Most of the CVEs are use-after-free and type confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that is incompatible with the one it was originally initialized as. This can have serious consequences in languages that are not memory safe, such as C and C++, enabling a malicious actor to perform out-of-bounds memory access.
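As an added illustration (not code from Google, Chrome or the advisory), the following C program shows why a type-confused access becomes an out-of-bounds read: two object layouts share a type tag, an accessor that skips the tag check reads past the smaller object into its neighbour, and the tag-checked accessor refuses. The arena, the object types and the "SECRET-NEIGHBOUR" contents are constructed for the demo and are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two object layouts that share a leading type tag (constructed example). */
enum { TYPE_NOTE = 1, TYPE_BLOB = 2 };
typedef struct { uint32_t type; uint32_t value; } note_t;   /* 8 bytes  */
typedef struct { uint32_t type; uint8_t data[16]; } blob_t;  /* 20 bytes */

/* Constructed arena: a note followed directly by a blob, as an allocator
 * might place them. All reads use memcpy so the demo itself stays
 * well-defined; the confusion is at the object level. */
static uint8_t arena[sizeof(note_t) + sizeof(blob_t)];

static void build_arena(void) {
    note_t n = { TYPE_NOTE, 0x41414141u };
    blob_t b = { TYPE_BLOB, { 0 } };
    memcpy(b.data, "SECRET-NEIGHBOUR", 16);
    memcpy(arena, &n, sizeof n);
    memcpy(arena + sizeof n, &b, sizeof b);
}

/* Unchecked: interprets whatever sits at 'off' as a blob. If it is really a
 * note, 12 of the 16 bytes copied come from beyond the note's end. */
static void read_blob_unchecked(size_t off, uint8_t out[16]) {
    memcpy(out, arena + off + offsetof(blob_t, data), 16);
}

/* Checked: verifies the tag before treating the object as a blob.
 * Returns 0 on success, -1 on type mismatch (leaving 'out' untouched). */
static int read_blob_checked(size_t off, uint8_t out[16]) {
    uint32_t type;
    memcpy(&type, arena + off + offsetof(blob_t, type), sizeof type);
    if (type != TYPE_BLOB) return -1;
    memcpy(out, arena + off + offsetof(blob_t, data), 16);
    return 0;
}

/* 1 if the confused read of the note pulled in the neighbouring blob's bytes. */
static int confused_read_leaks_neighbour(void) {
    uint8_t out[16];
    build_arena();
    read_blob_unchecked(0, out);
    return memcmp(out + 8, "SECRET-N", 8) == 0;
}

/* 1 if the checked accessor rejects the note and still serves the real blob. */
static int checked_read_is_safe(void) {
    uint8_t out[16];
    build_arena();
    if (read_blob_checked(0, out) != -1) return 0;
    if (read_blob_checked(sizeof(note_t), out) != 0) return 0;
    return memcmp(out, "SECRET-NEIGHBOUR", 16) == 0;
}

int main(void) {
    printf("confused read leaks neighbour: %d\n", confused_read_leaks_neighbour());
    printf("checked read is safe: %d\n", checked_read_is_safe());
    return 0;
}
```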

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

APT34 Targets Middle Eastern Governments with New Saitama Backdoor

On 26 April, a new APT34 campaign was detected. It started with a suspicious email targeting a government official from Jordan’s foreign ministry. The email contained a malicious Excel document that drops a new backdoor named Saitama.

APT34 is an Iranian threat group that has targeted Middle Eastern countries including the United Arab Emirates since 2014.

The malicious email was sent to the victim from a Microsoft Outlook account with the subject “Confirmation Receive Document” and an attached Excel file called “Confirmation Receive Document.xls”. Once the macro is enabled, the final-stage malware is downloaded.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t enable macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
  • Block the IoCs within respective security controls organization-wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

COBALT MIRAGE Launches Ransomware Attacks

A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting multiple organizations.

The intrusions have been attributed to COBALT MIRAGE, an Iranian threat actor that has been operating since June 2020 and is known to target entities in the government, energy and technology sectors that are located in, or do business in, Middle East countries.

Initial access is gained by scanning for internet-facing servers vulnerable to highly publicized flaws in Fortinet appliances and Microsoft Exchange Server, dropping web shells on them, and using those web shells as a conduit to move laterally and deploy the ransomware.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t enable macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
  • Block the IoCs within respective security controls organization-wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Apple Emergency Update Fixes Zero-Day

Apple released security updates to address a zero-day vulnerability that threat actors can exploit in attacks targeting Macs and Apple Watch devices.

The flaw is an out-of-bounds write issue (CVE-2022-22675) in AppleAVD (a kernel extension for audio and video decoding) that allows apps to execute arbitrary code with kernel privileges.

The bug was reported by anonymous researchers, and the list of impacted devices includes Apple Watch Series 3 or later and Macs running macOS Big Sur. Apple fixed it in macOS Big Sur 11.6.6 and watchOS 8.6 with improved bounds checking.

While Apple disclosed reports of active exploitation in the wild, it did not release any further details about these attacks.

Apple also fixed multiple vulnerabilities in other releases, including iOS 15.5 and iPadOS 15.5.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

VMware Patches Critical Authentication Bypass

On 18 May, VMware warned customers to immediately patch a critical authentication bypass vulnerability in multiple products that can be exploited to obtain admin privileges.

The flaw (tracked as CVE-2022-22972, with a CVSSv3 base score of 9.8) impacts Workspace ONE Access, VMware Identity Manager (vIDM) and vRealize Automation.

A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

VMware also fixed a local privilege escalation vulnerability (CVE-2022-22973) that allows a malicious actor with local access to escalate privileges to ‘root’.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

Oracle Addresses E-Business Suite Vulnerability – CVE-2022-21500

Oracle released a security alert to address a vulnerability, CVE-2022-21500, which affects some deployments of Oracle E-Business Suite versions 12.1 and 12.2.

This vulnerability is remotely exploitable without authentication, i.e., it can be exploited over a network without a username or password. If successfully exploited, it may result in the exposure of personally identifiable information (PII).

Oracle SaaS cloud environments are not affected by this vulnerability.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
