Threat advisories

Top Middle East Cyber Threats – 24 June 2020

Jun-2020 6 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Active abuse with malicious Chrome extensions
A newly discovered spyware campaign targeted users with 32 million downloads of extensions to Google’s Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s inability to secure browsers as they are used more for email, payroll and other sensitive functions. Google said it removed over 70 malicious add-ons from its official Chrome Web Store after the researchers alerted last month. Many free extensions allegedly warned users about suspicious websites or converted files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.
It is unknown who was behind the malware distribution campaign. Awake said the developers provided fake contact information when the extensions were submitted to Google. The extensions were designed so as to evade detection by antivirus companies or security software’s assessing the reputation of web domains.
Researchers pointed out that if someone used a compromised browser to navigate the web on a home computer, these malicious extensions would connect to a series of websites and transmit information. Anyone who uses a corporate network that would include security services would not transmit sensitive information or even reach the websites malicious versions.
Web browsers operate vital and popular applications like Microsoft 365, Twitter, Salesforce, Workday, Facebook, LinkedIn and Zoom. Passively targeting these applications with malicious browser extensions is analogous to the new rootkit attack where adversary practically has unrestricted access to our online business and personal lives.
Recommendations

Administrators should limit add-on installation privileges to the organization’s dedicated admin groups.
Host periodic security awareness programs for the entire organization.
Avoid installing/clicking or opening unknown plugins/add-ons or files.
Administrators should regularly patch or upgrade the systems and security solutions.

Cyber Espionage Against Aerospace and Defense Companies
Experts from Cybersecurity firm ESET have uncovered targeted malware attacks against aerospace and military companies in Europe and the Middle East, emphasizing how effective spear phishing can be when targeting an individual. Dubbed Operation In(ter)ception, the campaign involves a stealthy and sophisticated malware. The attackers this time took advantage of the LinkedIn platform to prey on the victims. In short, the campaign targeted the victims with Inception.dll malware that had stealthy properties. The attackers used this malware for cyberespionage by alluring the personnel with job offers.
Investigation highlights that the attack was primarily intended to materialize as an espionage. In(ter)ception attackers created fake LinkedIn accounts as HR representatives for renowned aerospace and defense industry companies as part of their initial compromise phase. However, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation in one particular case. Several techniques, such as code signing, regular malware recompilation and impersonating legitimate software and companies, were used to avoid detection.
Given the similarities in the way the operation was conducted, Lazarus Group is one of the prime suspects in this espionage. Part of the assertion was attributed to the Stage-1 variant, which held a Win32 / NukeSped. FX sample. This sample was part of a malicious tool set attributed by researchers to the Lazarus group.
Recommendations

Don’t open suspicious attachments/emails or click on unknown links. The easiest approach to check a link is by hovering over it with your mouse.
Make sure to check the file extensions of the files you downloaded. Document files don’t use .EXE file format.
Please block the relevant indicators of compromise within your respective security controls, organization wide.

Office 365 Phishing Campaigns using Adobe, Samsung and Oxford Servers
A seemingly unsophisticated phishing campaign caught attention of the researchers for Office 365 recently. The attackers abused an Adobe Campaign redirection mechanism, using a Samsung domain to redirect victims to an O365 themed phishing website. The hackers benefit from the fact that security softwares would not block access to a reputable domain, such as Samsung’s. The attackers also compromised a number of websites to expand their campaign by injecting a script to imitate the same Adobe Redirection Service mechanism. Further investigation has shown that the actors behind the campaign have carried out many other interesting tricks to conceal the phishing kit and avoid detection at each stage of the attack.
In the sense of exploiting a vulnerability, neither Adobe nor Samsung were compromised. Phishing campaigns delivering “missed voice message” emails to its victims are quite known in the Middle East region. Users were encouraged to click a button that would allegedly bring them to their Office 365 account. These emails use some very basic customization, such as a subject line with the target domain name and the username included in the body of the email. Vigilant users would have noticed some inaccuracies despite the “Trusted Server Message” notification at the top.
In this campaign the attackers successfully managed to redirect users to a phishing page masquerading as the Office 365 login page. This redirection is composed of two stages behind the scenes: the first stage abused an existing redirection scheme on the legitimate domain (e.g. samsung[.]ca), and the second stage redirected the user to a compromised WordPress site. Analysis of the email headers revealed that the attackers found a way to compromise one of the SMTP servers in Oxford to pass the reputation check.
Recommendations

Don’t open suspicious emails/attachments or click on unknown links. The easiest approach to check a link is by hovering over it with your mouse.
Make sure to check the file extensions of the files you downloaded.
Please block the specific indicators of compromise within your respective security controls.

Multiple Vulnerabilities in Treck IP Stack
A recent report highlights 19 vulnerabilities discovered by security researchers in the TCP/IP software library developed by Treck, Inc. Referred to as “Ripple20”, 4 out of the 19 vulnerabilities are rated as critical. These security issues affect Treck TCP/IP stack implementations for embedded systems. Successful exploitation of these vulnerabilities could allow a remote code execution by an attacker and taking control of an affected system. Yet another report highlights a considerable number of vulnerabilities in the Treck IP software due to memory management bugs.
ICS-CERT Advisory ICSA-20-168-01 confirms that such vulnerabilities are likely to affect industrial and medical control systems. The effect of these vulnerabilities can differ because of the combination of build and runtime options used when developing different embedded systems. This diversity of implementations and lack of visibility in the supply chain had also exasperated the issue of accurately assessing the impact of these vulnerabilities. Severe flaws (with CVSSv3 score 10) such as CVE-2020-11896 and CVE-2020-11897 affect IPv4 and Ipv6 tunneling devices, where remote code execution vulnerabilities can be exploited by sending malformed packets. To summarize, an unauthenticated remote attacker may use specially crafted network packets to cause denial of service, disclose information or execute arbitrary code.
Recommendations

Users and administrators should review the latest Vulnerability Response Information released by Treck Inc.
Users should apply the latest version of the affected products (Treck TCP/IP 6.0.1.67 or later versions).
Users and administrators should minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the internet.
Network administrators should locate control system networks and remote devices behind firewalls and isolate them from the business network.
Network administrators should enforce TCP inspection and reject malformed TCP packets.
Network administrators should ensure the exercise of efficient use of OSI layer 2 equipment (Ethernet).

References