
Top Middle East Cyber Threats – 24 May 2021


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Ongoing Campaign using Avaddon Ransomware

On May 11, the Australian Cyber Security Centre (ACSC) published an advisory warning of an ongoing ransomware campaign that uses the Avaddon ransomware.

This campaign is targeting organizations in multiple countries including the United Arab Emirates.

The attack begins with phishing and spam emails that deliver malicious JavaScript files, which in turn lead to the later stages of the attack chain.

RECOMMENDATIONS

  • Patch operating systems and applications, and keep antivirus signatures up to date.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Scan emails and attachments to detect and block malware, and implement training and processes to identify phishing and externally-sourced emails.
  • Enable software restriction policies and application whitelisting.
  • Monitor your network for abnormal behaviors and block IoCs.
  • Ensure frequent backups are in place to prevent potential data loss.

Microsoft Security Updates – May 2021

On May 11, Microsoft released its May 2021 Patch Tuesday update, which addresses multiple vulnerabilities, including three zero-days.

With this update, Microsoft has fixed 55 vulnerabilities in Microsoft Windows, .NET Core and Visual Studio, Internet Explorer (IE), Microsoft Office, SharePoint Server, Open-Source Software, Hyper-V, Skype for Business and Microsoft Lync, and Exchange Server, with four classified as Critical, 50 as Important, and one as Moderate.

The three zero-day vulnerabilities patched on May 11 were publicly disclosed but not known to be used in attacks.

  • CVE-2021-31204 – .NET and Visual Studio Elevation of Privilege Vulnerability
  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
  • CVE-2021-31200 – Common Utilities Remote Code Execution Vulnerability

RECOMMENDATIONS

Pulse Connect Secure Out-of-Cycle Advisory

Recently, Pulse Secure issued an out-of-cycle advisory on a buffer overflow vulnerability tracked as CVE-2021-22908, with a CVSS score of 8.5. The Pulse Connect Secure gateway has a buffer overflow vulnerability in Windows File Resource Profiles in version 9.X which, if exploited, allows a remote authenticated user with SMB share browsing privileges to run arbitrary code as the root user. This permission is disabled by default in version 9.1R3.

At the moment, Pulse Secure has posted a workaround to address this vulnerability. According to the initial advisory from Pulse Secure, the workaround does not work for versions 9.0R1 – 9.0R4.1 or 9.1R1 – 9.1R2.

RECOMMENDATIONS

  • Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Review the official notification and upgrade the Pulse Connect Secure server software to version 9.1R11.5, which fixes this vulnerability.
  • Review KB43892 and determine which releases will have security fixes applied by Pulse Secure.
  • CVE-2021-22908 can currently be mitigated by importing the Workaround-2105.xml file from the Download Centre. If your current version of PCS is 9.0R1 – 9.0R4.1 or 9.1R1 – 9.1R2, we strongly recommend upgrading rather than relying on the workaround.
  • Ensure that the systems are correctly configured and that the security features are enabled.
  • Disable ports and protocols that are not used for business purposes (e.g., Remote Desktop Protocol [RDP] – Transmission Control Protocol [TCP] Port 3389).
  • Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
  • Use MFA (Multi-Factor Authentication) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
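As an added example (not code from Help AG or Pulse Secure), the following Python helper classifies a Pulse Connect Secure version string against the ranges quoted in this advisory, so an inventory of appliances can be triaged into "fixed", "upgrade required" and "workaround possible". The inclusive treatment of the range ends, the assumption that releases after 9.1R11.5 keep the fix, and the hostname/version inventory format are assumptions, not statements from the advisory.

```python
import re
from typing import Dict, Tuple

# Values quoted in the advisory above; everything else in this block is an assumption.
FIXED_RELEASE = "9.1R11.5"
# Ranges for which Pulse Secure says the Workaround-2105.xml mitigation does not work.
# Assumption: ranges are inclusive, and a bound without a patch number covers all patch levels.
NO_WORKAROUND_RANGES = (("9.0R1", "9.0R4.1"), ("9.1R1", "9.1R2"))
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_pcs_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '9.1R11.5' into (9, 1, 11, 5); a missing patch number becomes 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)

def _in_range(v: Tuple[int, int, int, int], low: str, high: str) -> bool:
    lo, hi = parse_pcs_version(low), parse_pcs_version(high)
    if "." not in high.split("R", 1)[1]:  # '9.1R2' covers 9.1R2, 9.1R2.1, ...
        return lo <= v and v[:3] <= hi[:3]
    return lo <= v <= hi

def triage_pcs_version(version: str) -> str:
    """Classify one appliance version for CVE-2021-22908:
    fixed: at or above 9.1R11.5 (assumed to carry the fix forward);
    upgrade-required: in a range the workaround does not cover;
    workaround-or-upgrade: other 9.x below the fix, import the workaround until upgraded;
    out-of-scope: not a 9.x release, which the advisory does not describe."""
    v = parse_pcs_version(version)
    if v[0] != 9:
        return "out-of-scope"
    if v >= parse_pcs_version(FIXED_RELEASE):
        return "fixed"
    if any(_in_range(v, low, high) for low, high in NO_WORKAROUND_RANGES):
        return "upgrade-required"
    return "workaround-or-upgrade"

def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map {hostname: version} to {hostname: verdict}."""
    return {host: triage_pcs_version(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"vpn-gw-1": "9.0R4.1", "vpn-gw-2": "9.1R3", "vpn-gw-3": "9.1R11.5"}
    for host, verdict in triage_inventory(sample).items():
        print(f"{host}: {verdict}")
```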
