Threat advisories

Top Middle East Cyber Threats – 25 April 2022

Apr-2022 7 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

FIN7 Evolves with New Malwares

New versions of various malwares have been identified in recent campaigns by FIN7.

FIN7 continued to leverage PowerShell throughout their intrusions, including it in a new backdoor called POWERPLANT. Additionally, new versions of the BIRDWATCH downloader are being developed, which are tracked as CROWVIEW and FOWLGAZE.

FIN7’s initial access techniques have diversified to include software supply chain compromise and the use of stolen credentials, in addition to their traditional phishing techniques.

Recently, cybersecurity researchers tied FIN7 to ransomware operators including REvil, Darkmatter, and Alphv which suggests that FIN7 actors have been associated with various ransomware operations over time.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
Block the IoCs within respective security controls organization wide.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

VMware Fixes Multiple Vulnerabilities in Different Products

VMware released a security update to address multiple vulnerabilities in the below products:

VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
VMware vRealize Automation (vRA)
VMware Cloud Foundation
vRealize Suite Lifecycle Manager

The most critical one is a Server-side Template Injection RCE in VMware Workspace ONE Access and Identity Manager tracked as CVE-2022-22954 with CVSS 9.8. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

VMware also fixed another vulnerabilities as described in the below list:

Server-side Template Injection Remote Code Execution Vulnerability (CVE-2022-22954)
OAuth2 ACS Authentication Bypass Vulnerabilities (CVE-2022-22955, CVE-2022-22956)
JDBC Injection Remote Code Execution Vulnerabilities (CVE-2022-22957, CVE-2022-22958)
Cross Site Request Forgery Vulnerability (CVE-2022-22959)
Local Privilege Escalation Vulnerability (CVE-2022-22960)
Information Disclosure Vulnerability (CVE-2022-22961)

RECOMMENDATIONS

Ensure all systems are patched and updated.

Microsoft Releases Patches for April 2022

Microsoft released 128 new patches addressing multiple vulnerabilities out of which 10 are Critical, 115 are Important and 3 are rated as Moderate risk level. One of the bugs patched is listed as under active exploit this month, and another is listed as publicly known at the time of release. Both of these vulnerabilities are classified as privilege escalation type.

The first one is CVE-2022-24521 with 7.8 CVSS score, which is a bug in the Windows Common Log File System Driver and listed as under active attack.

The second zero-day tracked as CVE-2022-26904 with CVSS score of 7 is a privilege escalation vulnerabilities that was found in the Windows User Profile Service.

Additionally, Microsoft addressed multiple critical RCE bugs that could be wormable, the first critical CVE is CVE-2022-26809 that exists in the Remote Procedure Call (RPC) Runtime Library, and rated 9.8 out of 10 on the CVSS scale, with exploitation noted as more likely. If exploited, a remote attacker could execute code with high privileges.

CVE-2022-24491 and CVE-2022-24497 are also RCE bugs that affect the Windows Network File System (NFS). Both haveCVSS scores of 9.8, and both are likely to be exploited and could allow potential worming exploits.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Google Chrome Update Fixes Zero-Day Vulnerability CVE-2022-1364

Google published a security update to address a high severity vulnerability in Chrome browser that is being actively exploited in the wild.

Tracked as CVE-2022-1364, the zero-day flaw relates to a type confusion vulnerability in the V8 JavaScript engine.

Type confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that’s incompatible to what was originally initialized, could have serious consequences in languages that are not memory safe like C and C++, enabling a malicious actor to perform out-of-bounds memory access.

Google is aware that an exploit for CVE-2022-1364 exists in the wild. The latest update released to address this vulnerability is 100.0.4896.127.

RECOMMENDATIONS

Ensure all systems are patched and updated.

New Lenovo UEFI Firmware Vulnerabilities Affect Millions of Laptops

Three high-impact privilege escalation Unified Extensible Firmware Interface (UEFI) security vulnerabilities have been discovered impacting various Lenovo consumer laptop models, enabling malicious actors to deploy and execute firmware implants on the affected devices.

Two are related to UEFI firmware drivers used in the manufacturing process and can be used to disable SPI flash protections or the UEFI Secure Boot feature. This can allow threat actors to escalate privileges and install persistent malware that can survive system reboots.

CVE-2021-3970, on the other hand, relates to a case of memory corruption in the System Management Mode (SMM) of the firm, leading to the execution of malicious code with the highest privileges.

On 19 April 2022, Lenovo released an advisory to address these three new vulnerabilities:

RECOMMENDATIONS

Ensure all systems are patched and updated.

Oracle Releases Critical Patch Update Advisory for April 2022

Oracle has released its Critical Patch Update for April 2022 to address 520 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

There are over 100 Log4j vulnerabilities, some of which concern Log4Shell. Log4j versions 1.x and 2.x vulnerabilities that are addressed in this update are CVE-2019-17571, CVE-2020-9488, CVE-2021-4104, CVE-2021-44832, CVE-2022-23302, and CVE-2022-23305.

RECOMMENDATIONS

Ensure all systems are patched and updated.

BlackCat/ALPHV Ransomware Hits Entities Worldwide

BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide in March 2022 and is the first ransomware group to do so successfully using RUST. The ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts.

The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.

BlackCat/ALPHV steals victim data prior to the execution of the ransomware, including from cloud providers where company or client data was stored.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
Block the IoCs within respective security controls organization wide.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

Jira Fixes a Critical Authentication Bypass Vulnerability CVE-2022-0540

Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability (CVE-2022-0540) in Seraph, the company’s web application security framework.

Seraph is used in Jira and Confluence for handling all login and logout requests via a system of pluggable core elements.

The flaw is tracked as CVE-2022-0540 and comes with a severity rating of 9.9. It allows a remote attacker to bypass authentication by sending a specially crafted HTTP request to vulnerable endpoints.

Although the vulnerability is in the core of Jira, it affects first and third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at an action level.

The affected products are Jira Core Server, Software Data Center, Software Server, the Service Management Server, and the Management Data Center. More specifically, the following versions are impacted:

Jira Core Server, Software Server, and Software Data Center before 8.13.18, the 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x.
Jira Service Management Server and Management Data Center before 4.13.18, the 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, 4.21.x.

The vulnerability does not impact the cloud versions for Jira and Jira Service Management.

RECOMMENDATIONS