Top Middle East Cyber Threats – 25 October 2021

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Google Chrome Security Updates

Google Chrome users are being urged to update for another critical patch after Google's Threat Analysis Group (TAG) recently reported four high-severity vulnerabilities in the Chrome browser that attackers could exploit.

According to some reports, CVE-2021-37978 is a heap buffer overflow in Blink, whereas CVE-2021-3977 lies in garbage collection. CVE-2021-37979 is also a heap buffer overflow, this time in WebRTC. Meanwhile, CVE-2021-37980 results from an incorrect implementation in Chrome’s sandbox.

According to Google's TAG, attackers “created malformed code signatures” that are “valid by Windows” but cannot be detected by the OpenSSL code used in security scanners. TAG revealed that this new technique is used in the OpenSUpdater software line. Because it displays advertisements in victims’ browsers before installing unwanted programs on their computers, OpenSUpdater is classified as riskware.

RECOMMENDATIONS

Iran-Linked Cybercriminals Endeavoring to Breach Office 365 Customer Accounts

The Microsoft Threat Intelligence Center (MSTIC) highlighted recent developments concerning DEV-0343, an Iran-linked hacking group it has been monitoring since July 2021, which has targeted over 250 Office 365 users. The attacks were carried out using password spraying, a technique in which the attacker tries the same password repeatedly while rotating through usernames, rather than many passwords against a single account.

According to Microsoft’s notification, the password spraying attacks were typically carried out from Tor IP addresses, using a user agent string that imitated the Firefox browser.

RECOMMENDATIONS

  • Ensure that every corporate remote access service available on the Internet, including cloud applications such as Office 365/Outlook, external virtual private networks (VPNs), and single sign-on (SSO) pages, requires users to provide a one-time password in addition to their regular password.
  • Make efforts to increase visibility through endpoint detection, response, and logging. Endpoint monitoring tools are critical for detecting suspicious activity in an environment after other controls have been circumvented.
  • Ensure that systems are correctly configured and security features are enabled.
  • Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
  • Review the official notification as well as the observed behaviors, recommended defenses, and advanced hunting queries sections to look for similar patterns in logs and network activity to identify areas for further investigation.
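To illustrate the pattern described above (many distinct accounts tried from one source, failures arriving from Tor with a Firefox user agent), here is an added Python detector run over constructed sign-in events; it is not from Microsoft's advisory, and the event layout, the thresholds and the Tor exit-node list are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): (timestamp, user, source IP, user agent, result).
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0"
SAMPLE_SIGNINS = [
    ("2021-10-20T09:00:01Z", "alice@example.com", "198.51.100.7", FIREFOX_UA, "failure"),
    ("2021-10-20T09:00:09Z", "bob@example.com", "198.51.100.7", FIREFOX_UA, "failure"),
    ("2021-10-20T09:00:17Z", "carol@example.com", "198.51.100.7", FIREFOX_UA, "failure"),
    ("2021-10-20T09:00:25Z", "dave@example.com", "198.51.100.7", FIREFOX_UA, "failure"),
    ("2021-10-20T09:00:33Z", "erin@example.com", "198.51.100.7", FIREFOX_UA, "failure"),
    ("2021-10-20T09:00:41Z", "frank@example.com", "198.51.100.7", FIREFOX_UA, "success"),
    # one user mistyping a password from the office is not a spray
    ("2021-10-20T09:05:00Z", "alice@example.com", "203.0.113.10", "Outlook/16.0", "failure"),
    ("2021-10-20T09:05:30Z", "alice@example.com", "203.0.113.10", "Outlook/16.0", "failure"),
    ("2021-10-20T09:06:00Z", "alice@example.com", "203.0.113.10", "Outlook/16.0", "success"),
]
# Constructed placeholder; in production load the current Tor exit-node list from a threat feed.
TOR_EXIT_NODES = frozenset({"198.51.100.7"})

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(events, window_minutes=60, min_users=5, tor_exits=TOR_EXIT_NODES):
    """Flag source IPs whose failed sign-ins cover >= min_users distinct accounts inside one window."""
    failures, successes = defaultdict(list), defaultdict(set)
    for ts, user, ip, ua, result in events:
        if result == "failure":
            failures[ip].append((_ts(ts), user, ua))
        else:
            successes[ip].add(user)
    window, findings = timedelta(minutes=window_minutes), {}
    for ip, attempts in failures.items():
        attempts.sort(key=lambda a: a[0])
        in_window, best, start = Counter(), 0, 0
        for t, user, _ua in attempts:          # sliding window over time-sorted failures
            in_window[user] += 1
            while attempts[start][0] < t - window:   # drop failures older than the window
                old = attempts[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))       # most distinct accounts seen in any window
        if best >= min_users:
            findings[ip] = {"users": best, "tor": ip in tor_exits,
                            "firefox_ua": any("Firefox/" in ua for _t, _u, ua in attempts),
                            "successes": sorted(successes[ip])}  # later successes need immediate review
    return findings
```

Accounts listed under "successes" for a flagged source are the ones whose passwords the spray most likely guessed and should be reset first.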

Microsoft’s October 2021 Patch

Microsoft released its October 2021 Patch Tuesday update, which fixes four zero-day vulnerabilities and a total of 74 flaws: three classified as Critical, 70 as Important, and one as Low.

The zero-day bugs are tracked as:

  • CVE-2021-40449 – Win32k Elevation of Privilege Vulnerability
  • CVE-2021-40469 – Windows DNS Server Remote Code Execution Vulnerability
  • CVE-2021-41335 – Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2021-41338 – Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

RECOMMENDATIONS

Lyceum APT

Kaspersky recently shared a new update on the Lyceum group, revealing more details about the tools and TTPs it used in its recent attack targeting multiple Tunisian organizations.

The threat actor is known to focus on high-profile targets in the Middle East and Africa by attacking telecommunications companies as well as critical systems in Middle Eastern oil and gas organizations.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow Macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and indicators of compromise.
  • Block the indicators of compromise within respective security controls organization wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Oracle’s October Critical Patch Update Advisory

Oracle released its critical patch update for October 2021 containing 419 new security patches across multiple product families.

RECOMMENDATIONS

PurpleFox Botnet

Researchers from Trend Micro have documented a recent evolution of the PurpleFox botnet. The experts discovered a new .NET backdoor, dubbed FoxSocket, that is highly associated with the PurpleFox operation. Its operators have added new exploits and payloads.

The new variant, which leverages WebSockets to implement more secure C2 bidirectional communication, was employed in attacks aimed at users in the Middle East. The analysis of the C2 infrastructure revealed that the most notable activity is in the US, Turkey, Iraq, Saudi Arabia and UAE.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow Macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and indicators of compromise.
  • Block the indicators of compromise within respective security controls organization wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Embedded Malware in NPM Package – ua-parser-js

A massively popular JavaScript library (npm package) was hacked on October 23rd and modified with malicious code that downloaded and installed a cryptocurrency miner on systems where the compromised versions were installed. It impacted UAParser.js, a JavaScript library for reading information stored inside user-agent strings.

The npm package ua-parser-js had three versions published with malicious code. Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity.

RECOMMENDATIONS

  • Install the latest versions.
  • All secrets and keys stored on a computer that has this package installed or running should be rotated immediately from a different computer.
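To check whether one of the affected builds is present in a project, here is an added Python script (not from the advisory or the npm project) that scans a package-lock.json for the three versions listed above, including copies nested under other dependencies where a top-level `npm ls` may not show them; the sample lockfile and the `ua-wrapper-demo` package name are constructed.

```python
import json

# Versions of ua-parser-js named in the advisory as carrying the malicious code.
AFFECTED = {"ua-parser-js": {"0.7.29", "0.8.0", "1.0.0"}}

# Constructed sample package-lock.json (lockfileVersion 2): the compromised version is installed
# only as a nested dependency of a hypothetical "ua-wrapper-demo" package, not at the top level.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"ua-wrapper-demo": "1.3.4"}},
    "node_modules/ua-wrapper-demo": {"version": "1.3.4", "dependencies": {"ua-parser-js": "^0.7.28"}},
    "node_modules/ua-wrapper-demo/node_modules/ua-parser-js": {"version": "0.7.29"},
    "node_modules/ua-parser-js": {"version": "0.7.28"}
  },
  "dependencies": {
    "ua-wrapper-demo": {"version": "1.3.4", "requires": {"ua-parser-js": "^0.7.28"},
                        "dependencies": {"ua-parser-js": {"version": "0.7.29"}}},
    "ua-parser-js": {"version": "0.7.28"}
  }
}""")

def _walk_v1(deps, chain, out):
    """Recurse through the nested 'dependencies' tree used by lockfileVersion 1."""
    for name, info in deps.items():
        out.append((chain + [name], info.get("version")))
        _walk_v1(info.get("dependencies", {}), chain + [name], out)

def installed_versions(lock):
    """Yield (install path, package name, version) for every package recorded in the lockfile."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, info in lock["packages"].items():
            if path and "version" in info:
                yield path, path.split("node_modules/")[-1], info["version"]
    else:                   # lockfileVersion 1: nested tree
        found = []
        _walk_v1(lock.get("dependencies", {}), [], found)
        for chain, version in found:
            yield "node_modules/" + "/node_modules/".join(chain), chain[-1], version

def find_compromised(lock, affected=AFFECTED):
    """Return [(path, name, version)] for installed packages at an advisory-listed version."""
    return [(p, n, v) for p, n, v in installed_versions(lock) if v in affected.get(n, ())]

if __name__ == "__main__":
    with open("package-lock.json") as fh:   # run from the project directory being checked
        for hit in find_compromised(json.load(fh)):
            print("COMPROMISED:", *hit)
```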
