Top Middle East Cyber Threats – 26 Apr 2021

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Cisco Email Security Appliance and Content Security Management Appliance Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Content Security Management Appliance (SMA) dubbed CVE-2021-1425 could allow a remote, authenticated attacker to access sensitive information on an affected device. The vulnerability was first reported on 3 March 2021.

The vulnerability exists because confidential information is being included in HTTP requests that are exchanged between the user and the device. An attacker could exploit this flaw by inspecting the raw HTTP requests sent to the interface. If the exploitation is successful, the attacker will be able to obtain some of the credentials that are configured in the interface.

On 12 April 2021, Cisco issued final software updates to address this vulnerability. According to the Cisco advisory, the manufacturer is not aware of any public announcements or malicious use of the reported vulnerability so far. There are no workarounds for this vulnerability.

RECOMMENDATIONS

• Review the official notification from Google and apply necessary patches as soon as possible.

DearCry Ransomware Targets Unpatched Exchange Servers – Update

On 12 March 2021, Microsoft has warned that “DearCry Ransomware” is being used to infect vulnerable Exchange Servers. These attacks target unpatched Exchange Servers using a new ransomware family. Multiple Microsoft Exchange vulnerabilities are being deliberately exploited in the wild in an effort to steal email and compromise networks. By “unpatched,” we refer to its out-of-band security patches released on March 2^nd that have not been installed on various Exchange Server products. DearCry ransomware first came to the info-sec space spotlight after ransomware expert observed a rapid increase in submissions to his private ransomware recognition website. According to Check Point Software, since the release of Microsoft’s patch, attacks on Exchange Server implementations have “tripled every two hours” across the world.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a notification informing customers about six additional samples identified as DearCry Ransomware that had been submitted for analysis.

RECOMMENDATIONS

• Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
• Update VPNs, network infrastructure systems and devices with the latest software fixes and security configurations that are used to remotely access work environments.
• Ensure that the systems are correctly configured and that the security features are enabled. Disable ports and protocols that are not used for business purposes (e.g., Remote Desktop Protocol [RDP] – Transmission Control Protocol [TCP] Port 3389).
• Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
• Use MFA (Multi-Factor Authentication) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
• Block the indicators of compromise within respective security controls organization wide.

New China Chopper Webshell Sample Reported by CISA

Malicious Chinese actors, including advanced persistent threat (APT) groups, primarily use China Chopper webshell’s to remotely control web servers. This webshell consists of two parts: the client interface (an executable file) and the receiver host file on the compromised web server.

Recently China Chopper activities have been reported by manipulating the ExternalURL parameter in Microsoft Exchange Offline Address Book (OAB) Virtual Directories (VD). The ExternalURL parameter contains a “China Chopper” webshell, which may allow a remote operator to dynamically execute JavaScript code on the compromised Microsoft Exchange Server.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a notification informing customers that one more malicious sample identified as part of the China Chopper campaign had been submitted for analysis.

RECOMMENDATIONS

• Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
• Keep antivirus signatures and engines up to date.
• Limit users’ ability (permissions) to install and run unwanted software applications. Users should not be added to the local administrator’s group unless absolutely necessary.
• Enable a personal firewall on user workstations, configured to deny unsolicited connection requests.
• Block the indicators of compromise within respective security controls organization wide.

Microsoft Security Updates – April 2021

On 14 April 2021, Microsoft released updates that addressed some high-fidelity vulnerabilities. Microsoft patched a total of 108 security flaws in Microsoft Windows, Edge (Chromium-based), Azure and Azure DevOps Server, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server, Visual Studio, and Exchange Server as part of its April 2021 updates.

The official notification noted 19 critical, 88 important and 1 moderate severity vulnerabilities. According to Microsoft, one bug is currently being exploited, while four others were publicly known at the time of release as zero-day vulnerabilities.

The Win32k Elevation of Privilege Vulnerability (CVE-2021-28310) is significant in this month’s pool of patched vulnerabilities because it is the only vulnerability listed as actively exploited that is being patched in April. By running a specially crafted program on a target computer, an attacker can escalate privileges. This implies that they will need to either log in to a system or trick a legitimate user into running the code on their behalf.

This month more than half of the patches are related to remote code execution vulnerabilities. Outlook is affected by a bug (CVE-2021-28452) that requires user interaction but could result in code execution. According to the report, some RCE flaws to be conscious of, affect the GDI+ component. Despite being classified as RCE, their attack vector is local, and no user interaction is required. This would imply that the bugs could be triggered by something other than viewing or opening an image, but no further information is available.

There are 19 bugs classified as privilege escalation, including two publicly known vulnerabilities. The first is found in the Azure ms-rest-nodeauth library, while the second is found in the RPC Endpoint Mapper Service. An attacker would need to log on to an affected system and run their own code, including privilege escalation in Hyper-V, to exploit most of these bugs. A combination with a separate code execution is usually required for such a bug to take over affected systems.

A total of nine Denial of Service (DoS) bugs affect SharePoint, the AppX Deployment server, Hyper-V, and other Windows components where an attacker could cause a DoS by sending specially crafted packets to a vulnerable system.

There are 17 total info disclosure bugs being patched this month, with the majority only resulting in leaks of undisclosed memory contents. CVE-2021-28437, an information disclosure bug in the Windows Installer, was reported as a publicly known bug.

Microsoft released a servicing stack advisory (ADV990001) for multiple versions of Windows that supersedes the most recent servicing stack updates for each operating system.

RECOMMENDATIONS

• Review the April 2021 “Release Notes” and “Deployment Information” for more details and apply the necessary patches as soon as possible.
• If affected by CVE-2021-28480/28481, deploy necessary patches as soon as possible, assuming that they will be exploited at some point.
• Microsoft provided additional information about the security updates. If running Exchange, read the article and take the necessary precautions to protect your environment.
• Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.

Purple Fox Expands Its Arsenal With CVE-2021-26411 Exploits

Purple Fox trojan, which was distributed via the Rig exploit kit (EK), is a multi-component malware family first identified by Qihoo 360 in September 2018. It appears that the developers have recently added new capabilities, such as a rootkit element and an exploit kit (known as Purple Fox EK) to deliver the malware. Proofpoint suggested early last year that Purple Fox EK was created to replace Rig, as a cost-effective measure to avoid having to pay another entity to distribute the malware. Purple Fox was updated to include exploits for two vulnerabilities, CVE-2020-0674 and CVE-2019-1458. The former takes advantage of a flaw in Internet Explorer’s scripting engine to gain code execution, while the latter takes advantage of a flaw in win32k.sys to run code with elevated privileges.

Security researchers from SentinelOne reported a major improvement to Purple Fox infection chain and the implementation of other privilege escalation exploits in October 2020 last year. Purple Fox’s developers added a feature that allows it to retrieve other malware stages from image data in addition to running numerous stages of obfuscated PowerShell code to infect systems. According to the analysis, malicious code is concealed within images using steganography to evade detection by web proxy servers and firewalls.

A new addition to Purple Fox’s exploit arsenal is a memory corruption vulnerability in Internet Explorer tracked as CVE-2021-26411 recently discovered by cybersecurity experts. According to researchers, other Purple Fox EK samples exploiting CVE-2021-26411 in the wild have also been reported this month.

RECOMMENDATIONS

• Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
• Patch CVE-2020-0674, CVE-2019-1458 and CVE-2021-26411 as soon as possible if they are applicable.
• Keep antivirus signatures and engines up to date.
• Enable a personal firewall on user workstations, configured to deny unsolicited connection requests.
• Blocking the indicators of compromise within respective security controls organization wide.

Pulse Connect Secure RCE Vulnerability Under Active Exploitation (CVE-2021-22893)

A vulnerability was discovered under Pulse Connect Secure (PCS) tracked as CVE-2021-22893. An authentication by-pass vulnerability in the Pulse Connect Secure gateway could allow an unauthenticated user to perform remote arbitrary file execution. The official notification from Pulse Secure confirms that software version prior to 9.1R.11 are vulnerable. According to the report, this vulnerability has a critical CVSS score and poses a significant risk to your deployment if not patched.

FireEye Mandiant team has reported that they recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances leveraged by Chinese cyber espionage actors. The actors also obtained credentials from a variety of Pulse Secure VPN login flows, according to the report. As a result, the actor was able to move laterally into the affected environments using legitimate account credentials.

RECOMMENDATIONS

• Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
• Review the official notification and upgrade the Pulse Connect Secure server software version to 9.1R.11.4.
• Ensure that the systems are correctly configured and that the security features are enabled.
• Disable ports and protocols that are not used for business purposes (e.g., Remote Desktop Protocol [RDP] – Transmission Control Protocol [TCP] Port 3389).
• Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
• Use MFA (Multi-Factor Authentication) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
• Blocking the indicators of compromise within respective security controls organization wide.

Google Chrome Security Updates

The Chrome browser for Windows, Mac, and Linux was updated to version 90.0.4430.85 recently. The update includes seven security fixes, one of which addresses a zero-day vulnerability that was exploited in the wild. CVE-2021-21224 was assigned to the zero-day, which was described as a “type confusion in V8”.

The official notification from Chrome detailed the following five vulnerabilities contributed by external researchers:

According to security researchers, the zero-day vulnerability was triggered when performing integer data type conversion, resulting in an out-of-bounds condition that could be exploited to perform arbitrary memory read/write primitives. The latest fixes follow an update from Google last week that included patches for two security vulnerabilities, CVE-2021-21206 and CVE-2021-21220.

RECOMMENDATIONS

• Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
• Review the official notification and upgrade Chrome to the latest version.

Reference:

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-info-disclo-VOu2GHbZ
• https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102b
• https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102a
• https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html
• https://www.zerodayinitiative.com/blog/2021/4/13/the-april-2021-security-update-review
• https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/
• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY
• https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
• https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html