
Top Middle East Cyber Threats – 26 Oct 2020


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Microsoft Security Updates – October 2020

Microsoft patched 87 security flaws across multiple products as part of its October 2020 updates on 13 October 2020. The official notification from Microsoft noted 11 critical, 75 important and 1 moderate severity vulnerabilities.

The most severe vulnerability in the set is CVE-2020-16898, a Windows TCP/IP Remote Code Execution Vulnerability dubbed “Bad Neighbor”. According to our analysis, the patch corrects an issue in the way the TCP/IP stack handles ICMPv6 Router Advertisements that use Option Type 25 with an even length field. According to a blog post from McAfee, Microsoft Active Protections Program (MAPP) members were provided with a test script that successfully demonstrates exploitation of this vulnerability to trigger a denial of service (DoS). Although the test scenario does not provide the ability to pivot to remote code execution (RCE), an attacker may craft a wormable exploit to achieve RCE.
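The condition described above can be checked on captured traffic. The following Python is an added example (not code from Microsoft, McAfee or Help AG): it walks the options of an ICMPv6 Router Advertisement and flags any RDNSS option (Type 25) whose length is even or otherwise invalid under RFC 8106. The function names and the zero-filled sample packets are constructed for this illustration.

```python
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_RDNSS = 25          # Recursive DNS Server option (RFC 8106)
RA_HEADER_LEN = 16      # fixed RA fields that precede the options


def suspicious_rdnss_options(icmpv6):
    """Return a list of findings for one ICMPv6 message (bytes)."""
    findings = []
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ND_ROUTER_ADVERT:
        return findings  # not a Router Advertisement
    offset = RA_HEADER_LEN
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:  # RFC 4861: a zero-length option is invalid
            findings.append(f"option at {offset}: zero length")
            break
        size = opt_len * 8  # option length is counted in 8-octet units
        if offset + size > len(icmpv6):
            findings.append(f"option at {offset}: runs past end of packet")
            break
        if opt_type == OPT_RDNSS:
            # Valid RDNSS = 8-byte header + n 16-byte addresses: length 3, 5, 7...
            if opt_len < 3:
                findings.append(f"RDNSS at {offset}: length {opt_len} below 3")
            elif opt_len % 2 == 0:
                findings.append(f"RDNSS at {offset}: even length {opt_len}")
        offset += size
    return findings


def build_ra(options):
    """Constructed sample: RA header (checksum left zero) plus raw options."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    return header + options


def rdnss(opt_len):
    """Constructed RDNSS option of opt_len * 8 bytes, addresses zero-filled."""
    return struct.pack("!BBHI", OPT_RDNSS, opt_len, 0, 600) + bytes(opt_len * 8 - 8)


if __name__ == "__main__":
    for length in (3, 4):
        print(length, suspicious_rdnss_options(build_ra(rdnss(length))))
```

The same length test can be expressed as an IDS rule on ICMPv6 type 134 traffic; the parser form makes the 8-octet length arithmetic explicit.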

Unlike “Bad Neighbor”, the impact of CVE-2020-16899 is limited to denial of service in the form of a BSoD (Blue Screen of Death). Microsoft recommends applying the security update to fix this defect; if the fix cannot be applied immediately, a workaround is available that disables ICMPv6 RDNSS (Recursive DNS Server) through a PowerShell command.

The Microsoft Outlook Remote Code Execution Vulnerability (CVE-2020-16947) is also of critical importance among the vulnerabilities patched this month. It could allow code execution on affected Outlook versions merely by viewing a specially crafted e-mail. It is already known that malware authors closely follow Microsoft's monthly security updates, identify vulnerabilities that have a significant impact, and try to weaponize them for future attacks. The Preview Pane is an attack vector here, so even opening the email is not required for a system to be affected.

In Microsoft SharePoint, CVE-2020-16951 and CVE-2020-16952 are RCE vulnerabilities arising from a failure to verify the source markup of an application package. To exploit the vulnerability, an attacker needs to be able to upload a specially crafted SharePoint application package to a compromised SharePoint server. Successful exploitation may allow an intruder to execute arbitrary code under the SharePoint application pool and the SharePoint server farm account. Fully functional proof-of-concept (PoC) exploit code for CVE-2020-16952 was recently released in a public advisory.

In Microsoft Excel, CVE-2020-16929, CVE-2020-16930, CVE-2020-16931 and CVE-2020-16932 are RCE vulnerabilities arising from the way Excel improperly handles objects in memory. To exploit these vulnerabilities, an attacker must create a malicious Excel file and persuade the target to open it using a vulnerable version of Microsoft Excel, either by attaching the file to an email or by hosting it on a website and compelling a user to visit that website.

The complete list of critical vulnerabilities for comparison is highlighted below:

| CVE | Vulnerability Details | Severity |
|---|---|---|
| CVE-2020-17003 | Base3D Remote Code Execution Vulnerability | Critical |
| CVE-2020-16911 | GDI+ Remote Code Execution Vulnerability | Critical |
| CVE-2020-16915 | Media Foundation Memory Corruption Vulnerability | Critical |
| CVE-2020-16923 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical |
| CVE-2020-16947 | Microsoft Outlook Remote Code Execution Vulnerability | Critical |
| CVE-2020-16951 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| CVE-2020-16952 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| CVE-2020-16967 | Windows Camera Codec Pack Remote Code Execution Vulnerability | Critical |
| CVE-2020-16968 | Windows Camera Codec Pack Remote Code Execution Vulnerability | Critical |
| CVE-2020-16891 | Windows Hyper-V Remote Code Execution Vulnerability | Critical |
| CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability | Critical |

Among the remaining publicly reported bugs, the October 2020 update includes two EoP (elevation of privilege) bugs in the Windows Setup and Windows Storage VSP Driver components. The pool of Important-rated bugs also includes a spoofing vulnerability in Windows that could allow an attacker to load improperly signed files.

Help AG realizes that security teams are still recovering from efforts to mitigate the CVE-2020-1472 (Zerologon) disclosure, and thankfully Microsoft’s October 2020 bulletin brings a substantially lower load of vulnerabilities compared to the prior seven months, with no vulnerabilities currently known to be exploited in the wild. On 13 October 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory highlighting the importance of applying the October 2020 patches as early as possible.

Recommendations

 

Microsoft Out-of-Band Updates

Microsoft has released out-of-band patches for two “important” severity vulnerabilities, which if exploited could allow for remote code execution.

  • CVE-2020-17022 – Microsoft Windows Codecs Library Remote Code Execution Vulnerability

An important severity remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.

  • CVE-2020-17023 – Visual Studio JSON Remote Code Execution Vulnerability

Another remote code execution vulnerability of important severity exists in Visual Studio Code when a user is tricked into opening a malicious ‘package.json’ file. An attacker who successfully exploited the vulnerability could run arbitrary code in the current user’s context. If the current user is logged in with administrative user rights, an attacker may take control of the affected system. An adversary could then install programs; view, alter, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker will need to persuade a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious ‘package.json’ file. The update addresses this vulnerability by changing the way Visual Studio Code handles JSON files.

The Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory notifying its customers of the importance of applying the October 2020 out-of-band updates.

Recommendations

  • Install vendor patches as soon as they are available.
  • Avoid handling files from unknown or questionable sources.
  • Minimize risk by immediately verifying the vulnerabilities in severity order.
  • Run all software with the least privileges required while still maintaining functionality.
  • Never visit sites of unknown or questionable integrity.
  • Run security tests on a frequent basis to ensure no known vulnerabilities are present on your systems.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Seedworm Continues to Target Middle East

Seedworm (aka MuddyWater), an Iran-linked espionage group, has been highly active in recent months, targeting a wide variety of large Middle East government organizations. Seedworm has used a newly discovered tool called PowGoop (Downloader.Covic) against several organizations, indicating that the tool has recently been incorporated into its portfolio.

The new wave of attacks shares significant pointers with previous Seedworm operations, such as a registry key named “SecurityHealthCore”. The code residing in this registry key is executed by PowerShell from a scheduled task. Although a public advisory from Symantec offers multiple pieces of evidence to build ties, researchers expressed only medium confidence in the relationship between Seedworm and PowGoop. In all the organizations where this registry key was found, a known Seedworm backdoor (Backdoor.Mori) was subsequently identified. The main targets of the operation were in Iraq, Turkey, Kuwait, the United Arab Emirates, and Georgia and, in addition to some government departments, included telecommunications and information services organizations.
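A hunting check for the persistence pattern described above, added here as an example (not Symantec's or Help AG's tooling): it parses exported Task Scheduler XML and flags PowerShell actions whose arguments, including any Base64 -EncodedCommand payload, mention the “SecurityHealthCore” name. It assumes the task's command line references that name; the helper names and the sample task content are constructed.

```python
import base64
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MARKER = "securityhealthcore"  # registry key name from the advisory, lower-cased
POWERSHELL = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}


def expand_encoded(arguments):
    """Return the arguments plus any -EncodedCommand payload, decoded."""
    text = arguments
    for flag, blob in re.findall(r"-(e[a-z]*)\s+(\S+)", arguments, re.I):
        # PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...)
        if flag.lower() == "ec" or "encodedcommand".startswith(flag.lower()):
            try:
                text += " " + base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # not base64 or not UTF-16LE: nothing to add
                pass
    return text


def flag_task(task_xml):
    """Return the PowerShell Exec commands in a task that reference MARKER."""
    hits = []
    for action in ET.fromstring(task_xml).findall(".//t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", "", TASK_NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", "", TASK_NS)
        if ntpath.basename(command).lower() not in POWERSHELL:
            continue
        if MARKER in expand_encoded(arguments).lower():
            hits.append(command)
    return hits


def sample_task(command, arguments):
    """Constructed Task Scheduler XML export holding one Exec action."""
    return (f'<Task xmlns="{TASK_NS["t"]}"><Actions><Exec>'
            f"<Command>{command}</Command>"
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")


def encoded(text):
    """Constructed helper: encode text the way -EncodedCommand expects."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")
```

Task definitions exported as XML from each host can be passed to flag_task one at a time; a hit is a lead to confirm against the registry and the indicators in the Symantec advisory.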

At one such victim, a Backdoor.Mori sample was dropped and installed on a SQL server as early as December 2019. Seedworm activity continued at least until July 2020, with the attackers installing additional hacking tools.

Recommendations

  • Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plugins, and document readers. Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
  • Use MFA (multi-factor authentication) for all services to the extent possible, especially webmail, virtual private networks, and accounts that access critical systems.
  • Ensure that secure configuration of vulnerable products is in accordance with the best implementation practices.
  • Apply the Principle of Least Privilege wherever applicable to all systems and services.
  • Establish comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
  • Follow a multi-layered security approach. Provide multiple detection and defense points for inbound and outbound threats, to minimize the possibility of exploitation.
  • Update VPNs, network infrastructure systems and devices that are used to remotely access work environments with the latest software fixes and security configurations.
  • Block indicators of compromise within respective security controls organization wide.
