Top Middle East Cyber Threats – 23 November 2022 - Help AG: Next-Gen Cybersecurity Services in the Middle East

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats. 

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead: 

Critical Vulnerabilities in VMware Workspace – ONE Assist

VMware has published a security update to address three critical vulnerabilities that enable remote attackers to bypass authentication and elevate privileges to admin. Workspace ONE Assist 22.10 has been released to patch these issues. The flaws are tracked as CVE-2022-31685 (authentication bypass), CVE-2022-31686 (broken authentication method), and CVE-2022-31687 (broken authentication control) and all have received 9.8/10 CVSSv3 base scores.

An attacker able to reach a Workspace ONE Assist deployment, either over the internet or on the network, can exploit any of these three bugs to obtain administrative access without the need to authenticate.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Microsoft Fixes Multiple Vulnerabilities

Microsoft has fixed 64 vulnerabilities in the November 2022 update. 11 of the issues are rated Critical and 53 are rated Important in severity. Some of these allow Denial of Service (DoS), Elevation of Privilege (EoP), and Remote Code Execution (RCE). The fixes address CVEs that affect Azure, BitLocker, Dynamics, Exchange Server, Office and Office components, Network Policy Server (NPS), SharePoint Server, SysInternals, Visual Studio, Windows and Windows Components, and the Linux kernel and other open-source software bugs affecting Microsoft products. A few critical-rated vulnerabilities in this patch worth pointing out are privilege elevation flaws in Windows Kerberos (CVE-2022-37967), Kerberos RC4-HMAC (CVE-2022-37966), and Microsoft Exchange Server (CVE-2022-41080), and a denial-of-service flaw affecting Windows Hyper-V (CVE-2022-38015).

Microsoft has also patched the publicly known “ProxyNotShell” and Mark of the Web (MotW) security vulnerabilities, the two of six zero-day bugs under active exploit in the wild.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Citrix Fixes Critical Authentication Bypass Vulnerability

RECOMMENDATIONS

Citrix has released security updates to address a critical authentication bypass vulnerability in Citrix ADC and Citrix Gateway.
Following three critical vulnerabilities were also addressed:

CVE-2022-27510 – The flaw is an authentication bypass using an alternate path or channel, an attacker can trigger it to gain unauthorized access to Gateway user capabilities. The company pointed out that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are impacted.
CVE-2022-27513 – The flaw is an insufficient verification of data authenticity, an attacker can exploit the flaw to achieve a remote desktop takeover via phishing attacks. The vulnerability can be exploited only if the appliance is configured as a VPN (Gateway) and the RDP proxy functionality is configured.
CVE-2022-27516 – The vulnerability is a user login brute force protection functionality bypass. The flaw can be exploited only if the appliance is configured as a VPN (Gateway) or AAA virtual server with “Max Login Attempts” configuration.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Google Chrome Update Fixes Multiple Vulnerabilities

Google has published a security update to address multiple vulnerabilities in Chrome browser that are fixed now in Chrome latest version i.e. 107.0.5304.110 for Mac and Linux and 107.0.5304.106/.107 for Windows, which will roll out over the coming days/weeks.

This update includes 10 security fixes. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution and data manipulation on the targeted system.

RECOMMENDATIONS

Ensure all systems are patched and updated.

BatLoader Executes Downloader Malware Campaign

BatLoader is an initial access malware that heavily uses batch and PowerShell scripts to gain a foothold on a victim machine and deliver other malware. The threat actors utilize search engine optimization (SEO) poisoning to lure users to download the malware from compromised websites. The use of living-off-the-land binaries makes this campaign hard to detect and block especially early-on in the attack chain.

In recent campaigns, BatLoader has been also used to install remote monitoring software such as Servably’s Syncro and Atera RMM that allow malware operators maintain access to the infected systems.

Finally, additional banking trojan, infostealer and Cobalt Strike related payloads in .exe and .dll will be dropped to steal and exfiltrate data.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
Ensure frequent backups are in place.
Block the IoCs within respective security controls throughout the organization.
Educate employees about detecting and reporting phishing/suspicious emails.

Hive Ransomware Target Companies Worldwide

Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments. Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
Ensure frequent backups are in place.
Block the IoCs within respective security controls throughout the organization.
Educate employees about detecting and reporting phishing/suspicious emails.

DDoS Attacks Target UAE

Help AG Cyber Threat Intelligence Team is aware about the massive DDoS campaigns by an Iranian group, targeting UAE and the attackers were already able to get some websites down. Help AG suspects that threat actors will continue targeting other UAE based organizations.

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.

RECOMMENDATIONS

Make sure your organization has sufficient bandwidth, and ensure redundancy by spreading traffic using load balancers.
Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols.
Deploy a DDoS protection solution to protect your servers from both network and application layer DDoS attacks.

References: