Top Middle East Cyber Threats – 26 October 2022

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.  

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:  

Google Chrome Update Fixes Multiple Vulnerabilities 

Google has published a security update to address multiple vulnerabilities in Chrome as part of Stable Channel update Chrome 106.0.5249.112 (Platform version: 15054.98.0). The update includes 10 security fixes. In terms of the severity, three are rated ‘high’, six are ‘medium’, and one is ‘low’. Some of these vulnerabilities could lead to arbitrary code execution or let a remote attacker gain access to sensitive information. 

RECOMMENDATIONS

• Ensure all systems are patched and updated. 

Microsoft Fixes Critical Vulnerabilities Including Zero-Day 

Microsoft recently published a security update to address multiple vulnerabilities as part of its Patch Tuesday updates. 

The update includes 85 security fixes of which 15 are rated ‘Critical’, 69 are rated ‘Important’, and one is rated ‘Moderate’ in severity. These vulnerabilities include elevation of privileges, security feature bypass, remote code execution, information disclosure, denial of service and spoofing. This is in addition to the 11 CVEs patched in Microsoft Edge (Chromium-based) and one patch for side-channel speculation in Arm processors. That brings the total number of CVEs to 96. This also includes two zero-day vulnerabilities, CVE-2022-41043 (Microsoft Office Information Disclosure Vulnerability) which has been reported by Microsoft as currently being exploited in the wild and CVE-2022-41033 (Windows COM+ Event System Service Elevation of Privilege Vulnerability) which has not been reported by Microsoft as currently being exploited in the wild. 

RECOMMENDATIONS

• Ensure all systems are patched and updated. 

Critical “Sandbreak” Vulnerability Found In vm2 Sandbox Module 

A critical vulnerability has been found in the popular sandbox library vm2 that may allow a remote attacker to escape the sandbox and execute arbitrary code on the host. 

The flaw, CVE-2022-36067, is a critical-severity defect in vm2 assessed with a CVSS score of 10. The root cause of the vulnerability is that when vm2 maintainers implement a Node.js feature, it allows them to customize the call stack of errors in the software testing framework. The vulnerability has been rapidly patched in version 3.9.11. vm2 is the most popular Javascript sandbox library, with over 17 million monthly downloads. Hence, the potential impact of the vulnerability is widespread and critical. 

RECOMMENDATIONS

• Ensure all systems are patched and updated. 

New Android Malware ‘RatMilad’ Targets the Middle East 

A newly discovered form of Android spyware dubbed “RatMilad” is being used to target enterprise devices in the Middle East to spy on victims and steal data.  The original variant of the spyware was found hidden behind a virtual private networking and phone number spoofing app called Text Me. A live sample of the malware family was found later, hiding behind and distributed through NumRent, a renamed and graphically updated version of Text Me. The main distribution channel for the fake app is Telegram. The RatMilad threat actors have also created a dedicated website to promote the mobile remote access trojan (RAT) to make the app appear more convincing.  

The malware attempts to steal data such as basic device information (model, brand, build ID, Android version), device MAC address, contact list, SMS, call logs, account names and permissions, installed applications list and permissions, clipboard data, GPS location data, SIM information (number, country, IMEI, state), file list, file contents etc. 

RECOMMENDATIONS

• Ensure all systems are patched and updated. 
• Avoid clicking or opening untrusted or unknown links, files or attachments. 
• Don’t enable macros for unknown MS Office files. 
• Enable software restriction policies and application whitelisting. 
• Ensure that the email server is configured to block any suspicious attached files. 
• Enforce the Restricted PowerShell script execution policy for end users. 
• Monitor your network for abnormal behaviors and indicators of compromise (IoCs). 
• Ensure frequent backups are in place.  
• Block the IoCs within respective security controls throughout the organization. 
• Educate employees about detecting and reporting phishing/suspicious emails. 

Multiple Microsoft SQL Servers Backdoored With New Malware Maggie 

A new piece of malware named Maggie targeting Microsoft SQL servers has been observed. The backdoor has already infected hundreds of machines worldwide. 

The malware comes in the form of an Extended Stored Procedure (“sqlmaggieAntiVirus_64.dll”) that is digitally signed by DEEPSoft Co. Ltd. These are stored procedures that call functions from DLL files. Upon loading into a server, it is controlled through SQL queries that instruct it to run commands and interact with files. Its capabilities include brute-forcing administrator logins to other Microsoft SQL servers. The malware supports over 51 commands to gather system information and run programs, it is also able to support network-related functionalities like enabling TermService, running a Socks5 proxy server or setting up port forwarding to make Maggie act as a bridge head into the server’s network environment. 

RECOMMENDATIONS

• Ensure all systems are patched and updated. 
• Avoid clicking or opening untrusted or unknown links, files or attachments. 
• Don’t enable macros for unknown MS Office files. 
• Enable software restriction policies and application whitelisting. 
• Ensure that the email server is configured to block any suspicious attached files. 
• Enforce the Restricted PowerShell script execution policy for end users. 
• Monitor your network for abnormal behaviors and indicators of compromise (IoCs). 
• Ensure frequent backups are in place.  
• Block the IoCs within respective security controls organization wide. 
• Educate employees about detecting and reporting phishing / suspicious emails. 

Fortinet Patches Critical Auth Bypass Vulnerability 

Fortinet has advised administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability. The security vulnerability tracked as CVE-2022-40684 is an authentication bypass on the administrative interface that could allow remote threat actors to log into target unpatched devices.  

The following products are vulnerable to attacks attempting to exploit the flaw: 

• FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1 

• FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0 

The issue can be exploited remotely as it may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. 

RECOMMENDATIONS

• Ensure all systems are patched and updated. 
• Those who can’t immediately deploy security updates, should block remote attackers from bypassing authentication and logging into vulnerable FortiGate and FortiProxy deployments, by limiting the IP addresses that can reach the administrative interface using a local-in-policy. 

Undetectable PowerShell Backdoor Masquerades as a Windows Update 

A fully undetectable PowerShell backdoor has been discovered. It is a a covert self-developed tool that disguises itself as part of a Windows update. The attack chain involves a weaponized Microsoft Word document named ‘Apply Form.docm’, that contains a macro code deploying a malicious PowerShell script. The metadata indicates that the file is a part of a phishing campaign, designed to imitate a LinkedIn-based job offer.  

The PowerShell script (Script1.ps1) is designed to connect to a remote command-and-control (C2) server, that launches a command on a compromised machine through a second PowerShell script (temp.ps1). Some of the commands issued include exfiltrating the list of running processes, enumerating files in specific folders, launching whoami, and deleting files in public user folders. 

RECOMMENDATIONS

• Ensure all systems are patched and updated.  
• Avoid clicking or opening untrusted or unknown links, files or attachments.  
• Don’t enable macros for unknown MS Office files.  
• Enable software restriction policies and application whitelisting.  
• Ensure that the email server is configured to block any suspicious attached files.  
• Enforce the Restricted PowerShell script execution policy for end users.  
• Monitor your network for abnormal behaviors and indicators of compromise (IoCs).  
• Ensure frequent backups are in place.   
• Block the IoCs within respective security controls organization wide.  
• Educate employees about detecting and reporting phishing / suspicious emails. 

Oracle Patch Update Fixes Multiple Vulnerabilities 

Oracle published a security update to address multiple vulnerabilities as part of its Critical Patch Update for October 2022. The update includes 370 fixes across multiple products, including 179 CVEs across 27 Oracle product families.  In terms of the severity, 56 are rated ‘critical’, 144 are ‘high’, 163 are ‘medium’, and 7 are ‘low’. Several of these vulnerabilities can be exploited remotely without authentication, wherein an attacker can perform unauthorized operations or unauthorized deletion or falsification of sensitive information. 

RECOMMENDATIONS

• Ensure all systems are patched and updated. 

Mozilla Patch Updates Fixes Multiple Vulnerabilities in Firefox and Firefox ESR  

Mozilla has released updates for multiple vulnerabilities discovered in Mozilla Firefox and Firefox ESR, the most severe of which could allow for arbitrary code execution. These include CVE-2022-40962, a memory safety bug which allows the bypassing of Feature Policy restrictions on transient pages, CVE-2022-40959, and CVE-2022-40960 which is a data-race issue when parsing non-UTF-8 URLs in threads. Depending on the privileges associated with the user, an attacker could install programs, then view, change, or delete data, or create new accounts with full user rights. Mozilla Firefox versions prior to 106 and Firefox ESR versions prior to 102.4 were affected. 

RECOMMENDATIONS

• Ensure all systems are patched and updated. 

Apple Fixes Exploited Zero-Day Vulnerability 

Apple has rolled out an update that addresses a zero-day vulnerability in iOS and iPadOS, CVE-2022-42827 which is an out-of-bounds write issue that can be exploited by an attacker to execute arbitrary code with kernel privileges. Successful exploitation of such out-of-bounds write flaws can result in corruption of data, a crash, or an execution of unauthorized code. The vulnerability is fixed in iOS 16.1 and iPadOS 16 with improved bounds checking. 

RECOMMENDATIONS

• Ensure all systems are patched and updated. 

References: 

• https://blog.zimperium.com/we-smell-a-ratmilad-mobile-spyware/ 
• https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01 
• https://twitter.com/Gi7w0rm/status/1578299492822003712 
• https://support.fortinet.com/Information/Bulletin.aspx 
• https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067 
• https://www.zerodayinitiative.com/blog/2022/10/11/the-october-2022-security-update-review 
• https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-chromeos.html 
• https://www.safebreach.com/resources/blog/safebreach-labs-researchers-uncover-new-fully-undetectable-powershell-backdoor/ 
• https://www.oracle.com/security-alerts/cpuoct2022.html 
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-45/ 
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-44/  
• https://support.apple.com/en-us/HT213489