Top Middle East Cyber Threats – 27 December 2022 - Help AG: Next-Gen Cybersecurity Services in the Middle East

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats. 

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead: 

BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign

A new cyber-espionage campaign targeting a telecommunications firm in the Middle East has been uncovered and attributed to a Chinese threat actor BackdoorDiplomacy. APT group BackdoorDiplomacy, which has been operating at least since 2017, is known for its attacks against institutions in the Middle East and Africa, as well as in the United States.

The infection vector pointed to a vulnerable Exchange server, exploiting ProxyShell. Forensic evidence shows the attack started in August 2021, when the group deployed the NPS proxy tool and IRAFAU backdoor into the organization.

Since February 2022, the threat actors used another tool – Quarian backdoor, along with several other scanners and proxy/tunneling tools. Artifacts reveal the use of keyloggers and exfiltration tools that link this campaign to a cyber-espionage operation.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Do not enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
Ensure frequent backups are in place.
Block the IoCs within respective security controls throughout the organization.
Educate employees about detecting and reporting phishing/suspicious emails.

Sophos Fixes Critical Security Vulnerability

Sophos has released a security update to address seven vulnerabilities affecting the Sophos Firewall. The critical vulnerability CVE-2022-3236 and three other high severity vulnerabilities are related to remote code execution. The medium and low severity vulnerabilities are related to privilege escalation and SQL injection. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

RECOMMENDATIONS

Ensure all systems are patched and updated.

APT Actor Agrius Targets Diamond Industries with Data Wiper Attacks

An Iranian advanced persistent threat (APT) actor known as Agrius has been attributed behind a set of data wiper attacks aimed at diamond industries in Israel and the United Arab Emirates since 2020. The group initially deployed a wiper, Apostle, disguised as ransomware, but later modified Apostle into a fully fledged ransomware. Agrius exploits known vulnerabilities in internet-facing applications to install webshells, then conducts internal reconnaissance before moving laterally and deploying its malicious payloads.

In a recent campaign, Agrius deployed credential harvesting tools as well as a new wiper ( Fantasy ) used to target several entities. Fantasy is executed by means of another tool called Sandals, a 32-bit Windows executable written in C#/.NET. It’s said to be deployed on the compromised host through a supply-chain attack using the developer’s software update mechanism.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Do not enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
Ensure frequent backups are in place.
Block the IoCs within respective security controls throughout the organization.
Educate employees about detecting and reporting phishing/suspicious emails.

Cyber Espionage Group MuddyWater Targets UAE Organizations in New Threat Campaign

MuddyWater, also known as Static Kitten and Mercury, is a cyber espionage group that’s most likely a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS). Since 2017 MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.

A new MuddayWater campaign has been identified targeting multiple countries including the United Arab Emirates. In this campaign, the threat actor sends a phishing email as an initial access vector and utilizes “Syncro” remote administration tool to control targeted hosts.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
Ensure frequent backups are in place.
Block the IoCs within respective security controls throughout the organization.
Educate employees about detecting and reporting phishing/suspicious emails.

Fortinet Addresses Heap Buffer Overflow in FortiOS SSL-VPN

A heap-based buffer overflow vulnerability in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediate validation of your systems against the following indicators of compromise:

Multiple log entries with:
Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“

Presence of the following artifacts in the filesystem:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Affected Products:

FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14

RECOMMENDATIONS

Ensure all systems are patched and updated.
Block and scan your network for IoCs.

Microsoft Patches 54 Vulnerabilities in December 2022 Security Update

Microsoft has fixed 52 vulnerabilities in the December 2022 update in addition to two CVEs fixed earlier this month, which brings the December release total to 54 fixes overall.

Of the 52 new patches released, six are rated Critical, 43 are rated Important, and three are rated Moderate in severity.

One of the new CVEs released this month is listed as publicly known and one is listed as wild at the time of release.The number of bugs in each vulnerability category is listed below:

19 Elevation of Privilege Vulnerabilities
2 Security Feature Bypass Vulnerabilities
23 Remote Code Execution Vulnerabilities
3 Information Disclosure Vulnerabilities
3 Denial of Service Vulnerabilities
2 Spoofing Vulnerability

Two zero-day vulnerabilities CVE-2022-41040 and CVE-2022-41082, dubbed as ProxyNotShell, are being actively exploited.

Chaining the two vulnerabilities allows an attacker with valid credentials to execute PowerShell commands in the Exchange environment. 

Reported post exploitation activities include other accounts hijacking attempts, reconnaissance of users, groups, and domains, remote process injection, reverse shell deployment, obtaining persistence and deploying ransomware. 

RECOMMENDATIONS

Ensure all systems are patched and updated.
If not used, disable exchange PowerShell module or monitor web access to it.
Monitor for unusual execution activities by exchange worker w3wp.exe.
Make sure exchange servers have updated endpoint security.

Google Chrome Update Fixes Multiple Vulnerabilities

Google published a security update to address multiple vulnerabilities in Chrome browser that are fixed now in Chrome’s latest version 108.0.5359.124 for Mac and Linux and 108.0.5359.124/.125 for Windows.

The update includes 8 security fixes and 5 of them were contributed by external researchers.
Out of the 5 vulnerabilities fixed in this advisory, 4 are classified as High risk level and one as Medium risk level.

Google also published a security update to address multiple Use After Free vulnerabilities in Chrome browser that are fixed now in Chrome latest version 108.0.5359.124 for Mac and Linux and 108.0.5359.124/.125 for Windows.

All of the CVEs related to Use after free vulnerabilities in different Chrome components. Use After Free (UAF) refers to a memory corruption bug that occurs when an application tries to use memory that is no longer assigned to it (or freed) – after that memory has been assigned to another application. This can cause crashes and data to be inadvertently overwritten, or in a cyber-attack scenario can lead to arbitrary code execution or allow an attacker to gain remote code execution capabilities.

RECOMMENDATIONS

Ensure all systems are patched and updated.

VMware Fixes a Heap Out-of-Bounds Write Vulnerability in Multiple Products

VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Impacted Products: