Top Middle East Cyber Threats – 28 March 2023


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:


Zoom Releases Advisory to Fix Multiple Vulnerabilities

Zoom has released an advisory to address multiple vulnerabilities across its product line. The update includes fixes for six CVEs, two of which are rated ‘High’ and four ‘Medium’ severity.

Exploitation of these vulnerabilities could allow attackers to trigger denial of service, remote code execution, and sensitive information disclosure on the targeted systems.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.


Microsoft Releases Security Fixes to Address Outlook and Snipping Tool Vulnerabilities

Microsoft has released a security fix to address an elevation of privilege vulnerability (CVE-2023-23397) in Microsoft Outlook.

This vulnerability can be triggered by a specially crafted email and can lead to the theft of credential hashes. Attackers can exploit it before the email is even viewed in the Preview Pane, which may allow them to steal credentials by forcing the target’s device to authenticate to an attacker-controlled server.

Microsoft has provided a PowerShell script to search for messages that attempt to exploit the vulnerability.

Microsoft has also issued an emergency security update for the Windows 10 and Windows 11 Snipping Tool to address the Acropalypse privacy vulnerability. The update versions are 10.2008.3001.0 for Windows 11 and 11.2302.20.0 for Windows 10.

The vulnerability, identified as CVE-2023-28303, occurs when image editors fail to remove cropped image data while overwriting the original file. This flaw may lead to the exposure of sensitive information.

Despite the potential risk, this vulnerability has been rated “Low” severity because exploitation requires uncommon user interaction and depends on several factors beyond the attacker’s control.
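The failure mode described above leaves a concrete trace in the file: a PNG that is overwritten in place without being truncated keeps the original file’s bytes after its IEND chunk, which is where a compliant decoder stops reading. The following Python script is an added example written for this advisory, not Microsoft’s code or the researchers’ tooling. It builds two constructed PNGs (a larger “original” and a smaller “cropped” one), models the non-truncating overwrite, and reports how many bytes survive past IEND. Chunk layout and CRC handling follow the PNG specification; the sample images and the overwrite model are constructed here for illustration.

```python
import struct
import zlib
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png(width: int, height: int) -> bytes:
    """Build a constructed 8-bit greyscale PNG with a simple gradient (sample input, not a real screenshot)."""
    # IHDR: width, height, bit depth 8, colour type 0 (greyscale), compression 0, filter 0, interlace 0
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(
        b"\x00" + bytes(((x * 7 + y * 13) & 0xFF) for x in range(width))  # filter byte 0, then pixels
        for y in range(height)
    )
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def trailing_bytes_after_iend(data: bytes) -> Tuple[int, int]:
    """Walk the chunk list and return (offset just past IEND, number of bytes after it).

    Viewers stop at IEND, so anything after it is invisible on screen but still in the file.
    Raises ValueError for a non-PNG, truncated or CRC-damaged file.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):  # 12 bytes is the smallest possible chunk
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        (stored_crc,) = struct.unpack(">I", data[end - 4:end])
        if stored_crc != zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        if ctype == b"IEND":
            return end, len(data) - end
        pos = end
    raise ValueError("no IEND chunk found")


def simulate_nontruncating_overwrite(original: bytes, cropped: bytes) -> bytes:
    """Model the failure mode: the smaller cropped image is written over the original file
    without truncating it, so the tail of the original survives past the new IEND."""
    if len(cropped) >= len(original):
        return cropped
    return cropped + original[len(cropped):]


def check_png(data: bytes) -> str:
    """Human-readable verdict for one file."""
    end, trailing = trailing_bytes_after_iend(data)
    if trailing == 0:
        return f"clean: IEND ends at offset {end}, no trailing data"
    return f"suspicious: {trailing} bytes after IEND at offset {end}"


if __name__ == "__main__":
    original = build_png(64, 64)
    cropped = build_png(1, 1)
    print(check_png(cropped))
    print(check_png(simulate_nontruncating_overwrite(original, cropped)))
```

Running `check_png` over an exported screenshot is a quick way to confirm whether a file produced before the update carries leftover data; any non-zero trailing count means the bytes that were cropped away are still present and should be treated as potentially sensitive.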

RECOMMENDATIONS

  • Ensure all systems are patched and updated. Block TCP 445/SMB outbound from your network to untrusted IPs using a perimeter firewall, a local firewall, and your VPN settings. This prevents NTLM authentication messages from being sent to remote file shares.
  • Run the PowerShell script provided by Microsoft to detect malicious emails on the Exchange server.
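The recommendation to block outbound TCP 445 is easiest to verify against firewall logs. The following Python script is an added example, not part of the advisory and not Microsoft’s detection script. It parses constructed key=value firewall log lines (the format is assumed; adjust LINE_RE for a real firewall export) and flags allowed SMB connections from internal hosts to addresses outside RFC 1918 space and outside an allow-list of trusted networks, which is exactly the traffic the recommendation is meant to stop.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample firewall log lines for illustration only (not from the advisory).
# The key=value layout is an assumed export format; adapt LINE_RE to your own firewall.
SAMPLE_LOGS = [
    "2023-03-20T09:12:01Z action=allow proto=tcp src=10.1.4.22 dst=10.1.7.5 dport=445",
    "2023-03-20T09:12:07Z action=allow proto=tcp src=10.1.4.22 dst=203.0.113.45 dport=445",
    "2023-03-20T09:12:09Z action=allow proto=tcp src=10.1.4.31 dst=198.51.100.9 dport=443",
    "2023-03-20T09:13:40Z action=deny proto=tcp src=10.1.4.22 dst=203.0.113.45 dport=445",
    "2023-03-20T09:14:02Z action=allow proto=tcp src=10.1.4.22 dst=192.168.50.2 dport=445",
    "2023-03-20T09:15:11Z action=allow proto=tcp src=10.1.4.40 dst=192.0.2.10 dport=445",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# The advisory recommends blocking TCP 445 (SMB) outbound; kept as a set so a deployment
# that also wants to cover the NetBIOS session service (TCP 139) can extend it.
SMB_PORTS = {445}

# RFC 1918 ranges plus loopback and link-local, checked explicitly rather than via
# ipaddress.is_private, which also treats the RFC 5737 documentation ranges as private.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_untrusted_destination(ip_text: str, trusted_networks: Iterable[str] = ()) -> bool:
    """True if the destination is neither internal (RFC 1918 etc.) nor on the allow-list."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in INTERNAL_NETWORKS):
        return False
    return not any(ip in ipaddress.ip_network(net, strict=False) for net in trusted_networks)


def find_outbound_smb(lines: Iterable[str], trusted_networks: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return allowed TCP connections to an SMB port whose destination is untrusted.

    Denied connections are skipped: they show the block is working, not that it failed.
    """
    trusted = list(trusted_networks)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "allow" or rec["proto"] != "tcp":
            continue
        if int(rec["dport"]) not in SMB_PORTS:
            continue
        if is_untrusted_destination(rec["dst"], trusted):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOGS, trusted_networks=["192.0.2.0/24"]):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} allowed outbound SMB")
```

Any hit returned here is a host that was able to send NTLM authentication to an external address, so the rule on the relevant perimeter, host or VPN firewall should be reviewed, and the source host checked with the Microsoft script above.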


Cyberespionage Campaign Linked to Winter Vivern Group

Researchers have revealed details of a cyberespionage campaign against government entities and telecommunications companies, attributed to the Winter Vivern threat group.

Winter Vivern uses phishing websites, credential phishing, and malicious documents to deploy custom loaders that enable remote access to sensitive data for exfiltration.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don’t allow Macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviour and shared IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.


Google Releases Security Update to Address Vulnerabilities in Chrome

Google has recently released a security update to address multiple vulnerabilities in its Chrome browser. The latest version 111.0.5563.110 is now available for Mac/Linux, while the Windows version is 111.0.5563.110/.111.

The update includes fixes for eight security issues, seven of which were reported by external researchers. All seven addressed CVEs are rated ‘High’ severity.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.


Emotet Returns with New Tactics to Bypass Security Measures

Emotet campaigns were detected on March 7, 2023, after a long hiatus. Emotet has returned to spamming operations and is now using heavily padded Microsoft Word documents to evade detection; the padding consists of large quantities of randomly generated bytes.

Emotet’s operators have also been observed distributing malicious OneNote documents as a new tactic to bypass the security mechanisms recently deployed by Microsoft. Those mechanisms have driven various threat actors away from Office document-based malspam campaigns.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don’t allow Macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviour and shared IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.


Threat Actors Exploit New IcedID Malware Variants

IcedID is malware that was originally classified as banking malware and was first detected in 2017. It also serves as a loader for other types of malware, including ransomware.

Recently, researchers have analyzed three different variants of IcedID, including the standard variant and two new variants known as “Forked” and “Lite” IcedID.

The standard variant of IcedID is the most observed in the threat landscape and is used by various threat actors. The Lite IcedID variant was recently detected as a follow-on payload in November Emotet infections. This variant does not exfiltrate host data during the loader check-in and delivers a bot with minimal functionality.

Another new variant, Forked IcedID, was also discovered by Proofpoint researchers in February 2023. This variant is used by only a small number of threat actors and delivers a bot with minimal functionality.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don’t allow Macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviour and shared IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.
