Top Middle East Cyber Threats – 30 August 2021
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
The Help AG CTI team is aware of a recent AvosLocker ransomware attack targeting a UAE-based healthcare centre. Data and payment details were stolen and will be leaked to the darknet.
AvosLocker ransomware encrypts all of the user’s data on the PC (photos, documents, Excel spreadsheets, music, videos, etc.), appends its own extension to every file, and drops a GET_YOUR_FILES_BACK.txt ransom note in every folder that contains encrypted files.
- Ensure all systems and security controls are patched and up to date.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Do not allow macros in MS Office files from unknown sources.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Ensure frequent offline backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
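As an added detection example (not from the Help AG report), the following Python walks a file share looking for the two artefacts described above: the GET_YOUR_FILES_BACK.txt note and one unfamiliar extension stacked on top of ordinary ones in nearly every file. The sample tree, the ".SAMPLE-EXT" suffix and the 0.8 threshold are constructed assumptions, since the report does not name the real appended extension.

```python
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "GET_YOUR_FILES_BACK.txt"  # note filename from the report above

def scan_for_appended_extension(root, min_ratio=0.8):
    """Walk `root`; return ransom-note folders and the extension appended to most files.

    Encrypted files keep their original name and gain one extra suffix, so a single
    unfamiliar extension stacked on top of ordinary ones (report.docx.<ext>) across
    nearly every file, next to the note, is the artefact pattern described above.
    """
    note_dirs, stacked_exts, total = [], Counter(), 0
    for dirpath, _, filenames in os.walk(root):
        if RANSOM_NOTE in filenames:
            note_dirs.append(os.path.relpath(dirpath, root))
        for name in filenames:
            if name == RANSOM_NOTE:
                continue
            total += 1
            stem, outer = os.path.splitext(name)
            if outer and os.path.splitext(stem)[1]:  # a second extension underneath
                stacked_exts[outer.lower()] += 1
    ext, count = stacked_exts.most_common(1)[0] if stacked_exts else (None, 0)
    hit = bool(note_dirs) and total > 0 and count / total >= min_ratio
    return {"note_dirs": sorted(note_dirs),
            "appended_ext": ext if hit else None,
            "files_scanned": total}

def build_sample_tree():
    """Create a constructed directory layout that mimics the artefacts (no real data)."""
    root = tempfile.mkdtemp(prefix="ransom_scan_demo_")
    for sub in ("finance", os.path.join("finance", "2021"), "hr"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        # ".SAMPLE-EXT" is a constructed placeholder, not the real appended extension
        for f in ("report.docx.SAMPLE-EXT", "budget.xlsx.SAMPLE-EXT", "photo.jpg.SAMPLE-EXT"):
            open(os.path.join(d, f), "w").close()
        with open(os.path.join(d, RANSOM_NOTE), "w") as fh:
            fh.write("constructed placeholder note\n")
    open(os.path.join(root, "hr", "desktop.ini"), "w").close()  # one untouched file
    return root

if __name__ == "__main__":
    print(scan_for_appended_extension(build_sample_tree()))
```

Point the scanner at a mounted share rather than the sample tree to use it for real; a folder count of zero with a dominant stacked extension is still worth a look, since some notes may have been cleaned up.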
Cyber Espionage Campaign – “Siamesekitten”
At the beginning of May 2021, security researchers discovered the first Siamesekitten (also known as Lyceum/Hexane) attack on an Israeli IT company. Siamesekitten is attributed to an Iranian APT group active in the Middle East and Africa that specializes in supply chain attacks. To that end, Siamesekitten built a large infrastructure that allowed them to impersonate the company and their HR personnel. This infrastructure was built to entice IT experts and infiltrate their computers in order to gain access to the company’s clients.
Recently, a second wave of similar attacks against additional Israeli companies was discovered in July 2021, during which Siamesekitten upgraded their backdoor malware to a new version called “Shark,” which replaced the old version of their malware called “Milan”. The researchers discovered the attack sequence of Siamesekitten’s attacks, which includes identifying the potential victim, the department of the employee who can be impersonated, creating a phishing website that impersonates the targeted organization, creating lure files compatible with the impersonated organization, and setting up a fraudulent profile on social media – like LinkedIn – impersonating the HR department. As a result of this sequence, the “Milan” backdoor malware infects the corresponding computer or server, and a connection is established between the infected machine and the C&C server via DNS and HTTPS.
The DanBot RAT is then downloaded to the infected system, and the group gathers data, conducts espionage, and attempts to spread throughout the network from the infected machine. As with other groups, espionage and intelligence gathering could be the first steps toward more destructive follow-on attacks, such as deploying ransomware or wiper malware.
Although these attacks are currently aimed at Israel, due to the nature and history of this APT group, it is highly possible that Siamesekitten will expand their attacks to other countries, including the UAE.
- Ensure that every corporate remote access service available on the Internet, including cloud applications such as Office 365/Outlook, external virtual private networks (VPNs), and single sign-on (SSO) pages, requires users to provide a one-time password in addition to their regular password.
- Make efforts to increase visibility through endpoint detection, response, and logging. Endpoint monitoring tools are critical for detecting suspicious activity in an environment after other controls have been circumvented.
- Carry out tabletop exercises for preparedness.
- Block the indicators of compromise within respective security controls organization wide.
UAE Massive Data Leakage – Redline Stealer
The Help AG CTI team was able to identify a massive data leak posted for sale by a threat actor. The leak includes information from a number of countries, including the United Arab Emirates. Based on the sample data, we were able to extract the domains associated with the stolen cookies and credentials.
The credentials were most likely extracted directly from victim machines using the RedLine password stealer, which has been for sale on Russian underground forums since at least February 20, 2020, with a variety of pricing options. RedLine stealer uses browser web-injects to collect logins and passwords, cookies, autocomplete fields and credit card information, and also harvests data from FTP clients, IM clients and file-grabbers.
- Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
- Update the VPNs, network infrastructure systems and devices that are used to remotely access work environments with the latest software fixes and security configurations.
- Ensure that systems are correctly configured and that security features are enabled. Disable ports and protocols that are not used for business purposes.
- Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
- Use multi-factor authentication (MFA), to the extent possible, for all services, especially webmail, virtual private networks, and accounts that access critical systems.
- Block the indicators of compromise within respective security controls organization wide.
Details Disclosed for Zoom RCE
On 23 August 2021, researchers disclosed the details of a Zoom exploit that could have allowed malicious actors to achieve remote code execution without user interaction. With the details public, attackers can now craft their own exploits. The exploit was demonstrated at the Pwn2Own hacking competition by Daan Keuper and Thijs Alkemade from Computest. According to an advisory published by Zoom on 13 August, the most severe of the flaws leveraged in the exploit chain used by Keuper and Alkemade, tracked as CVE-2021-34407, was patched in the Zoom Client for Meetings version 5.6.3.
CVE-2021-34407 is a high-severity heap-based buffer overflow that allows remote code execution.
Follow Zoom’s official advisory and ensure the client is updated in a timely manner.
Vulnerability in OpenSSL – SM2 Decryption Buffer Overflow
A buffer overflow vulnerability exists in OpenSSL’s SM2 decryption code, reached through the EVP_PKEY_decrypt() function, that can result in arbitrary code execution or an application crash depending on the context of the program calling OpenSSL’s EVP_PKEY_decrypt().
OpenSSL versions 1.1.1k and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1l.
OpenSSL 1.0.2 is not impacted by this issue.
OpenSSL 3.0 alpha/beta releases are also affected but this issue will be addressed before the final release.
It is not yet clear which programs using OpenSSL make exploitation of this vulnerability practical. However, since a huge number of programs use OpenSSL in contexts where the attack vector can be the network, patching this vulnerability should be prioritized.
Review the August 2021 security advisory and ensure a timely upgrade to OpenSSL 1.1.1l.
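Added example, not from the OpenSSL project or the advisory: a small Python triage helper that classifies an `openssl version` banner against the affected ranges stated above, so the check can be run across a server fleet. The banner strings are constructed samples, and treating the final 3.0.0 release and later as fixed is an assumption drawn from the "will be addressed before the final release" statement.

```python
import re
import subprocess

# Affected ranges as stated in the advisory summary above: 1.1.1 through 1.1.1k affected,
# 1.1.1l fixed, the 1.0.2 series not impacted, 3.0 alpha/beta affected. Treating the
# final 3.0.0 release and later as fixed is an assumption, not a statement from the page.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(alpha|beta)\d*)?")

def parse_openssl_banner(banner):
    """Turn the output of `openssl version` into (major, minor, patch, letter, prerelease)."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4), m.group(5)

def sm2_decrypt_overflow_affected(banner):
    """Return True when the build named by `banner` falls inside the affected range."""
    major, minor, patch, letter, pre = parse_openssl_banner(banner)
    if (major, minor, patch) == (1, 1, 1):
        return letter < "l"       # "" (plain 1.1.1) and a..k sort before l; l and later are fixed
    if (major, minor) == (1, 0):
        return False              # the 1.0.2 series is not impacted
    if (major, minor) == (3, 0):
        return pre is not None    # alpha/beta builds affected; final release assumed fixed
    return False

def check_local_openssl():
    """Classify the `openssl` binary on PATH (assumes one is installed)."""
    proc = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    banner = proc.stdout.strip()
    return banner, sm2_decrypt_overflow_affected(banner)

if __name__ == "__main__":
    # Constructed banners in the format `openssl version` prints
    for b in ("OpenSSL 1.1.1k  25 Mar 2021", "OpenSSL 1.1.1l  24 Aug 2021",
              "OpenSSL 1.0.2u  20 Dec 2019", "OpenSSL 3.0.0-beta2  13 Aug 2021"):
        print(f"{b:34} affected={sm2_decrypt_overflow_affected(b)}")
```

Note that applications statically linked against OpenSSL, or shipping their own copy, are not covered by the system binary's banner and need to be inventoried separately.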