Top Middle East Cyber Threats – 30 Nov 2020
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
DDoS Campaign Targeting UAE Companies
Research by Help AG has uncovered that threat actors are planning a DDoS attack against organizations in the United Arab Emirates.
After further analysis we found that it could be highly related to the DDoS attack that was carried out by the Anonymous group in September 2020.
Listed targets are companies in Abu Dhabi, Dubai, Sharjah, Ajman, Umm Al Quwain, Ras Al-Khaimah and Fujairah. Adversaries are planning to use open-source DDoS tools in GitHub and Sourceforge in their planned campaign. The most targeted ports will be 80, 443 and 53.
- Ensure having sufficient bandwidth in your organization and ensure redundancy by spreading traffic using load balancers.
- Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols.
- Deploy DDoS protection solutions to protect your servers from both network and application layer DDoS attacks.
Microsoft Patches for November 2020
Microsoft has released fixes for 112 vulnerabilities in Microsoft products. Out of the 112 vulnerabilities fixed on November 11, 17 were classified as Critical, 93 as Important and two as Low.
This month’s patches also include a fix for a Windows zero-day vulnerability that was exploited in the wild.
Tracked as CVE-2020-17087, the zero-day was disclosed on October 30 by the Google Project Zero and TAG security teams. Google said the vulnerability was being exploited together with a Chrome zero-day to target Windows 7 and Windows 10 users.
- Apply patches and keep all your systems up to date. For more details, refer to the following links:
Google Patches Two More Chrome Zero-Days
On November 12, Google has released Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.
These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.
The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google’s attention after tips from anonymous sources. Details about the attacks where the Chrome two zero-days have been used have not been made public until now.
According to the Chrome 86.0.4240.198 change log, the two zero-days are tracked and described as follows:
- CVE-2020-16017 – Described as a “use after free” memory corruption bug in Site Isolation, the Chrome component that isolates each site’s data from one another.
- Ensure all systems are patched and updated. It is advised to update your Chrome browser to version 86.0.4240.198 or later.
- Ensure all other Chromium based Browsers such as (Microsoft Edge and Opera) are up to date.
Cisco issues a patch for ASR 9000 Series DoS Vulnerability
Cisco has released software updates to address a Denial of Service vulnerability (CVE-2020-26070) that affects Cisco ASR 9000 Series Aggregation Services Routers.
A vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
Exploitation of this vulnerability may cause the following message to appear in system logs: “%PKT_INFRA-spp-4-PKT_ALLOC_FAIL : Failed to allocate n packets for sending”. However, buffer resource exhaustion may happen for a reason other than the exploitation of this vulnerability.
- Ensure all systems are patched and updated. For more details, refer to the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cp-dos-ej8VB9QY
Cisco Releases Fixes for Security Manager Vulnerabilities
Cisco has released a security update to fix three vulnerabilities in Cisco Security Manager. Out of these 3 vulnerabilities, one was reported with Critical Impact and two with High Impact.
Cisco assigned 9.1 CVSS to the most severe bug tracked as CVE-2020-27130 (Path Traversal). The vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to sensitive information.
Another high vulnerability tracked as CVE-2020-27131 (Java Deserialization Vulnerabilities) has been released as well. Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities affect Cisco Security Manager releases 4.21 and earlier.
Cisco has released patches to fix CVE-2020-27130 and CVE-2020-27125 in Cisco Security Manager Release 4.22.
However, CVE-2020-27131 (Java Deserialization Vulnerabilities) is still not yet patched and it will be fixed in Cisco Security Manager Release 4.23.
- Ensure all systems are patched and updated and update your Cisco Security manager to the latest version.
Citrix SDWAN Center Vulnerabilities
Multiple vulnerabilities have been discovered in Citrix SD-WAN Center that, if exploited, could allow an unauthenticated attacker with network access to SD-WAN Center to perform arbitrary code execution as root.
These vulnerabilities have the following identifiers:
|CVE-2020-8271||Unauthenticated remote code execution with root privileges||CWE-23: Path Traversal||An attacker must be able to communicate with SD-WAN Center’s Management IP/FQDN|
|CVE-2020-8272||Authentication Bypass resulting in exposure of SD-WAN functionality||CWE-287: Improper Authentication||An attacker must be able to communicate with SD-WAN Center’s Management IP/FQDN|
|CVE-2020-8273||Privilege escalation of an authenticated user to root||CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)||The attacker must be an authenticated user on SD-WAN Center|
The following supported versions of Citrix SD-WAN Center are affected by these issues:
- Citrix SD-WAN 11.2 before 11.2.2
- Citrix SD-WAN 11.1 before 11.1.2b
- Citrix SD-WAN 10.2 before 10.2.8
Help AG is aware of a recent activity by threat actors weaponizing exploits to target Citrix SD-WAN Center devices.
IoC (Indicator of Compromise):
- URL: https:///[a]*/://?/collector/licensing/upload
- Ensure all systems are patched and updated. For more details, refer to the following link: https://support.citrix.com/article/CTX285061
- Monitor your network for the mentioned IoCs.
SAD DNS Flaw – CVE-2020-25705
Researchers from UC Riverside and Tsinghua University announced a new attack against the Domain Name System (DNS) called SAD DNS (Side channel AttackeD DNS) – CVE-2020-25705. This attack leverages recent features of the networking stack in modern operating systems (like Linux) to allow attackers to revive a classic attack category: DNS cache poisoning.
The researchers have shown that the current Linux kernels have a side-channel attack using predictable ICMP port-unreachable replies on non-open UDP ports, like e.g. DNS reply ports, which allows attackers to remotely detect the open ports.
To counter SAD DNS, the researchers recommend disabling outgoing ICMP responses and setting the timeout of DNS queries more aggressively.
The researchers have also worked with the Linux kernel security team for a patch that randomizes the ICMP global rate limit to introduce noises to the side channel.
Help AG is aware that threat actors have weaponized exploits to target CVE-2020-25705.
- Upgrade your Linux Kernel with https://git.kernel.org/linus/b38e7819cae946e2edf869e604af1e65a5d241c5 (included with v5.10), which uses unpredictable rate limits.
- Block the outgoing ICMP “port unreachable” messages.
- Keep your DNS software up to date.
- Configure your IDS/IPS to detect the below:
- Timing pattern of the traffic: the attack sends a burst of packets every 50ms.
- UDP port scanning.
- Wrong TxIDs for incoming DNS responses: the attack needs to brute force TxID but normal DNS responses are unlikely to present the wrong TxID value.
Help AG is aware of a recent activity by MuddyWater, an Iranian APT group, targeting UAE organizations. Adversaries are weaponizing .doc file to drop a vbs file in start-up directory, the vbs file contacting Command and Control server to get commands.
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t allow Macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and IoCs.
- Block incoming and outgoing traffic from the malicious IPs list.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing/suspicious emails.
Multiple vulnerabilities in VMware ESXi, Workstation and Fusion
VMware released a security update to fix two vulnerabilities in VMware ESXi, Workstation and Fusion.
The first vulnerability tracked as CVE-2020-4004 was rated critical being 9.3 on the CVSS scale that allows a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.
The second one is CVE-2020-4005, a VMX elevation-of-privilege vulnerability and rated as important with an 8.8 CVSS score. Getting this one to work requires exploitation of the other bug described above.
Patches are available for the two flaws, with download details available at VMware’s security advisory page.
- Ensure all systems are patched and updated. For more details, refer to the following link: https://www.vmware.com/security/advisories/VMSA-2020-0026.html
Expected Surge in Phishing Attacks during the Holiday Season
During the UAE national day holiday 2020, Help AG anticipates that financially motivated threat actors will target both individuals and organizations. This is due to projected consumer spending and the shift to online shopping due to the pandemic, in particular within the retail and financial services industries. Therefore, it is very likely that malicious activity will increase.
Expected activities include email phishing, phishing pages, SMS phishing, web skimming, account takeover, extortion, business email compromise and luring users to install malware, especially ransomware. Data from previous years and some data from sensors support this expectation. A recent Checkpoint Research report indicates a gradual spike in the phishing emails throughout the retail market.
- Ensure all systems are patched and updated.
- Ensure all endpoints have updated antivirus software.
- Raise awareness about coping with phishing lures for both consumers and employees.
- Maintain offline updated backups.
- Implement the required policies and procedures for all DDoS and data leakage incidents to deal with potential scenarios such as extortion.
Critical Zero-Day Vulnerability in VMware Workspace ONE – CVE-2020-4006
Multiple components of VMware Workspace ONE are affected by the recently disclosed vulnerability tracked by VMware as CVE-2020-4006. To address this zero-day critical-severity vulnerability, VMware published workarounds and scored the maximum CVSSv3 base score of 9.1.
The vulnerability could be abused by attackers to execute commands using elevated privileges on host Linux and Windows operating systems. The zero-day vulnerability is a command injection issue that affects some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector in the administrative configurator.
|VMware Workspace One Access 20.10 ( Linux )|
|VMware Workspace One Access 20.01 ( Linux )|
|VMware Identity Manager 3.3.1 up to 3.3.3 ( Linux )|
|VMware Identity Manager Connector 3.3.2, 3.3.1 ( Linux )|
|VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 ( Windows )|
The Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory notifying its customers of the importance of incorporating the workarounds published by VMware. The workarounds from VMware only works with VMware Workspace ONE Access, VMware Identity Manager, and VMware Identity Manager Connector.
- Review the official notification (VMSA-2020-0027) and deploy necessary workarounds as soon as possible.
- Help AG Threat Intelligence Team