
Top Middle East Cyber Threats – 4 April 2022


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Microsoft addresses vulnerabilities in .NET and PowerShell

Microsoft released an advisory providing information about two vulnerabilities affecting .NET 5.0, .NET Core 3.1 and PowerShell 7.2, 7.1 and 7.0.

The first, tracked as CVE-2022-24512, is a Remote Code Execution vulnerability in PowerShell 7.2, 7.1 and 7.0 caused by a stack buffer overrun in the Double.Parse routine.

The second vulnerability, CVE-2020-8927, affects .NET 5.0 and .NET Core 3.1: a buffer overflow in the Brotli library in versions prior to 1.0.8.

The vulnerability affects PowerShell 7 prior to the following versions:

  PowerShell 7 version   Fixed in
  7.0                    7.0.9
  7.1                    7.1.6
  7.2                    7.2.2

RECOMMENDATIONS

  • Ensure all systems are patched and updated. System administrators are advised to update PowerShell 7 to an unaffected version.
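An added example (not code from the Help AG advisory) that turns the fixed-version table above into a fleet check: it parses the version string reported by each host and decides whether that PowerShell 7 build is below the fixed release for its major.minor line. The fixed versions are the advisory's; the parsing logic, function names and the host inventory are this example's own assumptions.

```python
# Added example: is an installed PowerShell 7 build below the fixed version
# for CVE-2022-24512? Fixed versions come from the advisory's table; the
# parsing helpers and the constructed inventory are assumptions of this example.
import re

FIXED_VERSIONS = {
    (7, 0): (7, 0, 9),
    (7, 1): (7, 1, 6),
    (7, 2): (7, 2, 2),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.]+))?")


def parse_version(text):
    """Extract (major, minor, patch, prerelease) from strings such as
    '7.2.1', 'PowerShell 7.1.5' or '7.3.0-preview.3'. Returns None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def needs_update(version_text):
    """True if this PowerShell 7 build is below the fixed version for its
    major.minor line. Versions are compared numerically, never as strings:
    '7.2.10' is newer than '7.2.2' although it sorts lower lexically."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError(f"no version found in {version_text!r}")
    major, minor, patch, prerelease = parsed
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False  # line not covered by the table (e.g. Windows PowerShell 5.1); check separately
    if (major, minor, patch) < fixed:
        return True
    # A prerelease of the fixed version (e.g. 7.2.2-rc.1) predates the release.
    return (major, minor, patch) == fixed and prerelease is not None


def triage(inventory):
    """inventory: {hostname: version string}. Returns sorted hosts to patch."""
    return sorted(h for h, v in inventory.items() if needs_update(v))


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {"srv-01": "PowerShell 7.2.1", "srv-02": "7.2.10",
              "srv-03": "7.0.8", "srv-04": "7.1.6", "ws-05": "5.1.19041.1320"}
    print(triage(sample))  # ['srv-01', 'srv-03']
```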

EXOTIC LILY works as Initial Access Broker for ransomware gangs

EXOTIC LILY is an initial access broker and a financially motivated group whose activities appear to be closely linked to data exfiltration and deployment of ransomware such as Conti and Diavol.

Researchers found the adversaries were sending more than 5,000 emails a day to 650 targeted organizations globally in different industries such as IT, cybersecurity and healthcare.

The threat actor is known to use malicious .iso files and exploit zero days such as CVE-2021-40444 as an initial access vector.

Recently, the group was found to be delivering ISO files containing a DLL with a custom loader that can be recognized by its use of a unique user-agent, “bumblebee”. The malware uses WMI to collect system details such as OS version, username and domain name, which are exfiltrated in JSON format to a C2. In response, the C2 sends multiple “tasks”, which include executing shellcode and dropping and running executable files.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t enable macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and indicators of compromise (IoCs).
  • Block the IoCs within respective security controls organization wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

APT35 automates initial access using ProxyShell

Researchers recently shared a report on the TTPs of APT35, a threat group sponsored by the Iranian government that conducts long-term, resource-intensive operations to collect strategic intelligence.

The adversary exploits Microsoft Exchange ProxyShell vulnerabilities to gain initial access and follows it with further post-exploitation activities, which include web shells, credential dumping, and specialized payloads.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t enable macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
  • Block the IoCs within respective security controls organization wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Google Chrome update fixes Zero-Day vulnerability

Google published a security update to address a high severity vulnerability in Chrome browser that is being actively exploited in the wild.

Tracked as CVE-2022-1096, the zero-day flaw relates to a type confusion vulnerability in the V8 JavaScript engine.

Type confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that’s incompatible with what was originally initialized, could have serious consequences in languages that are not memory safe like C and C++, enabling a malicious actor to perform out-of-bounds memory access.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

Purple Fox improves malware arsenal

The operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT.

FatalRAT is a C++ based implant designed to run commands and exfiltrate sensitive information back to a remote server. The RAT is responsible for loading and executing the auxiliary modules based on checks performed on the victim systems. 

Furthermore, Purple Fox, which comes with a rootkit module, also comes with support for five different commands, including copying and deleting files from the kernel as well as evading antivirus engines by intercepting calls sent to the file system. 

The attackers distribute their malware using disguised software packages that encapsulate the loader. They use popular legitimate application names like Telegram, WhatsApp, Adobe, and Chrome to hide their malicious package installers. 

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t enable macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and indicators of compromise.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

VMware addresses vCenter Server information disclosure vulnerability

VMware published a security update to address an information disclosure vulnerability in VMware vCenter Server and VMware Cloud Foundation (Cloud Foundation).

The vulnerability, tracked as CVE-2022-22948 with a CVSS score of 5.5, is an information disclosure issue caused by improper file permissions. A malicious actor with non-administrative access to the vCenter Server may exploit it to gain access to sensitive information.

To remediate CVE-2022-22948 please apply the patches listed in the ‘Fixed Version’ column here.

RECOMMENDATIONS

  • Keep all systems patched and updated.

Google Chrome update fixes multiple vulnerabilities

Google published an update for the Chrome browser with a number of improvements and a total of 28 security fixes in its latest version, 100.0.4896.60.

Below is a list of vulnerabilities contributed by external researchers and addressed in this update:

High severity:

Medium severity:

Low severity:

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

VMware addresses Spring Expression Resource Access Vulnerability

VMware released a security update to address a vulnerability in Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions.

When the routing functionality is used, a user can supply a specially crafted SpEL expression as the routing expression, which may result in access to local resources.

Spring Cloud is a collection of ready-to-use components which are useful in building distributed applications in an enterprise. As a framework, it is widely used across industries by various companies.

Proof-of-concept (PoC) code is already readily available on the internet showing how to inject unauthorised Java code into inbound Spring Cloud Function requests, and how to use that code to run an unwanted program.

Users of affected versions should upgrade to 3.1.7 or 3.2.3 respectively.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
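An added detection example for the Spring Cloud Function issue described above (not code from the Help AG advisory or from the Spring project): it flags inbound requests whose routing header carries a SpEL expression rather than a plain function name, and checks a deployed spring-cloud-function version against the fixed releases named in the text. The header name is the one Spring Cloud Function reads for request-level routing; the request records and helper names are this example's own constructions.

```python
# Added example: flag routing headers that carry a SpEL expression instead of a
# function name, and check spring-cloud-function versions against the fixed
# releases (3.1.7 / 3.2.3). Sample requests are constructed, not captured traffic.
import re

ROUTING_HEADER = "spring.cloud.function.routing-expression"
FIXED_VERSIONS = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}

# A legitimate routing value only names functions, optionally composed with '|'.
_PLAIN_FUNCTION_NAME = re.compile(r"^[A-Za-z_][\w.-]*(\|[A-Za-z_][\w.-]*)*$")
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def routing_value_is_suspicious(value):
    """True for anything that is not a bare function name: type references
    T(...), constructor or method calls, quotes and SpEL variables all indicate
    an expression the framework would evaluate rather than a function to route to."""
    return not _PLAIN_FUNCTION_NAME.match(value.strip())


def flag_requests(requests):
    """requests: iterable of dicts with 'client', 'path' and 'headers' (header
    names lower-cased). Returns (client, path, header value) for every request
    carrying a suspicious routing expression."""
    hits = []
    for req in requests:
        value = req["headers"].get(ROUTING_HEADER)
        if value is not None and routing_value_is_suspicious(value):
            hits.append((req["client"], req["path"], value))
    return hits


def version_is_fixed(version):
    """True when spring-cloud-function is at or above the fixed release for its
    3.1 or 3.2 line; older lines are unsupported and therefore treated as unfixed."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIXED_VERSIONS.get((major, minor))
    return fixed is not None and (major, minor, patch) >= fixed


SAMPLE_REQUESTS = [  # constructed for this example
    {"client": "10.0.0.5", "path": "/functionRouter", "headers": {ROUTING_HEADER: "uppercase"}},
    {"client": "10.0.0.5", "path": "/functionRouter", "headers": {ROUTING_HEADER: "uppercase|reverse"}},
    {"client": "203.0.113.7", "path": "/functionRouter",
     "headers": {ROUTING_HEADER: "T(java.lang.System).getProperty('user.dir')"}},
    {"client": "203.0.113.9", "path": "/health", "headers": {}},
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("suspicious routing expression:", hit)
```

Run the same header check at the reverse proxy or WAF in front of the application, and treat any hit as a reason to verify the deployed version with version_is_fixed.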
