Threat advisories

Top Middle East Cyber Threats – 4 October 2022

Oct-2022 8 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Threat actors leverage unpatched Atlassian Confluence servers to deploy crypto miners

An ongoing crypto mining campaign has been observed targeting Atlassian Confluence servers affected by the CVE-2022-26134 vulnerability. The vulnerability with CVSS score of 9.8 is being actively exploited for illicit cryptocurrency mining on unpatched installations. The unpatched systems if successfully exploited, could be prone to malicious attacks, such as a complete domain takeover of the infrastructure and the deployment of information stealers, remote access trojans (RATs), and ransomware.

In one of the attack patterns observed, the vulnerability was leveraged to download and run a shell script “ro.sh” on the victim’s machine. Then the script was used to fetch a second shell script “ap.sh” which was in turn used to perform multiple actions, including the update of the path variable, downloading the curl utility, disabling the iptables or changes the firewall policy action to ACCEPT and flushing all the firewall rules. The script also downloads a binary file, which exploits the PwnKit vulnerability to escalate the privilege to the root user. Finally, it downloads the hezb malware and kills processes that are associated with other competing coin miners.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
Block the IoCs within respective security controls organization wide.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

Developer leaks LockBit 3.0 Black Builder online

In June, the LockBit ransomware operation released version 3.0 of their encryptor, codenamed LockBit Black. Recently, it was leaked online by a developer working for the LockBit threat group. Technical analysis of the code shows that the leaked LockBit 3.0 builder allows anyone to build the executables required to launch their own operation.

The builder consists of 4 files: an encryption key generator, a builder, a modifiable configuration file, and a batch file to build all the files. ‘Build.bat’ creates an RSA public/private key pair by executing Keygen.exe, and Builder.exe that generates a LockBit 3.0 ransomware using the generated key pair. The ‘config.json’ can be used to set values for generating the encryptor and decryptor. By modifying the configuration file, hackers can customize it according to their requirements and modify the created ransom note to link to their own infrastructure. ‘Builder.exe’ is used to generate LockBit 3.0 Encryptor and Decryptor. Finally, ‘Keygen.exe’ generates key pairs required for encryption.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
Block the IoCs within respective security controls organization wide.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

Attackers use malicious OAuth applications to abuse cloud email services to spread spam

It has been observed that attackers are making use of rogue OAuth applications deployed on compromised cloud tenants to take control of Microsoft Exchange servers and spread spam.

In one of the attacks, the threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access. The unauthorized access to the cloud tenant hence allowed the attacker to create a malicious OAuth application, grant it elevated permissions, and then modify Exchange Server settings to allow inbound emails from specific IP addresses to be routed through the compromised email server. This allowed them to send spam emails. The attacker’s goal was to spread misleading spam messages about sweepstakes, to trick recipients into signing up for recurring paid subscriptions.

RECOMMENDATIONS

Follow security practices that strengthen account credentials such as enabling MFA.
Enable conditional access policies and continuous access evaluation.
Ensure alerts are set for detecting risky OAuth Apps.
Ensure revoking/banning of an app from the OAuth apps page once confirmed to be suspicious.
Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

Google Chrome update fixes multiple vulnerabilities

Google published a security update to address multiple vulnerabilities in Chrome browser that are fixed now in Chrome latest version i.e Chrome 106.0.5249.61 ( Mac/ linux) and 106.0.5249.61/62 (Windows).

The update includes 20 security fixes, out of which 16 were contributed by external researchers. Five are rated ‘high’ severity, eight are of ‘medium’ severity, and three are of ‘low’ severity. Some of these could lead to arbitrary code execution, denial of service, or data corruption. Four of these are use-after-free vulnerabilities that impact browser components such as CSS, Survey, and Media. The update also fixes three medium severity use-after-free vulnerabilities, which impact three other Chrome components: Assistant, Import, and Logging.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Witchetty espionage group targets Middle East and Africa

A cyber espionage group named “Witchetty” has been observed targeting Middle East and Africa using updated toolset. The group also known as “LookingFrog” uses a backdoor Trojan (Backdoor.Stegmap) that employs steganography, a technique where malicious code is hidden within an image. In some cases, they hid the malware in a Microsoft Windows logo. Furthermore, they use two pieces of malware: one known as X4 and a second-stage payload known as LookBack.

Their main goal is espionage, finding computers on the network, stealing data and exfiltrating it out of the organization. Between February and September 2022, the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation. The attackers exploited the ProxyShell and ProxyLogon vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
Block the IoCs within respective security controls organization wide.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

New Microsoft Exchange zero-days actively exploited in attacks

Threat actors have been observed exploiting previously undisclosed flaws in fully patched Microsoft Exchange to achieve remote code execution on affected systems.

The two vulnerabilities, which are formally yet to be assigned CVE identifiers, are being tracked by the Zero Day Initiative known as ZDI-CAN-18333 (CVSS score: 8.8) and ZDI-CAN-18802 (CVSS score: 6.3). The attackers are chaining these two zero-days to deploy Chinese Chopper web shells to gain a foothold in the victim’s systems, enabling adversaries to drop web shells and carry out lateral movements across the compromised network. The user agent used to install the web shells belongs to Antsword, a Chinese-based open-source website admin tool with web shell management support.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t enable macros for unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that the email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
Block the IoCs within respective security controls organization wide.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.
As temporary workaround, it’s recommended to add a rule to block requests with indicators of compromise using the URL Rewrite Rule module for IIS servers –

In Autodiscover at FrontEnd, select tab URL Rewrite, and then select Request Blocking. Add string “.*autodiscover\.json.*\@.*Powershell.*” to the URL Path, and Condition input: Choose {REQUEST_URI}

Admins who want to check if their Exchange servers have already been compromised using this exploit can run the following PowerShell command to scan IIS log files for indicators of compromise:

Get-ChildItem -Recurse -Path -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover\.json.*\@.*200’

References: