Threat advisories

Top Middle East Cyber Threats – 5 July 2021

Jul-2021 7 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Linux Variant of Darkside Ransomware

The characteristics of the Linux version of Darkside ransomware, which was one of the most active ransomware strains in the previous quarter and was responsible for the attack on the US Colonial Pipeline, were revealed in a recent analysis report. Unlike most Linux ransomwares, Darkside encrypts files with crypto libraries rather than password-protected zip files. The group appears to have completed the development of a Linux version of its malware that targets ESXi servers that host VMware virtual machines.

The malware was designed in such a way that the root path of the ESX server machines is included in its default configuration. In ESX servers, the extensions ‘vmdk,’ ‘log,’ ‘vmem,’ and ‘vmsn’ are used to save information, data, and logs for virtual machines. The malware is insightful in the sense that it prints the majority of the actions it performs to the screen, which is unusual for a malware. The malware is written in C++ and makes use of several open-source libraries that were imported and compiled into a single binary alongside the malware code.

To communicate with an infected machine via its Command and Control, the malware employs libcurl functions that were compiled with the rest of the code (C&C). The malware can also be used to shut down virtual machines by running esxcli commands, which is a special console on ESX servers that allows it to interact with virtual machines from the command line. According to the report, the actor exfiltrated information such as username, OS version, hostname, build, and more.

RECOMMENDATIONS

Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
Ensure that the systems are correctly configured and that the security features are enabled.
Disable ports and protocols that are not used for business purposes (e.g., Remote Desktop Protocol [RDP] – Transmission Control Protocol [TCP] Port 3389).
Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
Use multi-factor authentication (MFA) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
Block the indicators of compromise within respective security controls organization wide.

Active Exploitation of the Cisco ASA Cross-Site Scripting Vulnerability (CVE-2020-3580)

Security researchers recently reported an exploit code for the Cisco ASA CVE-2020-3580 vulnerability, a vulnerability with a CVSS score of 6.1, shortly after which Help AG discovered another report indicating that threat actors are actively exploiting the vulnerability on affected Cisco ASA devices.

In October 2020, Cisco disclosed the vulnerability and issued a patch. The initial patch for CVE-2020-3580, however, was incomplete, and a follow-up fix was released in April 2021. According to the official notification, this vulnerability allows an unauthenticated threat actor to send targeted phishing emails or malicious links to a user of a Cisco ASA device, allowing the user’s browser to execute JavaScript commands. An attacker could leverage a successful exploit to run arbitrary code in the context of the interface or gain access to sensitive browser-based information.

RECOMMENDATIONS

Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
Comply with the official notification and patch vulnerable Cisco ASA devices as soon as possible so that threat actors do not exploit them, assuming that threat actors are actively exploiting the vulnerability at this stage.
Ensure that the systems are correctly configured and that the security features are enabled.
Disable ports and protocols that are not used for business purposes (e.g., Remote Desktop Protocol [RDP] – Transmission Control Protocol [TCP] Port 3389).
Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
Use multi-factor authentication (MFA) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.

PoC exploit for CVE-2021-1675 RCE started circulating online

Proof-of-concept exploit code for the CVE-2021-1675 flaw has been published online, the flaw impacts the Windows Print Spooler service and could be exploited to compromise Windows systems.

CVE-2021-1675 was initially classified as local privilege escalation vulnerability, but on 29 June 2021 Microsoft reviewed the issue and labeled it as a remote code execution flaw. This was done after three Chinese researchers found a way to exploit it as RCE rather than LPE.

Microsoft addressed the flaw with the release of Microsoft June 2021 Patch Tuesday security updates. However, the patch issued by Microsoft does not solve the RCE vulnerability as Rapid7 researchers have confirmed that public exploits work against fully patched Windows Server 2019 installations.

The vulnerability resides in Print Spooler (spoolsv.exe) service that manages the printing process, it impacts all Windows OS versions.

RECOMMENDATIONS

Prioritize timely patch of all critical vulnerabilities.
Disable print spooler on servers that don’t use them, especially crown jewel servers as print spooler had multiple high/critical severity vulnerabilities in the past and there are multiple ways to abuse print spooler that each require certain configuration/requirements. There are scripts to automate this on multiple machines such as https://github.com/gtworek/PSBits/blob/master/Misc/StopAndDisableDefaultSpoolers.ps1
For machines where disabling the print spooler service is not an option, you can deny client connections to the spooler. This can be done on the whole/subset of environment using GPO by setting Computer Configuration -> Administrative Templates -> Printers -> Allow Print Spooler to accept client connections to disabled. Then restart the spooler service.
On machines which you can not disable print spooler or limit client connection over RPC, the following config file can be added to Sysmon for detection. https://github.com/LaresLLC/CVE-2021-1675/blob/main/CVE-2021-1675.xml
If you need to hunt for the RCE execution, use Sysmon or EDR to check any drivers loaded by C:\Windows\System32\spoolsv.exe. Any unknown driver loaded should be investigated.

Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527

On 29 June 2021, a proof-of-concept (POC) for PrintNightmare was published on GitHub. The code was made available for a short period of time and was found to be actively used against vulnerable systems before being removed within a few hours. We believe an attacker could use the proof-of-concept to exploit the CVE-2021-34527 vulnerability and gain control of a vulnerable system.

The CERT Coordination Center (CERT/CC) had also issued a VulNote for CVE-2021-1675, advising system administrators to disable the Windows Print Spooler service in Domain Controllers and non-printing systems, according to a release from the Cybersecurity Infrastructure and Security Administration (CISA).

A remote code execution vulnerability exists when the Windows Print Spooler service incorrectly performs privileged file operations. In the meantime, Microsoft issued another advisory on PrintNightmare, assigning a new CVE (CVE-2021-34527) and implying a new attack vector in an attempt to bridge the gap. An attacker who successfully exploits this vulnerability may be able to execute arbitrary code with SYSTEM privileges. After that, an attacker could install programmes, change or delete data, or create new accounts with full user privileges. Microsoft connects CVE-2021-1675 to CVE-2021-34527 and describes the situation as evolving. CVE-2021-34527 is similar to but distinct from CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx().

CVE-2021-34527 dates back to the June 2021 patch updates and affects domain controllers in all versions of Windows.

RECOMMENDATIONS

Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plugins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
Follow the official notification and refer to the “Workaround” section for information on how to help protect your system from this vulnerability.
Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
Use multi-factor authentication (MFA) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.

References: