Top Middle East Cyber Threats – 5 July 2022

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

New NTLM Relay Attack Lets Adversaries Take Control Over Windows Domain

A new kind of Windows NTLM relay attack dubbed DFSCoerce has been discovered and it uses MS-DFSNM, Microsoft’s Distributed File System, to completely take over a Windows domain.

The DFSCoerce script is based on the PetitPotam exploit, using MS-DFSNM, a protocol that allows the Windows Distributed File System (DFS) to be managed over an RPC interface. Windows servers, including domain controllers, are coerced into authenticating with a relay under an attacker’s control, letting threat actors potentially take over an entire domain.

You are potentially vulnerable to this attack if you are using Active Directory Certificate Services (AD CS) with any of the following services:

• Certificate Authority Web Enrollment
• Certificate Enrollment Web Service

RECOMMENDATIONS

• Ensure all systems are patched and updated.
• Refer to Microsoft’s released advisory on mitigating the PetitPotam NTLM relay attack. The mitigations can be found here.

Google Chrome June Update Fixes Multiple Vulnerabilities

Google published a security update to address multiple vulnerabilities in Chrome browser that are fixed now in Chrome latest version (103.0.5060.53).

The update includes 14 security fixes – 9 of them were contributed by external researchers. The most severe vulnerability reported is CVE-2022-2156 with Critical risk level and described as Use after free in Base.

Google also fixed 2 High CVEs, the first one is CVE-2022-2157, a Use after free vulnerability in Interest groups and the second is CVE-2022-2158, a type Confusion in V8.

RECOMMENDATIONS

• Ensure all systems are patched and updated.

New Malware Lyceum Suicide Drone Discovered

A new malware associated with the Iranian SiameseKitten (Lyceum) group has been discovered with medium-high confidence. A file is downloaded from a domain registered on June 6th which is a reverse shell that impersonates an Adobe update. The reverse shell is dropped by a parent file signed with a fake Microsoft certificate. They are also leveraging a PDF document and an executable to establish persistence. It is then followed by communication with a previously unknown C2 server.

RECOMMENDATIONS

• Ensure all systems are patched and updated.
• Avoid clicking or opening untrusted or unknown links, files or attachments.
• Don’t enable macros for unknown MS Office files.
• Enable software restriction policies and application whitelisting.
• Ensure that the email server is configured to block any suspicious attached files.
• Enforce the Restricted PowerShell script execution policy for end users.
• Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
• Block the IoCs within respective security controls organization wide.
• Ensure frequent backups are in place.
• Educate employees about detecting and reporting phishing / suspicious emails.

Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor

A stealthy new malware Dubbed SessionManager has been discovered that threat actors have been using for over a year to backdoor Microsoft Exchange servers after they have been hacked. The malware poses as a legitimate module for Internet Information Services (IIS), the web server installed by default on Exchange servers. 34 servers belonging to 24 organizations have been discovered to be infected with SessionManager since March 2021. It has so far hit government and non-government organizations in Africa, South Asia, Europe and the Middle East. The backdoor is believed to have been leveraged in previous attacks by the Gelsemium threat actor as part of a worldwide espionage operation.

Once dropped into the victim’s system, the threat actors can gain access to company emails, update further malicious access by installing other types of malware or manage compromised servers. The malware is capable of dropping and managing arbitrary files on compromised servers, running remote command execution on backdoored devices, connecting to endpoints within the victim’s local network and manipulating the network traffic.

RECOMMENDATIONS

• Ensure all systems are patched and updated.
• Avoid clicking or opening untrusted or unknown links, files or attachments.
• Don’t enable macros for unknown MS Office files.
• Enable software restriction policies and application whitelisting.
• Ensure that the email server is configured to block any suspicious attached files.
• Enforce the Restricted PowerShell script execution policy for end users.
• Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
• Block the IoCs within respective security controls organization wide.
• Ensure frequent backups are in place.
• Educate employees about detecting and reporting phishing / suspicious emails.

Cisco Secure Email Vulnerability Allows Attackers To Bypass Authentication

A critical vulnerability has been fixed by Cisco affecting Email Security Appliance (ESA) and Secure Email and Web Manager. The vulnerability can allow attackers to bypass authentication and login into the web management interface of Cisco email gateway appliances with non-default configurations.

The security flaw, tracked as CVE-2022-20798 is caused due to improper authentication checks when an affected device uses Lightweight Directory Access Protocol (LDAP) for external authentication. This bug only affects appliances configured to use external authentication and LDAP as the authentication protocol. Since the external authentication feature is disabled by default, only devices with non-default configurations are impacted.

To check if external authentication is enabled on your appliance, log into the web-based management interface, go to System Administration > Users, and look for a green checkbox next to “Enable External Authentication.”

RECOMMENDATIONS

• Ensure all systems are patched and updated. There is a workaround that addresses this vulnerability. Administrators can disable the anonymous binds on the external authentication server.

Makemoney Malvertising Campaign Adds Fake Update Template

A malvertising campaign has been observed leading to a fake Firefox update. The template contains a couple of scripts that download an encrypted payload which consists of a loader which retrieves an Adware detected as BrowserAssistant.

The campaign has some similarities with the campaigns of FakeUpdates (SocGholish) threat actors whose major modus operandi relies on social engineering leveraging fake but convincing update notifications.

RECOMMENDATIONS

• Ensure all systems are patched and updated.
• Avoid clicking or opening untrusted or unknown links, files or attachments.
• Don’t enable macros for unknown MS Office files.
• Enable software restriction policies and application whitelisting.
• Ensure that email server is configured to block any suspicious attached files.
• Enforce the Restricted PowerShell script execution policy for end users.
• Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
• Block the IoCs within respective security controls organization wide.
• Ensure frequent backups are in place.
• Educate employees about detecting and reporting phishing / suspicious emails.

Microsoft Fixes 55 Vulnerabilities Including Windows Zero-Day Follina

Microsoft has released 55 security fixes that resolve critical issues including the Follina zero-day flaw in Windows as part of its June Patch Tuesday. 3 are rated Critical, 51 are rated Important, and 1 is rated Moderate in severity. The fixes address CVEs in Microsoft Windows and Windows Components; .NET and Visual Studio; Microsoft Office and Office Components; Microsoft Edge (Chromium-based); Windows Hyper-V Server; Windows App Store; Azure OMI, Real Time Operating System, and Service Fabric Container; SharePoint Server; Windows Defender; Windows Lightweight Directory Access Protocol (LDAP); and Windows Powershell. 

Some of the most critical vulnerabilities resolved in this update are:

• CVE-2022-30190
• CVE-2022-30136
• CVE-2022-30163
• CVE-2022-30139
• CVE-2022-30164
• CVE-2022-30157
• CVE-2022-30165

RECOMMENDATIONS

• Ensure all systems are patched and updated. The patch for the File Server Shadow Copy Agent Service (RVSS) only affects systems where the File Server VSS Agent Service is installed. Please note, the patch alone isn’t enough on those systems. Admins must install the updates on Application and File Servers. Failure to do so could negatively impact backups and cause them to fail.

References:

• • • https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
    • https://chromereleases.googleblog.com/2022/06/stable-channel-update-for-desktop_21.html
    • https://www.clearskysec.com/wp-content/uploads/2022/06/Lyceum-suicide-drone-23.6.pdf
    • https://securelist.com/the-sessionmanager-iis-backdoor/106868/
    • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-esa-auth-bypass-66kEcxQD
    • https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/
    • https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html
    • https://msrc.microsoft.com/update-guide/vulnerability
    • https://support.microsoft.com/en-us/topic/kb5015527-shadow-copy-operations-using-vss-on-remote-smb-shares-denied-access-after-installing-windows-update-dated-june-14-2022-6d460245-08b6-40f4-9ded-dd030b27850b