Top Middle East Cyber Threats – 6 August 2020
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Vulnerability in Linux libX11 (CVE-2020-14344)
Red Hat has published an advisory for CVE-2020-14344, a flaw in libX11, the core X11 client library shipped with Red Hat Enterprise Linux and other Linux distributions. An integer overflow leading to a heap buffer overflow was found in the X Input Method (XIM) client implemented in libX11 before version 1.6.10, in code that parses data received from the input-method server. As per upstream, this is security relevant when setuid programs call XIM client functions while running with elevated privileges, because a malicious or compromised input-method server can then corrupt the heap of a privileged process.
- Help AG encourages users and administrators to urgently update libX11 on affected assets to a fixed build (1.6.10 or later upstream, or the corresponding vendor errata) following the steps provided by the distribution vendor.
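The following is an added illustration of the vulnerability class described above; it is not libX11 code and not the CVE-2020-14344 fix. It shows an allocation size computed in the same 16-bit width as a wire-protocol count wrapping around, so malloc() returns a buffer smaller than the data later copied into it, and the overflow-checked form that refuses such input. The wire format, the 40-byte record size and the function names are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format (an assumption for this example): a big-endian
 * 16-bit record count followed by `count` records of ATTR_LEN bytes each,
 * received from an untrusted peer such as an input-method server. */
#define ATTR_LEN 40u

/* VULNERABLE: the total is stored in the same 16-bit width as the wire field.
 * count * ATTR_LEN is evaluated in unsigned int (no wrap there), but the
 * assignment truncates: 0x1A00 * 40 = 0x41000 becomes 0x1000. */
uint16_t vuln_alloc_size(uint16_t count)
{
    uint16_t total = (uint16_t)(count * ATTR_LEN);
    return total;
}

/* VULNERABLE copy: allocates vuln_alloc_size() bytes but copies the full
 * count * ATTR_LEN bytes, overflowing the heap when the size wrapped. The
 * input length is never validated either. Shown for contrast only; do not
 * call it with a wrapping count. */
uint8_t *vuln_copy_attrs(const uint8_t *in, size_t in_len)
{
    (void)in_len;                                      /* never checked */
    uint16_t count = (uint16_t)((in[0] << 8) | in[1]);
    uint8_t *buf = malloc(vuln_alloc_size(count));     /* undersized when wrapped */
    if (buf)
        memcpy(buf, in + 2, (size_t)count * ATTR_LEN); /* heap overflow */
    return buf;
}

/* Overflow-checked multiply. __builtin_mul_overflow() does the same on GCC
 * and Clang; this form is portable to any C99 compiler. */
bool checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* HARDENED: widen to size_t, reject wrap-around, and refuse any count that
 * claims more bytes than the input actually carries. Returns a heap copy of
 * the records (caller frees) or NULL on any inconsistency. */
uint8_t *safe_copy_attrs(const uint8_t *in, size_t in_len, uint16_t *out_count)
{
    size_t total;
    if (in == NULL || in_len < 2)
        return NULL;
    uint16_t count = (uint16_t)((in[0] << 8) | in[1]);
    if (!checked_mul(count, ATTR_LEN, &total))
        return NULL;                 /* size computation would wrap */
    if (total > in_len - 2)
        return NULL;                 /* peer claims more than it sent */
    uint8_t *buf = malloc(total ? total : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, in + 2, total);
    *out_count = count;
    return buf;
}

int main(void)
{
    /* Constructed input: count = 2, followed by two 40-byte records. */
    uint8_t in[2 + 2 * ATTR_LEN];
    uint16_t n = 0;
    memset(in, 0xAB, sizeof in);
    in[0] = 0; in[1] = 2;
    uint8_t *out = safe_copy_attrs(in, sizeof in, &n);
    printf("safe copy: %s, %u records\n", out ? "ok" : "rejected", n);
    printf("wrapped size for count 0x1A00: %u bytes (should be %lu)\n",
           vuln_alloc_size(0x1A00), 0x1A00UL * ATTR_LEN);
    free(out);
    return 0;
}
```

The two checks in safe_copy_attrs() are independent: the multiplication guard catches arithmetic wrap even on inputs that are otherwise consistent, while the length-versus-input check catches a peer that advertises more records than it actually sent, which would otherwise turn into an out-of-bounds read.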
Cisco Products Affected by GRUB2 Arbitrary Code Execution Vulnerability
A research paper called “There's a Hole in the Boot”, published by Eclypsium on 29 July 2020, describes a vulnerability in the GRand Unified Bootloader version 2 (GRUB2), tracked as CVE-2020-10713 and dubbed BootHole, that may allow an attacker to execute arbitrary code at system boot time. This vulnerability affects multiple Cisco products that integrate a vulnerable release of the GRUB2 bootloader.
The vulnerability is due to incorrect bounds checking of certain values parsed from the GRUB2 configuration file (grub.cfg). An attacker who can supply a crafted configuration file can trigger a buffer overflow while GRUB2 processes it, and a successful exploit allows arbitrary code to run before the targeted system loads the operating system. Because grub.cfg is a plain text file that is not covered by the signature checks UEFI Secure Boot applies to the bootloader binary itself, this lets an attacker tamper with the secure boot process on systems protected by UEFI Secure Boot. Note that exploitation requires the ability to write to the configuration file, so it typically presupposes administrative or physical access to the device; the main impact is persistence that survives a rebuild of the operating system.
Cisco is reviewing its product line to determine which products and cloud services may be affected. Any product or service not listed in the Products Under Investigation or Vulnerable Products section of the official advisory is considered not vulnerable at this stage.
- Help AG encourages users and administrators to review the official notification from Cisco and apply necessary patches as soon as possible.
- Help AG recommends users and administrators to ensure that the devices eligible for upgrade have adequate memory and to confirm that the current hardware and software configurations will continue to be properly supported by the new release.
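The following added example illustrates the bug class behind BootHole in a constructed config tokenizer. It is not GRUB2 source and makes no claim about GRUB2's actual parser: the token format, buffer size and function names are assumptions for the example. It contrasts a length check whose failure path only logs and lets the copy continue with a check that bounds the copy and turns an over-long token from an attacker-written config file into a hard parse failure.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed grub.cfg-style tokenizer (an assumption for this example; none
 * of this is GRUB2 code). Each call extracts the next whitespace-separated
 * token starting at `in`. */
#define TOKEN_MAX 16   /* deliberately small fixed-size buffer */

/* Error handler modelled on the vulnerable pattern: it logs and returns
 * instead of aborting, so the caller keeps parsing. */
static void fatal_that_only_logs(const char *msg)
{
    fprintf(stderr, "config error: %s\n", msg);
}

/* VULNERABLE: the length check is present, but its failure path only logs and
 * the copy continues past tok[TOKEN_MAX - 1]. A token longer than the buffer in
 * an attacker-controlled config file corrupts adjacent memory. Shown for
 * contrast; do not call it with long tokens. */
size_t vuln_next_token(const char *in, char tok[TOKEN_MAX])
{
    size_t i = 0, n = 0;
    while (in[i] && isspace((unsigned char)in[i])) i++;
    while (in[i] && !isspace((unsigned char)in[i])) {
        if (n >= TOKEN_MAX - 1)
            fatal_that_only_logs("token too long");   /* ...and carries on */
        tok[n++] = in[i++];                             /* out-of-bounds write */
    }
    tok[n] = '\0';
    return i;
}

/* HARDENED: bounds the copy against the real buffer capacity and treats an
 * over-long token as a hard failure (-1) rather than a warning. On success
 * returns the number of input bytes consumed (so the caller can resume at the
 * next token) and stores the token length in *tok_len. */
long safe_next_token(const char *in, size_t in_len, char *tok, size_t tok_cap, size_t *tok_len)
{
    size_t i = 0, n = 0;
    if (in == NULL || tok == NULL || tok_cap == 0 || tok_len == NULL) return -1;
    while (i < in_len && isspace((unsigned char)in[i])) i++;
    while (i < in_len && in[i] != '\0' && !isspace((unsigned char)in[i])) {
        if (n + 1 >= tok_cap) {      /* keep room for the terminator */
            tok[0] = '\0';
            return -1;               /* stop: untrusted input is malformed */
        }
        tok[n++] = in[i++];
    }
    tok[n] = '\0';
    *tok_len = n;
    return (long)i;
}

/* Walk a whole config buffer and count its tokens; returns -1 if any token is
 * over-long, which is how a bootloader should refuse a hostile config. */
long safe_count_tokens(const char *cfg, size_t cfg_len)
{
    char tok[TOKEN_MAX];
    size_t pos = 0, len = 0, count = 0;
    while (pos < cfg_len) {
        long used = safe_next_token(cfg + pos, cfg_len - pos, tok, sizeof tok, &len);
        if (used < 0) return -1;
        if (len == 0) break;         /* only whitespace left */
        pos += (size_t)used;
        count++;
    }
    return (long)count;
}

int main(void)
{
    /* Constructed config text, one benign and one hostile. */
    const char *good = "set default=0\nset timeout=5\n";
    const char *bad  = "menuentry AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA {\n";
    printf("benign config: %ld tokens\n", safe_count_tokens(good, strlen(good)));
    printf("hostile config: %ld (negative = rejected)\n", safe_count_tokens(bad, strlen(bad)));
    return 0;
}
```

The point of the hardened version is not the size of the buffer but the shape of the failure path: once a bounds check fires on input that only an administrator or an attacker with write access could have produced, the parser must stop rather than log and continue.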
OilRig Targets Telecommunications Organizations in the Middle East
Unit 42 has published details of an attack on telecommunications organizations in the Middle East. During the investigation, researchers found a version of the OilRig-associated backdoor dubbed RDAT using a new email-based command and control (C2) channel. The tool uses steganography to hide commands and data inside bitmap (BMP) images attached to emails, so that the C2 traffic looks like ordinary mail with image attachments.
In May 2020, Symantec published research on the Greenbug group targeting telecommunications organizations in South Asia, including attacks carried out as recently as April 2020. Unit 42 (Palo Alto Networks) observed similar tactics and tooling in attacks on a telecommunications organization in the Middle East in April 2020: custom PowerShell downloaders, the Bitvise SSH client, Mimikatz, and a custom backdoor tracked as RDAT. Unit 42 previously tied Greenbug to the OilRig threat group, which has been tracked since 2015. Researchers first documented RDAT in OilRig operations in 2017; later research uncovered a similar sample created in 2018 that used a different command and control channel.
- Do not open suspicious emails or click on unknown links or attachments. The easiest way to check a link is to hover over it with the mouse and compare the displayed destination with the visible text.
- Check the extensions of the files you download. Document files do not use the .EXE format; an attachment whose name ends in .exe is an executable regardless of any icon or earlier extension.
- Do not open attachments unless you fully trust the source they came from.
- Block the accompanying list of indicators of compromise (distributed with this advisory) within your security controls organization-wide.
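The following added example shows, in general terms, what hiding data in a bitmap image means: least-significant-bit (LSB) steganography in a 24-bit BMP, with an embed and an extract routine and a capacity check. It is a constructed illustration, not RDAT code; the Unit 42 report does not say which encoding RDAT uses, so the LSB scheme, the length prefix and every function name here are assumptions for the example only.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed LSB steganography over a 24-bit BMP. Not the RDAT
 * implementation; the encoding is an assumption used for illustration. */
#define BMP_HDR 54u   /* 14-byte file header + 40-byte BITMAPINFOHEADER */

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Create a valid, all-black 24-bit BMP of w x h pixels (rows padded to 4 bytes). */
uint8_t *bmp_create(uint32_t w, uint32_t h, size_t *out_len)
{
    uint32_t row = (w * 3 + 3) & ~3u;
    size_t pix = (size_t)row * h, len = BMP_HDR + pix;
    uint8_t *b = calloc(1, len);
    if (!b) return NULL;
    b[0] = 'B'; b[1] = 'M';
    put32(b + 2, (uint32_t)len);           /* file size */
    put32(b + 10, BMP_HDR);                /* offset of pixel data */
    put32(b + 14, 40);                     /* info header size */
    put32(b + 18, w); put32(b + 22, h);
    put16(b + 26, 1); put16(b + 28, 24);   /* planes, bits per pixel */
    put32(b + 34, (uint32_t)pix);          /* image size */
    *out_len = len;
    return b;
}

/* Pixel bytes available for hiding data: everything after the header offset. */
static size_t pixel_bytes(const uint8_t *bmp, size_t len, const uint8_t **start)
{
    uint32_t off;
    if (len < BMP_HDR) return 0;
    off = get32(bmp + 10);
    if (off < BMP_HDR || off > len) return 0;
    *start = bmp + off;
    return len - off;
}

/* Embed msg in the LSB of each pixel byte: a 32-bit length prefix followed by
 * the payload, most-significant bit first. Returns 0, or -1 if the image is
 * too small (capacity is one bit per pixel byte). */
int stego_embed(uint8_t *bmp, size_t bmp_len, const uint8_t *msg, uint32_t msg_len)
{
    const uint8_t *start;
    uint8_t *p, hdr[4];
    size_t cap = pixel_bytes(bmp, bmp_len, &start);
    size_t need = ((size_t)msg_len + 4) * 8;
    if (cap == 0 || need > cap) return -1;
    p = (uint8_t *)start;                  /* bmp itself is writable */
    put32(hdr, msg_len);
    for (size_t i = 0; i < need; i++) {
        size_t byte = i / 8;
        uint8_t src = byte < 4 ? hdr[byte] : msg[byte - 4];
        uint8_t bit = (uint8_t)((src >> (7 - i % 8)) & 1);
        p[i] = (uint8_t)((p[i] & 0xFE) | bit);
    }
    return 0;
}

/* Recover the payload; returns a malloc'd buffer (caller frees) and its length,
 * or NULL if the length prefix claims more than the image could hold. */
uint8_t *stego_extract(const uint8_t *bmp, size_t bmp_len, uint32_t *out_len)
{
    const uint8_t *p;
    uint8_t hdr[4] = {0}, *out;
    uint32_t n;
    size_t cap = pixel_bytes(bmp, bmp_len, &p);
    if (cap < 32) return NULL;
    for (size_t i = 0; i < 32; i++) hdr[i / 8] = (uint8_t)((hdr[i / 8] << 1) | (p[i] & 1));
    n = get32(hdr);
    if (n > (cap - 32) / 8) return NULL;   /* bogus length prefix: reject */
    out = calloc((size_t)n + 1, 1);
    if (!out) return NULL;
    for (size_t i = 0; i < (size_t)n * 8; i++)
        out[i / 8] = (uint8_t)((out[i / 8] << 1) | (p[32 + i] & 1));
    *out_len = n;
    return out;
}

int main(void)
{
    size_t len; uint32_t n = 0;
    const uint8_t cmd[] = "whoami";        /* constructed sample command */
    uint8_t *bmp = bmp_create(16, 16, &len);
    if (!bmp || stego_embed(bmp, len, cmd, 6) != 0) return 1;
    uint8_t *got = stego_extract(bmp, len, &n);
    printf("recovered %u bytes: %s\n", n, got ? (char *)got : "(none)");
    free(got); free(bmp);
    return 0;
}
```

Because only the lowest bit of each colour byte changes, the carrier still opens as a normal image and passes size and format checks; this is why the recommendations above focus on blocking the known indicators rather than on inspecting attachments by eye.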
Critical Vulnerability in SAP NetWeaver AS Java
A vulnerability tracked as CVE-2020-6287, dubbed RECON by its discoverers at Onapsis and rated with the maximum CVSS score of 10.0, was reported in the LM Configuration Wizard of SAP NetWeaver AS Java versions 7.30 to 7.50. NetWeaver is a core component of several SAP solutions and products and is present in most SAP environments.
Onapsis, which disclosed the issue responsibly to SAP, confirms that the vulnerability can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems. The flaw is a missing authentication check in a web-reachable component, so an attacker who can reach the affected application over HTTP(S) can create a new SAP user with maximum privileges, bypass all access and authorization controls (such as segregation of duties, identity management and GRC solutions) and gain complete control of the SAP system. Where the patch cannot be applied immediately, SAP's documented interim workaround is to disable the LM Configuration Wizard service.
- Help AG encourages administrators to review the SAP Security Release Notes for complete list of the affected products.
- Help AG recommends that customers update the affected products as soon as possible with the latest patches available in the SAP One Support Launchpad.
- Ensure secure configuration of your SAP landscape.
- Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
- Scan SAP systems for all known vulnerabilities, such as missing security patches, dangerous system configurations, and vulnerabilities in SAP custom code.
Microsoft Security Updates
Microsoft patched 123 security flaws across 13 products as part of its July 2020 updates, released on Patch Tuesday, 14 July 2020. The bulletin fixes 18 Critical and 105 Important severity vulnerabilities. None of the vulnerabilities in the July 2020 release had been identified as exploited in the wild at the time of publication.
A bug (CVE-2020-1350, dubbed SIGRed) in the Windows DNS Server service was the most serious flaw patched this month. Discovered by researchers at Check Point, the vulnerability has been scored 10 out of 10, and the researchers assess that it can be weaponized to create wormable (self-propagating) malware, since it affects every Windows Server version from 2003 to 2019 that runs the DNS Server role. Customers with automatic updates turned on need not take any further action to remediate this vulnerability; administrators who stage updates manually should prioritize domain controllers, which commonly host the DNS Server role.
Other notable remote code execution vulnerabilities include those in:
- The RemoteFX vGPU component of Microsoft’s Hyper-V hypervisor technology: CVE-2020-1041, CVE-2020-1040, CVE-2020-1032, CVE-2020-1036, CVE-2020-1042, CVE-2020-1043
- The Jet Database Engine included with some Office applications: CVE-2020-1400, CVE-2020-1401, CVE-2020-1407
- Microsoft Word: CVE-2020-1446, CVE-2020-1447, CVE-2020-1448
- Microsoft Excel: CVE-2020-1240
- Microsoft Outlook: CVE-2020-1349
- Microsoft SharePoint: CVE-2020-1444
- Windows LNK shortcut files: CVE-2020-1421
- Various Windows graphics components: CVE-2020-1435, CVE-2020-1408, CVE-2020-1412, CVE-2020-1409, CVE-2020-1436, CVE-2020-1355
- Help AG encourages users and administrators to review the July 2020 Release Notes and Deployment Information for more details and apply the necessary patches as soon as possible.
- Where CVE-2020-1350 cannot be patched immediately, we recommend that administrators apply the official workaround released by Microsoft: set the registry DWORD TcpReceivePacketSize to 0xFF00 under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters and restart the DNS service. This limits the size of inbound DNS messages over TCP, so legitimate TCP responses larger than that limit will be dropped; remove the value once the update has been installed.