Top Middle East Cyber Threats – 6 June 2022

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Google Chrome Update Fixes Multiple Vulnerabilities

Google has published a security update for the Chrome browser; the fixes ship in the latest stable version, 102.0.5005.61.

The update includes 32 security fixes, 24 of which were reported by external researchers. The most severe is CVE-2022-1853, rated Critical, a use-after-free in Indexed DB.

Of the 24 externally reported issues, one is rated Critical (CVE-2022-1853), 8 High, 9 Medium and 6 Low.

RECOMMENDATIONS

  • Update Chrome to 102.0.5005.61 or later on all systems; chrome://settings/help shows the installed version and triggers the update.

ChromeLoader Malware Threatens Browsers Worldwide

ChromeLoader detections rose sharply in May, making this browser hijacker a widespread threat.

ChromeLoader targets Windows and macOS. It uses PowerShell (Windows) and bash (macOS) scripts to alter the victim's browser settings so that search results promote unwanted software, fake giveaways and surveys, as well as adult games and dating sites.

The operators deliver it as a malicious ISO image that masquerades as a cracked game or commercial application, so victims typically download it themselves from torrent or other malicious sites.

The infection chain on macOS is similar, but the threat actors use a DMG (Apple Disk Image) instead of an ISO.

Instead of an installer executable, the macOS variant uses an installer bash script that downloads and decompresses the ChromeLoader extension into the /private/var/tmp directory.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t enable macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
  • Block the IoCs within respective security controls organization wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

New Zero-Day Follina Found in Microsoft Office

A new zero-day flaw in Microsoft Office, named Follina, can be abused to achieve arbitrary code execution on affected Windows systems. The exploit abuses the remote template feature of Microsoft Word.

The malicious document first loads an HTML file from a remote web server. That HTML then invokes the Microsoft Support Diagnostic Tool (MSDT) through the ms-msdt: URI protocol handler, which executes attacker-supplied PowerShell code.

At the time of writing the exploit evades Microsoft Defender for Endpoint. It has been confirmed to work on Office 2013 and 2016 as well as on fully patched Office 2019 and 2021.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t enable macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and shared IoCs.
  • Block the IoCs within respective security controls organization wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.
  • If you use Microsoft Defender's Attack Surface Reduction (ASR) rules, enabling the rule "Block all Office applications from creating child processes" in Block mode prevents exploitation. If you are not yet using ASR, run the rule in Audit mode first and monitor the results to make sure it has no adverse impact on end users.

Another option is to remove the ms-msdt protocol handler registration (the HKCR:\ms-msdt registry key, which can be deleted by hand or with Kelvin Tegelaar's PowerShell snippet). When the malicious document is opened, Office can no longer hand the ms-msdt: URI to MSDT, so the payload never runs. Note that this is a URI scheme handler rather than a file type association, and that removing it also breaks any legitimate ms-msdt: links, so back up the registry key before applying this mitigation so it can be restored.
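The following script is an added example, not code from the advisory and not Kelvin Tegelaar's snippet; it applies both mitigations above on a single Windows host and verifies them. It assumes an elevated PowerShell session, the Defender module (Add-MpPreference / Get-MpPreference), and a backup location under ProgramData that you can change. The ASR rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A is the identifier of "Block all Office applications from creating child processes".

```powershell
<#
 Added example (not the advisory's own code). Mitigates the Follina ms-msdt
 vector on one Windows host:
   1. backs up and removes the ms-msdt protocol handler registration
   2. enables the ASR rule "Block all Office applications from creating
      child processes" in Audit or Block mode
   3. reports the resulting state of both controls
 Requires an elevated PowerShell session and the Windows Defender module.
 The backup path is an assumption; adjust it for your environment.
#>
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Block')]
    [string]$AsrMode = 'Audit',   # start in Audit, switch to Block once the log is clean
    [string]$BackupPath = "$env:ProgramData\FollinaMitigation\ms-msdt.reg"   # assumed location
)

$ErrorActionPreference = 'Stop'
$HandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$AsrRuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Block all Office apps from creating child processes

# Registry and Defender changes need administrator rights; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# --- 1. ms-msdt handler: back up first, delete only if the backup succeeded ---
if (Test-Path "Registry::$HandlerKey") {
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $BackupPath) | Out-Null
    # reg.exe export writes a .reg file; "reg.exe import <file>" restores the key later.
    & reg.exe export $HandlerKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
        throw "Backup of $HandlerKey failed; leaving the key in place."
    }
    Remove-Item -Path "Registry::$HandlerKey" -Recurse -Force
    Write-Host "Removed $HandlerKey (backup at $BackupPath)"
} else {
    Write-Host "$HandlerKey is not registered; nothing to remove."
}

# --- 2. ASR rule: AuditMode only logs what would be blocked, Enabled enforces ---
$action = if ($AsrMode -eq 'Block') { 'Enabled' } else { 'AuditMode' }
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                 -AttackSurfaceReductionRules_Actions $action

# --- 3. Verify: read back the rule state and confirm the handler key is gone ---
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$state   = 'NotConfigured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $AsrRuleId) {
        # Get-MpPreference reports the action as a code: 0=Disabled 1=Block 2=Audit 6=Warn
        $state = switch ([int]$actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Code $_" }
        }
        break
    }
}
[pscustomobject]@{
    MsMsdtHandlerPresent = Test-Path "Registry::$HandlerKey"   # expect False
    AsrRuleState         = $state                               # expect Audit or Block
}
```

Save it as, for example, Mitigate-Follina.ps1 (name assumed) and run it once with the default Audit mode; ASR audit hits appear as Event ID 1122, and blocks as Event ID 1121, in the Microsoft-Windows-Windows Defender/Operational log. Once a few days of audit data show no legitimate Office child processes being flagged, rerun with -AsrMode Block. To undo the registry change, run reg.exe import against the backup file.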

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird

Multiple vulnerabilities have been patched in Mozilla Firefox, Firefox ESR and Thunderbird. The most severe could be exploited to achieve arbitrary code execution on affected systems; the impact depends on the privileges of the user running the affected application.

The following versions are affected:

  • Mozilla Firefox versions prior to 101
  • Firefox ESR versions prior to 91.10
  • Thunderbird versions prior to 91.10

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Apply the Principle of Least Privilege to all systems and services.
