Top Middle East Cyber Threats – 6 September 2022
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Iranian threat actors leak the code of their CodeRAT malware
The development team behind CodeRAT, a remote access trojan (RAT), has leaked the malware's source code on GitHub after SafeBreach Labs researchers analyzed a new targeted attack aimed at Farsi-speaking software developers. The attackers used a Microsoft Word document carrying a Microsoft Dynamic Data Exchange (DDE) exploit together with CodeRAT.
CodeRAT lets its operators monitor a victim's activity on social networks and on the local machine through 50 supported commands, including taking screenshots, copying the clipboard, terminating processes, analyzing GPU usage, downloading, uploading and deleting files, monitoring running processes, and executing programs.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t enable macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
- Block the IoCs within respective security controls organization wide.
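As an added example (not code from Help AG or the original post) of the kind of attachment check the recommendations above call for, this Python script scans a .docx package for the DDE/DDEAUTO field codes used to deliver CodeRAT, joining field text that has been split across runs so an obfuscated keyword is still found. The sample document, the `placeholder.exe` value and the helper names are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)
# Package parts that can carry field codes: body, headers, footers, notes.
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")

def field_codes(xml_bytes: bytes) -> list[str]:
    """Return each field instruction in a part as one string; a complex field's
    w:instrText runs are joined, so "DDE" + "AUTO" split over runs is recovered."""
    codes, current, depth = [], [], 0
    for el in ET.fromstring(xml_bytes).iter():  # iter() yields document order
        if el.tag == W + "fldSimple":  # simple field: code sits in w:instr
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:  # outermost field closed: flush its text
                    codes.append("".join(current))
                    current = []
        elif el.tag == W + "instrText" and depth > 0:
            current.append(el.text or "")
    return codes

def find_dde(docx) -> list[tuple[str, str]]:
    """Return (part name, whitespace-normalised code) for every DDE field in a .docx."""
    hits = []
    with zipfile.ZipFile(docx) as z:  # .docx is a ZIP package; path or file object
        for name in filter(PART_RE.match, z.namelist()):
            hits += [(name, " ".join(c.split())) for c in field_codes(z.read(name))
                     if DDE_RE.search(c)]
    return hits

def sample_docx() -> io.BytesIO:
    """Constructed minimal .docx: a harmless PAGE field plus a DDEAUTO split over two runs."""
    body = (f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p><w:fldSimple w:instr=" PAGE "/>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText>dde</w:instrText></w:r>'
            '<w:r><w:instrText>AUTO "placeholder.exe" "arg"</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
    return buf
```

Any hit is a reason to quarantine the attachment for analysis, since legitimate documents rarely carry DDE fields.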
Google Chrome fixes multiple vulnerabilities including a Zero-Day
Google published a security update addressing multiple vulnerabilities in the Chrome browser, fixed in the latest version 105.0.5195.52 (Mac/Linux) and 105.0.5195.52/53/54 (Windows).
The update includes 24 security fixes, 21 of which were contributed by external researchers. The most severe vulnerability reported is CVE-2022-3038, rated Critical and described as a use-after-free in Network Service. The remaining fixes cover 8 High, 9 Medium and 3 Low severity vulnerabilities.
Google also published a security update addressing a zero-day vulnerability in the Chrome browser, fixed in its latest version (105.0.5195.102).
The update fixes a high-severity vulnerability tracked as CVE-2022-3075 and described as insufficient data validation in Mojo, a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). Google is aware that exploits for this vulnerability exist in the wild.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Iranian APT deploys a new data extraction tool
Researchers analyzed a range of persistent threat activity attributed to the Iranian group APT35 (also known as Charming Kitten), leading to the discovery of a new data extraction tool. The HYPERSCRAPE tool was used to steal user data from Gmail, Yahoo! and Microsoft Outlook accounts. The attacker runs HYPERSCRAPE on their own machine to download victims' inboxes using previously acquired credentials.
HYPERSCRAPE needs access to the victim's account to run, either through a valid, authenticated user session the attacker has hijacked or through credentials the attacker has already acquired. It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account's language setting to English and iterates through the contents of the mailbox, downloading messages individually as .eml files and marking them unread. After the program has finished downloading the inbox, it reverts the language to its original setting and deletes any security emails from Google. Earlier versions included an option to request data from Google Takeout, a feature that allows users to export their data to a downloadable archive file.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t enable macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and indicators of compromise (IoCs).
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.