Threat advisories

Top Middle East Cyber Threats – 7 June 2021

Jun-2021 7 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Researchers Confirm Windows HTTP Vulnerability Affecting WinRM Servers

During the May 2021 Patch Tuesday, Microsoft patched a critical bug identified as CVE-2021-31166 with a severity score of 9.8. This recently disclosed wormable vulnerability in the Windows IIS server’s HTTP Protocol Stack can also be used to publicly expose the WinRM (Windows Remote Management) service on unpatched Windows 10 and Server systems. The vulnerability can be exploited by threats in remote code execution (RCE) attacks, and it only affects Windows 10 and Windows Server versions 2004 and 20H2. An unauthenticated attacker could leverage the flaw to run arbitrary code on vulnerable computers.

A security researcher recently published proof-of-concept exploit code that can be used to crash unpatched systems by triggering blue screens of death using maliciously crafted packets. The CVE-2021-31166 exploits require attackers to send maliciously crafted packets to servers that process packets using the vulnerable HTTP Protocol Stack. It should be noted that the exploit code released by the security researcher is a proof-of-concept (PoC) that currently lacks auto-spreading capabilities. However, in the world we live in, the alterations are not difficult to implement.

The flaw was discovered in the HTTP Protocol Stack (HTTP.sys), which is used by the Windows IIS web server as a protocol listener to process HTTP requests. Another security researcher discovered that this flaw affects Windows 10 and Server devices that run the WinRM service (Windows Remote Management), a feature of the Windows Hardware Management feature set that uses the vulnerable HTTP.sys.

Potentially the vulnerable WinRM service is exposed on over two million Windows systems that are accessible via the Internet. The release of the exploit may enable adversaries to create their own exploits more quickly, potentially allowing remote code execution.

RECOMMENDATIONS

Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
Review the official notification and deploy necessary patches in the environment as soon as possible.

VMware Alerts on Critical Vulnerability in vCenter Server Installs

On May 25, VMware patched a privately reported vulnerability rated with a CVSSv3 base score of 9.8 out of 10. The vulnerability, tracked as CVE-2021-21985, affects vCenter Server 6.5, 6.7, and 7.0, according to a security advisory published by VMware. An unauthenticated attacker can exploit this vulnerability remotely in low complexity attacks that do not require user interaction.

Due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server, the vSphere Client (HTML5) contains a remote code execution vulnerability. A bad actor with network access to port 443 could take advantage of this flaw to execute commands with unrestricted rights on the underlying operating system that hosts vCenter Server. In addition, VMware patched a medium severity authentication mechanism flaw identified as CVE-2021-21986 that affected the vSphere Lifecycle Manager, Virtual SAN Health Check, Site Recovery, and VMware Cloud Director Availability plug-ins.

RECOMMENDATIONS

Review the official notification (VMSA-2021-0010) and apply necessary workarounds or patches whichever is applicable as soon as possible.
Review workaround steps provided by VMware, that aim to remove the attack vector and the likelihood of exploitation by changing the impacted plugins to “incompatible.”
Review the baseline security best practices for vSphere in the vSphere Security Configuration Guide.

Agrius Ransomware

According to a recently published report, it discovered a new threat actor operating out of Iran that depended heavily on data-wiping malware to demolish its target IT infrastructure before demanding ransoms in an attempt to disguise their attacks as ransomware extortion. The threat actor, known as Agrius, has been active since early 2020, although initial attacks were focused at targets in the Middle East region, the threat actor has been active since December 2020.

Agrius used a data-wiping malware called DEADWOOD, also known as Detbosit, in the initial attacks, a tool that has previously been used by other Iranian threat actors. To obtain a foothold on a target network, DEADWOOD exploited vulnerabilities in unpatched servers, which attackers used to install the ASPXSpy web shell and then the IPSec Helper backdoor. When a target network was prepared and thoroughly infected, the Agrius group would deploy DEADWOOD, delete files and corrupt MBR partitions, then demand a ransom payment to divert the victim’s IT teams attention away from the true goal of their attacks. Agrius group made countless attempts to exploit FortiOS CVE-2018-13379 vulnerability. Aside from attempting to exploit CVE-2018-13379, Agrius was observed attempting to exploit a number of 1-day vulnerabilities in web-based applications, as well as SQL injection.

Since DEADWOOD would be detected as it was a well-known malware strain, the group created a new tool called Apostle. While the first version of Apostle failed to erase files, the group was forced to return to DEADWOOD to finish their intrusions. According to the report, a second version of the Apostle data wiper was discovered, which not only fixed the malware’s logical flaws that prevented it from wiping files, but also included a file-encryption routine, converting Apostle into fully functional ransomware.

In the past we’ve seen some reports claiming close proximity of the Agrius and n3tw0rm campaigns. The Apostle ransomware analysis offers a unique perspective on specialized attacks, drawing a solid demarcation between what began as wiper malware and later evolved into a fully functional ransomware.

RECOMMENDATIONS

Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
Keep antivirus signatures and engines up to date.
Enable a personal firewall on user workstations, configured to deny unsolicited connection requests.
Block the indicators of compromise within respective security controls organization wide.

Email Based Attacks by Threat Actor “NOBELIUM”

According to a recent report by Microsoft researchers, the threat actor behind the SolarWinds attacks, NOBELIUM, has launched a large-scale malicious email campaign. As per the report, a threat actor is targeting a large number of organizations, with attacks reaching a peak on May 25, 2021. The attacks, which used e-mails that appeared to be from a legitimate government entity, affected more than 150 different organizations in 24 countries. This spearphishing campaign is more effective because the attackers gained access to the entity’s Constant Contact e-mail service account first. The compromised account was used to send the fraudulent emails, which included malicious URL links.

These malicious URLs use a variety of methods to install an ISO file that allows the attackers to set up a Cobalt Strike command and control center. These ISO files are sometimes staged using the Google Firebase platform, or they are encoded within an HTML document. The use of ISO files can elude antivirus software because it avoids Microsoft’s “Mark of the Web” security approach, which was implemented with Windows XP.

The report focuses primarily on four malware families that were used, but it also highlights campaign variations in which methodologies were altered per attack scenario. NOBELIUM is able to gain persistent access to compromised systems, which is attributed to the successful deployment of malicious payloads. The successful execution of these malicious payloads could then allow NOBELIUM to carry out action-on objectives such as lateral movement, data exfiltration, and malware delivery.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a notification emphasizing the importance of implementing mitigating measures to reduce the impact of this threat.

RECOMMENDATIONS

Enable cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to protect against continuously emerging attacker tools and techniques.
Enable network protection to prevent applications and users from accessing malicious domains and other malicious content on the internet.
Increase network visibility by identifying unmanaged devices on your network and onboarding them to defensive controls such as antivirus.
Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
Use MFA (Multi-Factor Authentication) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
Blocking the indicators of compromise within respective security controls organization wide.

References: