Top Middle East Cyber Threats – 9 May 2022

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Iranian APT Exploits CVE-2022-22954 VMware Flaw

The Iran-linked APT group Rocket Kitten has been observed exploiting the recently patched CVE-2022-22954, a VMware Workspace ONE Access flaw, to deploy the agent of the ‘Core Impact’ penetration-testing framework as a backdoor.

CVE-2022-22954 is a server-side template injection vulnerability with a CVSS score of 9.8. A malicious actor with network access to the appliance can use it to achieve full remote code execution against VMware’s identity and access management platform (Workspace ONE Access, formerly VMware Identity Manager).

The attacker gains initial access to the environment by exploiting the flaw in the VMware Identity Manager service, then deploys a PowerShell stager that downloads the next stage. Finally, the Core Impact agent is injected directly into memory, so the final payload need not be written to disk where file-based antivirus would see it.
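Since the first link in this chain is a template expression smuggled into a request parameter, the earliest place to catch it is the appliance's web-server access log. The following Python scanner is an added example (not code from the advisory or from the researchers it summarises): it URL-decodes each request URI, including double-encoded ones, looks for template-expression syntax from several engines, and raises the severity when the expression also names a code-execution helper. The log lines, the /ui/verify path and the udid parameter are constructed for illustration and are not the exploit details of CVE-2022-22954; the marker and hint lists are generic assumptions.

```python
"""Added example: flag server-side template injection (SSTI) attempts in
web-server access logs.  Log lines, the /ui/verify path and the udid
parameter are constructed for illustration and are not the exploit details
of CVE-2022-22954; the marker list is a generic set of template syntaxes."""
import re
from urllib.parse import unquote

# Template-expression syntaxes seen in SSTI payloads (FreeMarker/Velocity-style
# ${...}, FreeMarker <#...> directives, Jinja/Twig {{...}}, EL-style #{...}).
SSTI_MARKERS = [
    re.compile(r"\$\{.*?\}"),
    re.compile(r"<#.*?>"),
    re.compile(r"\{\{.*?\}\}"),
    re.compile(r"#\{.*?\}"),
]
# Names inside an expression that indicate an attempt to run code rather than
# a harmless probe such as ${7*7}.  Assumption: generic, engine-agnostic list.
EXEC_HINTS = ("Execute", "Runtime", "ProcessBuilder", "getRuntime", "exec(")

# Apache/nginx combined-format request line (remote host, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def decode_uri(uri, rounds=3):
    """URL-decode repeatedly so double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def scan_line(line):
    """Return a finding for a request carrying a template expression, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = decode_uri(m.group("uri"))
    for marker in SSTI_MARKERS:
        hit = marker.search(uri)
        if hit:
            expr = hit.group(0)
            severity = "high" if any(h in expr for h in EXEC_HINTS) else "medium"
            return {
                "src": m.group("src"), "ts": m.group("ts"), "uri": uri,
                "expr": expr, "severity": severity, "status": int(m.group("status")),
            }
    return None


def scan_log(lines):
    """All findings in a log, in order; a 'high' hit that returned 200 deserves an IR call."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample log: a normal login, a double-encoded ${7*7} probe, then an
# expression that names an execution helper.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/May/2022:10:12:01 +0400] "GET /auth/login HTTP/1.1" 200 5123',
    '198.51.100.23 - - [03/May/2022:10:15:44 +0400] "GET /ui/verify?udid=%2524%257B7*7%257D HTTP/1.1" 400 312',
    '198.51.100.23 - - [03/May/2022:10:15:51 +0400] "GET /ui/verify?udid=%24%7B%22Execute%22%3Fnew%28%29%28%22whoami%22%29%7D HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["severity"], finding["src"], finding["expr"], finding["status"])
```

Run it over a real access log with `scan_log(open(path))`; the status code is kept on each finding because a template expression that was answered with 200 rather than 400 is the one to escalate, and the `${7*7}` style probe from the same source a few seconds earlier is the reconnaissance that usually precedes it.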

RECOMMENDATIONS

  • Ensure all systems are patched and updated; in particular, apply VMware’s fix for CVE-2022-22954 to Workspace ONE Access / Identity Manager and, since the flaw is being actively exploited, check unpatched internet-facing instances for signs of compromise rather than only patching them.
  • Enable software restriction policies and application whitelisting.
  • Enforce the Restricted PowerShell script execution policy for end users. Execution policy is a usability safeguard rather than a security boundary (it can be bypassed with a single command-line switch), so pair it with PowerShell script block logging, Constrained Language Mode and AppLocker or WDAC rules.
  • Monitor your network for abnormal behaviour and shared indicators of compromise (IoCs).
  • Block the IoCs within the respective security controls organisation-wide.
  • Ensure frequent backups are in place.

Google Chrome Update Fixes Multiple Vulnerabilities

Google has released a Chrome browser update that includes 29 security fixes. The latest version of the stable channel is now Chrome 101.0.4951.41 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

Microsoft advises Edge users to update as well, since the Chromium-based Edge shares many of these vulnerabilities.

Six of the vulnerabilities are rated “high”. Four of those are use-after-free bugs, a memory-corruption class that an attacker can leverage to execute arbitrary code in the browser.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

AvosLocker Uses New Trick to Disable Antivirus Protection

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection once it has breached a target network through unpatched security flaws.

In addition, the ransomware is capable of scanning multiple endpoints for the Log4j vulnerability (Log4Shell) using an Nmap NSE script.

Initial access is believed to have come from exploiting a remote code execution flaw in Zoho’s ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML Application (HTA) hosted on a remote server.

The HTA executed an obfuscated PowerShell script containing shellcode that connects back to the C2 server to execute arbitrary commands.

The AvosLocker leak site claims to have targeted victims in multiple countries including the United Arab Emirates.

RECOMMENDATIONS

  • Ensure all systems are patched and updated, including Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) and any network-exposed services that embed a vulnerable Log4j.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t enable macros for unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and shared indicators of compromise (IoCs).
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.
