Top Middle East Cyber Threats – 9 Nov 2020

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

North Korean Advanced Persistent Threat Focus: Kimsuky

US-CERT shared an advisory that describes the tactics, techniques, and procedures (TTPs) used by the North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

Kimsuky uses various spear phishing and social engineering methods to obtain initial access to victim networks. The other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions.

Kimsuky uses BabyShark malware, together with PowerShell or the Windows Command Shell, for execution.

After analyzing the report we found some IoCs (Indicators of Compromise) that could be related to Dubai, indicating that the United Arab Emirates might have been targeted as well.

Recommendations

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don’t allow macros in unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious attachments.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviors and shared IoCs.
  • Educate employees about detecting and reporting phishing/suspicious emails.

WordPress Patches Multiple Vulnerabilities

WordPress released a 5.5.2 update to patch 10 security bugs including a vulnerability that could allow an unauthenticated attacker to execute remote code on systems hosting the vulnerable website. Affected WordPress versions include 5.5.1 and earlier.

WordPress also fixed other vulnerabilities, including a cross-site scripting flaw, an improper access control bug and a cross-site request forgery vulnerability, each of which can be exploited by an unauthenticated user via the internet. Of these, the cross-site scripting flaw is potentially the most dangerous: a successful attack lets a remote attacker steal sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Recommendations

  • Ensure all WordPress websites are patched and updated. The latest WordPress version can be downloaded from WordPress.org, or you can update from your Dashboard: navigate to Updates and click Update Now. Please refer to the following link for further details: https://wordpress.org/support/article/updating-wordpress/

Windows kernel zero-day exploited in the wild

Security researchers have disclosed a zero-day EoP (Elevation of Privilege) vulnerability in the Windows operating system that is currently under active exploitation.

The Windows zero-day (tracked as CVE-2020-17087) was used as the second stage of a two-stage attack, together with a Chrome zero-day (tracked as CVE-2020-15999) that was fixed in October.

The Chrome zero-day was used to allow attackers to run malicious code inside Chrome, while the Windows zero-day was the second part of this attack, allowing threat actors to escape Chrome’s secure container and run code on the underlying operating system.

The zero-day is expected to be patched on November 10, which is the date of Microsoft’s next Patch Tuesday.

Recommendations

  • Keep your Chromium-based browsers up to date (such as Google Chrome, Microsoft Edge and Opera).
  • Ensure that your Windows systems are patched and updated regularly.
  • Enable software restriction policies and application whitelisting.
  • Monitor your network for abnormal behaviors and unauthenticated privileged access.
  • Log Windows, proxy, firewall, AV, and DNS queries to aid in incident response if necessary.

Oracle WebLogic RCE Flaw Update

Oracle issued an out-of-band security update to address a critical remote code execution (RCE) vulnerability, tracked as CVE-2020-14750, which affects several versions of Oracle WebLogic Server.

The advisory states that this vulnerability is related to the CVE-2020-14882 flaw that was addressed in the October 2020 Critical Patch Update. 

The vulnerability could be exploited by unauthenticated attackers via HTTP without user interaction.

Companies that run WebLogic servers are now advised to install the additional CVE-2020-14750 patch to protect from both the original CVE-2020-14882 exploit and its bypass.

Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

Recommendations

Google patches second Chrome zero-day

Google has released a security update recently for its Chrome web browser that patches ten security bugs, including one zero-day vulnerability identified as CVE-2020-16009 that is currently actively exploited in the wild.

This is the second Chrome zero-day that Google found exploited in the wild in the past two weeks.

On October 20, Google also released a security update for Chrome to patch the first zero-day vulnerability, CVE-2020-15999, which was utilized together with a Windows zero-day (CVE-2020-17087).

The Chrome zero-day was used to execute malicious code inside Chrome, while the Windows zero-day was used to elevate the code’s privileges and attack the underlying Windows OS.

Recommendations

  • Ensure all systems are patched and updated. It is advised to update your Chrome browser to version 86.0.4240.183 or later.
  • Ensure all other Chromium-based browsers (such as Microsoft Edge and Opera) are up to date.

UNC1945 Exploiting Oracle Solaris Zero-Day

Threat actor “UNC1945 Group” is using a zero-day vulnerability in the Oracle Solaris operating system (CVE-2020-14871) as part of its intrusions into corporate networks.

Regular targets of UNC1945 attacks included the likes of telecommunications, financial, and consulting companies.

The zero-day is a vulnerability in the Solaris Pluggable Authentication Module (PAM) that allowed UNC1945 to bypass authentication procedures and install a backdoor named SLAPSTICK on internet-exposed Solaris servers. The hackers then used this backdoor as an entry point to launch reconnaissance operations inside corporate networks and move laterally to other systems.

ATT&CK tactic categories and techniques observed:

  • Initial Access: T1133 External Remote Services; T1190 Exploit Public-Facing Application
  • Execution: T1059 Command and Scripting Interpreter; T1059.001 PowerShell; T1064 Scripting
  • Persistence: T1133 External Remote Services
  • Lateral Movement: T1021.001 Remote Desktop Protocol; T1021.004 SSH
  • Defense Evasion: T1027 Obfuscated Files or Information; T1070.004 File Deletion; T1070.006 Timestomp; T1064 Scripting; T1553.002 Code Signing
  • Discovery: T1046 Network Service Scanning; T1082 System Information Discovery; T1518.001 Security Software Discovery
  • Command and Control: T1071 Application Layer Protocol; T1090 Proxy; T1105 Ingress Tool Transfer; T1132.001 Standard Encoding

Recommendations

VMware Issues Updated Fix for Critical ESXi Flaw (CVE-2020-3992)

VMware issued an updated fix for a critical-severity remote code execution flaw in its ESXi hypervisor products (CVE-2020-3992).

VMware’s advisory on November 4 said updated patch versions were available after it was discovered that the previous patch, released on October 20, did not completely address the vulnerability, because certain affected versions were not covered by the earlier update.

A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a remote code execution. The flaw (CVE-2020-3992) has a CVSS score of 9.8 out of 10, with a critical severity level.

While ESXi users can update to fixed versions ESXi70U1a-17119627 (for version 7), ESXi670-202011301-SG (for version 6.7) and ESXi650-202011401-SG (for version 6.5), a patch is still pending for affected VMware Cloud Foundation versions.

Recommendations

Cisco AnyConnect zero-day

Cisco has disclosed today a zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client software with proof-of-concept exploit code publicly available.

While security updates are not yet available for this arbitrary code execution vulnerability, Cisco is working on addressing the zero-day, with a fix coming in a future AnyConnect client release.

The high severity vulnerability tracked as CVE-2020-3556 exists in the interprocess communication (IPC) channel of Cisco AnyConnect Client and it may allow authenticated and local attackers to execute malicious scripts via a targeted user.

It affects all AnyConnect client versions for Windows, Linux, and macOS with vulnerable configurations. However, mobile iOS and Android clients are not impacted by this vulnerability.

A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled. Auto Update is enabled by default, and Enable Scripting is disabled by default.
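To turn the two-setting precondition above into a repeatable check, here is an added example (not Cisco's code or part of the original advisory) that parses an AnyConnect client profile and applies the advisory's defaults when a setting is absent. It assumes the profile stores these settings as `AutoUpdate` and `EnableScripting` elements; the sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults as stated in the advisory: Auto Update on, Enable Scripting off.
DEFAULTS = {"AutoUpdate": True, "EnableScripting": False}


def _strip_ns(tag):
    """Drop a namespace prefix like '{uri}AutoUpdate' -> 'AutoUpdate'."""
    return tag.rsplit("}", 1)[-1]


def _to_bool(text):
    return (text or "").strip().lower() in ("true", "1", "yes")


def profile_settings(xml_text):
    """Return the effective AutoUpdate/EnableScripting values of a profile.

    Elements missing from the profile fall back to the advisory's defaults,
    so a profile that never mentions either setting is reported as
    AutoUpdate=True, EnableScripting=False.
    """
    root = ET.fromstring(xml_text)
    found = dict(DEFAULTS)
    for elem in root.iter():
        name = _strip_ns(elem.tag)
        if name in found:
            found[name] = _to_bool(elem.text)
    return found


def is_vulnerable_configuration(xml_text):
    """CVE-2020-3556 precondition per the advisory: both settings enabled."""
    s = profile_settings(xml_text)
    return s["AutoUpdate"] and s["EnableScripting"]


# Constructed sample profiles (assumed element names, not real deployments).
PROFILE_SCRIPTING_ON = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <EnableScripting UserControllable="false">true</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""

PROFILE_DEFAULTS_ONLY = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization/>
</AnyConnectProfile>"""

if __name__ == "__main__":
    for label, xml_text in (("scripting-on", PROFILE_SCRIPTING_ON),
                            ("defaults", PROFILE_DEFAULTS_ONLY)):
        print(label, "vulnerable" if is_vulnerable_configuration(xml_text) else "ok")
```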

Cisco also patched 11 other High and 23 Medium severity vulnerabilities in its advisory for November 5.

Recommendations
