Top Middle East Cyber Threats – April 02, 2024
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.
DDoS Campaign Targets Multiple Entities in UAE and KSA
Help AG’s Cyber Threat Intelligence Team has observed an ongoing DDoS campaign against multiple entities in the United Arab Emirates and Saudi Arabia, claimed by SYLHET GANG-SG and other anonymous groups. The hacktivists state that they are targeting UAE digital infrastructure, aiming at over 5,000 IPs and devices alongside 800+ government-related domains.
Help AG’s CTI Team will continue to monitor and provide updates on any further relevant information.
RECOMMENDATIONS
- Ensure sufficient bandwidth in your organization and provide redundancy by spreading traffic across load balancers.
- Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols.
- Deploy DDoS protection solutions to protect your servers from both network and application layer DDoS attacks.
- Have a response plan in place in order to help you quickly and effectively respond to an attack (if and when it happens) and minimize its impact.
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Enable software restriction policies and application whitelisting.
- Enforce the Restricted PowerShell script execution policy.
- Monitor your network for abnormal behaviours and IoCs.
- Ensure frequent backups are in place.
Google Chrome Addresses 7 Vulnerabilities
Google has published a security update addressing 7 security issues in the Chrome browser. The fixes ship in Chrome 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux.
This update contains seven security fixes, four of which were reported by external researchers: one rated Critical and three rated High.
The Critical vulnerability, CVE-2024-2883, is a use-after-free (UAF) in the ANGLE component.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
TA450 Targets Multinationals with Malicious Email Attachments
TA450, a threat actor also known as MuddyWater, Mango Sandstorm and Static Kitten, has been observed running social engineering campaigns against employees of large multinational companies. These activities are part of a trend of focusing on organizations mainly in the manufacturing, technology, and information security sectors.
TA450 distributed emails featuring PDF attachments that contained malicious links. These links were related to file sharing sites – including Egnyte, Onehub, Sync and TeraBox.
If a recipient opened the attachment and clicked on the embedded link, it would initiate the download of a ZIP archive containing a compressed MSI file. Upon extraction and execution, this MSI would install AteraAgent, a remote administration tool that has been abused by TA450.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Don’t allow macros in MS Office files from unknown sources.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block suspicious attachments.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviours and IoCs.
- Block the indicators of compromise within the respective security controls organization-wide.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
Suspected APT – Curious Serpens Deploys FalseFont Backdoor
The suspected threat actor Curious Serpens, known by aliases including Peach Sandstorm, APT33, Elfin, Holmium, Magnalium and Refined Kitten, has been identified deploying a new backdoor named FalseFont. The backdoor, written in ASP.NET Core, has a range of capabilities: executing processes and commands on the infected machine, manipulating the file system, capturing the screen, stealing credentials from browsers, and stealing credentials for an aerospace-industry job application platform, which could contain sensitive aerospace data.
The FalseFont sample detected in the wild is bundled into a single native executable of 182 MB. It targets job applicants in the aerospace and defense sectors by posing as a graphical interface for submitting job applications to a U.S.-based aerospace company. While the user interacts with the GUI, the malware’s main component operates in the background, establishing persistence and connecting to its command-and-control (C2) server.
During initialization, FalseFont initiates communication with its C2 domain, collecting and transmitting machine hostname, login username, and operating system details.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Don’t allow macros in MS Office files from unknown sources.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block suspicious attachments.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviours and IoCs.
- Block the indicators of compromise within the respective security controls organization-wide.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
Ivanti Security Update Fixes Two Critical Vulnerabilities
Ivanti has published a security update to address two critical severity vulnerabilities in Ivanti Neurons for ITSM and Ivanti Standalone Sentry products.
CVE-2023-46808 – An authenticated remote user can write files to the ITSM server. Successful exploitation can place files in sensitive directories, which may allow an attacker to execute commands in the context of the web application’s user. This vulnerability impacts all supported versions of Ivanti Neurons for ITSM (2023.3, 2023.2 and 2023.1).
CVE-2023-41724 – An unauthenticated threat actor on the same physical or logical network can execute arbitrary commands on the underlying operating system of the Standalone Sentry appliance. This vulnerability impacts all supported versions (9.17.0, 9.18.0 and 9.19.0) as well as earlier versions.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Critical Supply Chain Compromise Affects Linux Platform
Red Hat has released an advisory on CVE-2024-3094, rated Critical with a CVSS score of 10. The vulnerability is the result of a supply chain compromise affecting the latest versions of the XZ tools and libraries.
XZ is a lossless data compression format found on Unix-like operating systems, frequently compared to other popular formats such as gzip and bzip2. XZ Utils is the command line tool set for compressing and decompressing XZ files.
A backdoor has been identified in XZ Utils versions 5.6.0 and 5.6.1 which, under certain conditions, may allow attackers to bypass SSH authentication on specific versions of certain Linux distributions. It was identified by security researchers investigating failing SSH logins that caused high CPU load. Microsoft has disabled the XZ Utils GitHub repository maintained by the Tukaani Project “due to a violation of GitHub’s terms of service”, and there are currently no reports of active exploitation in the wild.
RECOMMENDATIONS
- Downgrade XZ Utils to an uncompromised version, specifically XZ Utils 5.4.6 Stable
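The following POSIX shell script is an added example, not Help AG tooling or anything from the Red Hat or Chrome advisories. It turns two of the patch-status checks in this digest into runnable form: it flags the backdoored XZ Utils releases named above (5.6.0 and 5.6.1, CVE-2024-3094) and verifies that an installed Chrome build is at or above the fixed version 123.0.6312.86. The affected and fixed version numbers come from this page; the sample `xz --version` line used in the comments is constructed, and the sshd/liblzma check is an added detection step based on the fact that on affected distributions sshd loads liblzma indirectly, which is how the backdoor reaches the SSH daemon.

```shell
#!/bin/sh
# Added example (not from Help AG or the vendors): audit a host for the
# backdoored XZ Utils releases (5.6.0, 5.6.1) and check the Chrome build
# against the fixed version 123.0.6312.86. Version numbers are from the
# digest above; everything else is assumption for illustration.

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Components are compared numerically; a missing component counts as 0,
# so "5.4" sorts below "5.4.6".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        # drop the leading component; empty once no dot is left
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1
}

# parse_xz_version LINE: extract "X.Y.Z" from the first line of `xz --version`.
# Constructed sample input: "xz (XZ Utils) 5.6.1" -> prints "5.6.1".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# xz_version_affected VERSION: exit 0 when VERSION is one of the backdoored
# releases named in the advisory, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# chrome_is_patched VERSION: exit 0 when VERSION is at least 123.0.6312.86
# (the Linux fixed build; .87 for Windows/Mac also passes).
chrome_is_patched() {
    if version_lt "$1" "123.0.6312.86"; then return 1; fi
    return 0
}

# sshd_links_liblzma: exit 0 if the local sshd binary pulls in liblzma,
# 1 if it does not, 2 if sshd or ldd cannot be found. Linux-only check.
sshd_links_liblzma() {
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_bin" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$sshd_bin" 2>/dev/null | grep -q liblzma
}

# audit_host: run the checks on this machine and print one verdict per item.
audit_host() {
    if command -v xz >/dev/null 2>&1; then
        v=$(parse_xz_version "$(xz --version 2>/dev/null | head -n 1)")
        if [ -z "$v" ]; then
            echo "xz: installed but version line could not be parsed"
        elif xz_version_affected "$v"; then
            echo "xz $v: AFFECTED (CVE-2024-3094) - downgrade to 5.4.6"
        else
            echo "xz $v: not an affected release"
        fi
    else
        echo "xz: not installed"
    fi
    if sshd_links_liblzma; then
        echo "sshd: links liblzma (exposed if an affected xz is installed)"
    else
        echo "sshd: does not link liblzma, or sshd/ldd not found"
    fi
    if command -v google-chrome >/dev/null 2>&1; then
        cv=$(google-chrome --version 2>/dev/null | sed -n 's/.* \([0-9][0-9.]*\).*/\1/p')
        if chrome_is_patched "$cv"; then
            echo "chrome $cv: at or above fixed build 123.0.6312.86"
        else
            echo "chrome $cv: BELOW fixed build 123.0.6312.86 - update"
        fi
    fi
}

audit_host
```

Run it as a normal user on each Linux host; the xz and sshd checks are independent, so a host with an affected xz but an sshd that does not link liblzma is still worth remediating, since the package itself remains compromised.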
REFERENCES
https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_26.html
https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users