Top Middle East Cyber Threats – April 16, 2024

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.

Increasing Vishing Attacks Target UAE Pass Users

Help AG’s Cyber Threat Intelligence Team has observed an increase in vishing (voice phishing) attacks targeting users of the UAE Pass digital identity application in the United Arab Emirates. Attackers impersonate police authorities and persuade users to share their one-time passcodes (OTPs).

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Remain vigilant against such scams, especially when receiving unexpected calls, messages, or notifications of login requests you did not initiate.
  • Validate any such request through an official channel before responding; this social engineering aims to obtain the OTP that lets the caller complete an unauthorized login to the victim’s account.
  • Never share OTPs or other account information with unknown parties; legitimate authorities will not ask for them.

Researchers Uncover New C2 Framework Used by MuddyWater

Deep Instinct’s threat research team has uncovered a previously unreported Command and Control (C2) framework, named DarkBeatC2, used by a threat actor known as MuddyWater.

The C2 server was found hosting “reNgine,” an open-source reconnaissance framework. While there is no public record of MuddyWater using this framework before, the threat actor is known for employing various open-source tools. Additionally, some domains match the infrastructure previously used by the attackers. Another tool identified on the C2 servers is “Tactical RMM,” a remote monitoring and management tool.

Similar to previous C2 frameworks used by the actors, DarkBeatC2 also functions as a centralized hub for managing all compromised machines.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Do not allow macros in Microsoft Office files from unknown sources.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Palo Alto Networks Identifies Critical Command Injection Vulnerability in PAN-OS

A command injection vulnerability has been discovered in the GlobalProtect feature of Palo Alto Networks PAN-OS software, affecting specific versions and feature configurations. This vulnerability could allow an unauthorized attacker to execute arbitrary code with root privileges on the firewall. It has been assigned a CVSS score of 10.0 (Critical).

Palo Alto Networks is aware that the vulnerability is being actively exploited. The issue affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with both a GlobalProtect gateway and device telemetry enabled. Whether a GlobalProtect gateway is configured can be verified in the web interface under Network > GlobalProtect > Gateways; the device telemetry setting is under Device > Setup > Telemetry.

As per Palo Alto Networks, fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in the development phase and are expected to be released by April 14, 2024.

Version          Affected        Unaffected
Cloud NGFW       None            All
PAN-OS 11.1      < 11.1.2-h3     >= 11.1.2-h3 (ETA: by 4/14)
PAN-OS 11.0      < 11.0.4-h1     >= 11.0.4-h1 (ETA: by 4/14)
PAN-OS 10.2      < 10.2.9-h1     >= 10.2.9-h1 (ETA: by 4/14)
PAN-OS 10.1      None            All
PAN-OS 10.0      None            All
PAN-OS 9.1       None            All
PAN-OS 9.0       None            All
Prisma Access    None            All


RECOMMENDATIONS

  • While patches are under development, Palo Alto Networks recommends that customers with a Threat Prevention subscription mitigate this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) to block attack attempts.
  • If Threat Prevention cannot be enabled, temporarily disable device telemetry until the device is upgraded to a fixed PAN-OS version, and re-enable it after the upgrade has completed successfully.
  • Also ensure that a vulnerability protection profile is applied to the GlobalProtect interface to prevent exploitation of this issue on affected devices.
  • Ensure all systems are updated as soon as the vendor releases the patches.
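The affected/unaffected table above combines a version threshold with a configuration precondition (GlobalProtect gateway plus device telemetry), and the hotfix suffix (“-h3”) makes naive string comparison unreliable. The following is an added example, not code from Help AG or Palo Alto Networks, that encodes the table as published on this page and triages a constructed firewall inventory. The inventory records, the `needs_action` field names and the `triage` helper are assumptions for illustration; an operator would populate the records from their own asset data.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per affected PAN-OS train, taken from the advisory table
# on this page. Trains listed as "None / All" need no entry.
FIRST_FIXED: Dict[Tuple[int, int], str] = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# PAN-OS versions look like MAJOR.MINOR.MAINT with an optional "-hN" hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h3' into (11, 1, 2, 3); a missing hotfix counts as h0.

    Returning a tuple lets Python compare versions numerically, so
    11.1.2-h10 correctly sorts after 11.1.2-h3 (string comparison would not).
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str, gp_gateway: bool, telemetry: bool) -> Tuple[bool, str]:
    """Apply the table and the configuration precondition stated in the advisory.

    Returns (vulnerable, reason). Trains absent from the table (e.g. 10.1, 9.x)
    are treated as unaffected, exactly as the page lists them.
    """
    parsed = parse_version(version)
    train = parsed[:2]
    fixed_text: Optional[str] = FIRST_FIXED.get(train)
    if fixed_text is None:
        return False, f"PAN-OS {train[0]}.{train[1]} is not an affected train"
    if parsed >= parse_version(fixed_text):
        return False, f"{version} is at or above the fixed release {fixed_text}"
    if not (gp_gateway and telemetry):
        return False, (f"{version} is below {fixed_text}, but the precondition "
                       "(GlobalProtect gateway AND device telemetry) is not met")
    return True, (f"{version} is below {fixed_text} with GlobalProtect gateway "
                  "and device telemetry enabled")


# Constructed inventory records (hostnames and settings are made up).
INVENTORY: List[Dict] = [
    {"host": "fw-dxb-01", "version": "11.1.2",    "gp_gateway": True,  "telemetry": True},
    {"host": "fw-dxb-02", "version": "11.1.2-h3", "gp_gateway": True,  "telemetry": True},
    {"host": "fw-auh-01", "version": "10.2.8",    "gp_gateway": True,  "telemetry": False},
    {"host": "fw-ruh-01", "version": "10.1.11",   "gp_gateway": True,  "telemetry": True},
    {"host": "fw-jed-01", "version": "11.0.3",    "gp_gateway": True,  "telemetry": True},
]


def triage(inventory: List[Dict]) -> List[Dict]:
    """Return one row per device: vulnerable flag, reason, and the interim action.

    Devices below the fix but outside the precondition are still flagged for
    patching (needs_patch) so they are not forgotten once patches ship.
    """
    rows = []
    for dev in inventory:
        vulnerable, reason = is_vulnerable(dev["version"], dev["gp_gateway"], dev["telemetry"])
        train = parse_version(dev["version"])[:2]
        below_fix = (train in FIRST_FIXED
                     and parse_version(dev["version"]) < parse_version(FIRST_FIXED[train]))
        rows.append({
            "host": dev["host"],
            "vulnerable": vulnerable,
            "needs_patch": below_fix,
            # Interim mitigation from the advisory: Threat ID 95187 if Threat
            # Prevention is licensed, otherwise disable telemetry until patched.
            "interim_action": ("enable Threat ID 95187 or disable device telemetry"
                               if vulnerable else "none"),
            "reason": reason,
        })
    return rows


def hosts_needing_action(inventory: List[Dict]) -> List[str]:
    """Hostnames that are exploitable right now under the advisory's conditions."""
    return [row["host"] for row in triage(inventory) if row["vulnerable"]]


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['host']:10} vulnerable={row['vulnerable']!s:5} "
              f"patch={row['needs_patch']!s:5} {row['reason']}")
```

The precondition check mirrors the page’s wording (both features enabled); if the vendor later broadens the affected configuration, only the `if not (gp_gateway and telemetry)` branch needs to change, while the `needs_patch` flag already captures every device below the fixed release regardless of configuration.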

Black Maskers Army Intensifies Cyber Attacks on Key KSA and UAE Targets

Recent activities from the hacktivist group Black Maskers Army have emerged, announcing their intent to target several entities in Saudi Arabia and the United Arab Emirates. Additionally, there have been reports of a series of Distributed Denial of Service (DDoS) attacks targeting various organizations in Saudi Arabia, attributed to another hacktivist group, the Sylhet Gang.

Black Maskers Army, affiliated with KillNet, engages in hacking publicly accessible websites and orchestrating DDoS campaigns against multiple organizations.

RECOMMENDATIONS

  • Vigilantly monitor for web-based exploit attempts and keep public websites updated with the latest security patches.
  • Ensure your organization has sufficient bandwidth, and build redundancy by spreading traffic across load balancers.
  • Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols.
  • Deploy a DDoS protection solution to protect your servers from both network-layer and application-layer DDoS attacks.
  • Maintain a DDoS response plan so that an attack can be handled quickly and effectively and its impact minimized.
  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Enable software restriction policies and application whitelisting.
  • Enforce the Restricted PowerShell script execution policy.
  • Monitor your network for abnormal behaviors and IoCs.
  • Ensure frequent backups are in place.

REFERENCES

https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework

https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-Boggy-Serpens-use-of-AutodialDLL.txt

https://security.paloaltonetworks.com/CVE-2024-3383

https://security.paloaltonetworks.com/CVE-2024-3385

https://security.paloaltonetworks.com/CVE-2024-3382

https://security.paloaltonetworks.com/CVE-2024-3384

https://security.paloaltonetworks.com/CVE-2024-3386

https://security.paloaltonetworks.com/CVE-2024-3387

https://security.paloaltonetworks.com/CVE-2024-3388

https://security.paloaltonetworks.com/CVE-2024-3400

https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184

https://unit42.paloaltonetworks.com/cve-2024-3400/

https://twitter.com/FalconFeedsio/status/1779545269883080744
