Top Middle East Cyber Threats – April 22nd, 2025

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats. 

APT29 Targets Diplomats Using GRAPELOADER and WINELOADER 

Researchers have observed a phishing campaign attributed to APT29, a threat group, targeting diplomatic entities across Europe. The operation impersonates a European foreign ministry to deliver fake event invitations, often themed around wine tastings. 

The campaign introduces a new loader, GRAPELOADER, used in the initial stages for tasks such as fingerprinting, persistence, and payload delivery. A refined variant of the WINELOADER backdoor is also used in later stages. Both tools share similar code structures and obfuscation techniques, with GRAPELOADER offering enhanced stealth and anti-analysis capabilities. 

This campaign primarily targets Ministries of Foreign Affairs and foreign embassies across Europe, with limited activity observed beyond the continent, including some diplomatic entities in the Middle East. 

RECOMMENDATIONS 

  • Apply the principle of least privilege to minimize access to sensitive systems and data. 
  • Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones. 
  • Regularly patch and update internet-facing systems to reduce exposure to known vulnerabilities. 
  • Conduct awareness programs to educate users about phishing attacks and social engineering tactics. 
  • Monitor network activity for abnormal behavior and Indicators of Compromise (IOCs). 
  • Ensure timely implementation of IOCs to strengthen security posture and mitigate potential threats. 

APT Group Exploits Ivanti VPN Flaws Across Multiple Entities 

Researchers have identified an APT group actively exploiting a critical vulnerability in Ivanti Connect Secure VPN. The campaign targeted organizations across multiple continents, affecting twelve countries and nearly twenty industries. Evidence suggests the threat actor maintained persistent network access during the analysis. 

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.    

Red Menshen Deploys BPFDoor to Target Sectors Across Asia and North Africa 

Researchers have identified a previously unseen BPFDoor controller, linked to the APT group Red Menshen (also tracked as Earth Bluecrow). BPFDoor, a state-sponsored backdoor used for cyberespionage, allows reverse shell access and facilitates lateral movement within compromised networks. Recent campaigns have targeted the telecom, finance, and retail sectors across East Asia, Southeast Asia, and North Africa.

RECOMMENDATIONS 

  • Apply the principle of least privilege to minimize access to sensitive systems and data. 
  • Enforce MFA for all accounts, especially administrative ones. 
  • Regularly patch and update internet-facing systems to reduce exposure to known vulnerabilities. 
  • Conduct awareness programs to educate users about phishing attacks and social engineering tactics. 
  • Monitor network activity for abnormal behavior and IOCs. 
  • Ensure timely implementation of IOCs to strengthen security posture and mitigate potential threats. 

DarkStorm Targets Government Entities Across Regions 

The DarkStorm hacktivist group claimed responsibility for targeting multiple government entities through denial-of-service activity, validated by Check-Host screenshots they posted as evidence. The group typically uses such tactics to signal successful service disruption.

Confirmed targets based on evidence: 

  • A government entity based in the Middle East 
  • A government entity based in Eastern Europe 
  • A government entity based in Northern Europe 

In all three cases, the group posted Check-Host output indicating service unavailability or ICMP/HTTP failures as proof of successful targeting. 

RECOMMENDATIONS 

  • Implement DDoS mitigation solutions in application and network layers to absorb and filter attack traffic. 
  • Deploy a Web Application Firewall (WAF) to filter and block malicious requests. 
  • Enable real-time traffic monitoring to detect and respond to anomalies. 
  • Ensure failover and redundancy mechanisms are in place for critical services. 
  • Ensure all systems are patched and updated. 

Google Releases Update to Patch Critical Chrome Vulnerabilities 

Google has released a security update to address multiple vulnerabilities in the Chrome browser. These issues have been fixed in Chrome version 135.0.7049.95/.96 for Windows and Mac, and 135.0.7049.95 for Linux.

CVE-2025-3619: A heap buffer overflow in the Codecs component of Google Chrome on Windows, prior to version 135.0.7049.95, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2025-3620: A use-after-free vulnerability in the USB component of Google Chrome, prior to version 135.0.7049.95, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.    
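Several advisories on this page reduce to "is the installed build at or above the fixed version?", which is branch-aware for vendors that fix several maintenance branches at once (the FortiOS list later on this page names one fixed release per branch, while Chrome names a single fixed build). The following is an added example, not code from any vendor or from Help AG; the inventory entries are constructed.

```python
"""Added example: branch-aware comparison of installed versions against the
fixed versions an advisory lists.  A host is only patched when it is at or
above the fix for its OWN branch: FortiOS 7.4.5 is not fixed by 7.6.2 existing.
"""

def parse_version(text):
    """'135.0.7049.95' -> (135, 0, 7049, 95); tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def audit(installed, fixed_versions, branch_depth=2):
    """Classify one installed version as 'patched', 'vulnerable' or 'unknown'.

    fixed_versions: the fixed release(s) named in the advisory.
    branch_depth:   how many leading components identify a branch (7.4 -> 2).
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(v) for v in fixed_versions)
    same_branch = [f for f in fixes if f[:branch_depth] == inst[:branch_depth]]
    if same_branch:
        # earliest release in this branch that carries the fix
        return "patched" if inst >= same_branch[0] else "vulnerable"
    if inst[:branch_depth] < fixes[0][:branch_depth]:
        # older than every branch the vendor fixed: unfixed or end-of-life
        return "vulnerable"
    # newer branch than the advisory covers; confirm with the vendor
    return "unknown"

def audit_inventory(inventory, fixed_versions, branch_depth=2):
    """Map host name -> status for a {host: installed_version} inventory."""
    return {host: audit(ver, fixed_versions, branch_depth)
            for host, ver in inventory.items()}

# Fixed versions quoted from the advisories on this page.
CHROME_FIXED = ["135.0.7049.95"]
FORTIOS_FIXED = ["7.6.2", "7.4.7", "7.2.11", "7.0.17", "6.4.16"]

# Constructed inventory for the demo (hypothetical hosts and versions).
FORTIGATE_INVENTORY = {"fw-edge-1": "7.4.5", "fw-edge-2": "7.2.11",
                       "fw-lab": "6.2.9", "fw-new": "7.8.0"}

if __name__ == "__main__":
    for host, status in audit_inventory(FORTIGATE_INVENTORY, FORTIOS_FIXED).items():
        print(f"{host}: {status}")
```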

Apple Addresses Critical Vulnerabilities Across Multiple Platforms 

Apple has released security updates to address two vulnerabilities affecting multiple products, including macOS, iPads, and iPhones. 

CVE-2025-31200 (CVSS score: 7.5): A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio stream in a maliciously crafted media file.

CVE-2025-31201 (CVSS score: 6.8): A vulnerability in the RPAC component that could allow an attacker with arbitrary read and write capabilities to bypass Pointer Authentication.

These vulnerabilities have been resolved in the following updates: macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1, iOS 18.4.1, and iPadOS 18.4.1. 

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.    

Oracle Releases Security Update to Patch Critical Vulnerabilities Across Product Lines 

Oracle has published a security update to address multiple vulnerabilities as part of its Critical Patch Update for April 2025.

The update includes 378 security patches across various Oracle product families. Of these, 40 vulnerabilities are rated critical, 122 high, 206 medium, and 10 low in severity. 

Several of the vulnerabilities can be exploited remotely without authentication, potentially allowing an attacker to perform unauthorized operations or delete/falsify sensitive information. 

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.    

Fortinet Unveils Persistence Technique in FortiGate 

Fortinet has disclosed a post-exploitation persistence technique observed during ongoing investigations, where a threat actor exploited known vulnerabilities (CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475) to compromise FortiGate devices. Despite remediation efforts addressing the initial access vector, the attacker maintained read-only access by creating a symbolic link within the SSL-VPN language file directory. This allowed continued access to sensitive configurations, evading detection and bypassing some patching efforts.

RECOMMENDATIONS 

  • Upgrade to FortiOS: 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 
  • Review the configuration of all in-scope devices. 
  • Reset potentially exposed credentials. 
  • Treat all configurations as potentially compromised and follow the recommended steps to recover (see Fortinet Recovery Steps). 
  • As a workaround mitigation until the patch is applied, consider disabling SSL-VPN functionality, as the symbolic link can only be reached through the SSL-VPN service when it is enabled. 
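The persistence described above depends on a symbolic link inside a directory the service serves to clients resolving to data outside it. The following is an added example of that audit on an ordinary filesystem, not Fortinet's code and not a FortiOS path layout; the directory names and the planted link are constructed for the demo.

```python
"""Added example: find symbolic links under a served directory whose resolved
target lies outside that directory (the shape of the FortiGate persistence).
"""
import os
import tempfile

def find_escaping_links(root):
    """Return [(link_path, resolved_target)] for every symlink under root
    that resolves to a location outside root itself."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: do not descend into symlinked directories
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves chained links as well
            if os.path.commonpath([root_real, target]) != root_real:
                findings.append((path, target))
    return findings

def demo():
    """Constructed layout: a served 'lang' directory with one real file, one
    benign link inside the tree, and one link escaping to a config file."""
    base = tempfile.mkdtemp()
    served = os.path.join(base, "served", "lang")
    os.makedirs(served)
    with open(os.path.join(served, "en.json"), "w") as fh:
        fh.write("{}")
    os.symlink("en.json", os.path.join(served, "default.json"))  # stays inside
    secret = os.path.join(base, "config", "system.conf")
    os.makedirs(os.path.dirname(secret))
    with open(secret, "w") as fh:
        fh.write("constructed config data\n")
    os.symlink(secret, os.path.join(served, "fr.json"))  # escapes the tree
    hits = find_escaping_links(os.path.join(base, "served"))
    return [os.path.basename(link) for link, _ in hits]

if __name__ == "__main__":
    print(demo())  # the escaping link is reported; the benign one is not
```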

Researchers Identify Ongoing Influence Campaign Targeting Middle East and Gulf Region 

Researchers have recently identified a long-running influence campaign, initially exposed in 2019, that has continued to target audiences in the Middle East and the Gulf region. While the campaign was primarily active in the Gulf region, especially in areas within the Arabian Peninsula, between 2019 and 2022, new activity targeting a region in the Eastern Mediterranean was observed in late 2024. There was no evidence of targeting during the period between 2022 and 2024.

The campaign has been sustained through a network of fake websites, social media pages, and profiles, indicating significant resources have been dedicated to maintaining it. This includes ongoing personnel, funding, and expertise in regional languages, highlighting the campaign’s strategic importance. 

RECOMMENDATIONS 

  • Block known command-and-control (C2) domains, IPs, and URLs by leveraging threat intelligence feeds. 

Palo Alto Networks Releases Security Updates Addressing Multiple Vulnerabilities 

Palo Alto Networks released 11 security updates to address 10 vulnerabilities in Palo Alto products, including the GlobalProtect App, PAN-OS, Cortex XDR Agent, Prisma SD-WAN, and Cortex XDR Broker VM. This is in addition to seven more CVEs as part of the Prisma Access Browser update. 

Of the 11 security updates, 1 is rated high, 7 medium, and 3 low in severity. 

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.    

Microsoft Identifies Exploited Zero-Day Privilege Escalation Vulnerability 

Microsoft has identified post-compromise exploitation of a zero-day privilege escalation vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS), affecting a limited number of entities across the U.S. IT and real estate sectors, Venezuela’s financial sector, a Spanish software firm, and Saudi Arabia’s retail sector. 

The vulnerability was exploited using PipeMagic malware, linked to Storm-2460, which also deployed ransomware. This activity underscores the significance ransomware groups place on privilege escalation to expand their access and impact. 

CVE-2025-29824: A zero-day vulnerability in the Common Log File System (CLFS) kernel driver allows standard user accounts to escalate privileges. Microsoft discovered active exploitation of this flaw and has released a patch. 

RECOMMENDATIONS 

  • Apply the principle of least privilege to minimize access to sensitive systems and data. 
  • Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones. 
  • Regularly patch and update internet-facing systems to mitigate vulnerability exploits. 
  • Conduct awareness programs to educate users about phishing attacks and social engineering tactics. 
  • Monitor network activity for abnormal behaviors and Indicators of Compromise (IOCs). 
  • Ensure that IOCs are implemented promptly to enhance security posture and mitigate potential threats. 
  • Schedule frequent automated backups. 
  • Keep at least one backup offsite, preferably in an air-gapped or immutable storage system that ransomware cannot encrypt. 

Fortinet Releases Update to Address CVEs in Multiple Products 

Fortinet released a security update to address 11 CVEs in Fortinet products, including FortiAnalyzer, FortiClientEMS, FortiIsolator, FortiManager, FortiOS, FortiProxy, FortiSwitch, FortiVoice, and FortiWeb. 

Of the 11 CVEs addressed, 1 is rated critical, 3 high, 5 medium, and 2 low in severity. 

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.    

References: 

https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_15.html 

https://www.hkcert.org/security-bulletin/apple-products-multiple-vulnerabilities_20250417 

https://research.checkpoint.com/2025/apt29-phishing-campaign/ 

https://teamt5.org/en/posts/china-nexus-apt-exploits-ivanti-connect-secure-vpn-vulnerability-to-infiltrate-multiple-entities/ 

https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html 

https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity 

https://www.clearskysec.com/wp-content/uploads/2025/04/Houthi-Influence-Campaign-april-2025.pdf 

https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/ 

https://fortiguard.fortinet.com/psirt 
