At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
Threat Actor TA-NATALSTATUS Intensifies Global Cryptojacking Campaign
Researchers have reported that the threat actor TA-NATALSTATUS, active since 2020, is compromising servers across Europe, Russia, Asia, and other regions. The group gains root access to install mining software, disable security features, and eliminate competing threats. They use advanced techniques such as binary hijacking, obfuscation, persistence mechanisms, immutable file locks, and anti-rival kill lists. This evolution has turned what was once a common attack vector into a widespread infrastructure breach, compromising tens of thousands of vulnerable servers.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor your network for abnormal behaviours and Indicators of Compromise (IOCs).
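The immutable file locks mentioned above leave a durable trace on a compromised host: the 'i' (immutable) or 'a' (append-only) attribute on binaries, cron entries or loader configuration that never legitimately carry it. The following is an added triage example, not code from the Help AG bulletin or from any vendor report on TA-NATALSTATUS. It parses the text output of `lsattr -R` (captured separately and passed in) and reports flagged files under directories where such attributes deserve review; the directory list and the sample output are constructed assumptions.

```python
"""Triage check for immutable-attribute abuse on Linux hosts (added example)."""
from typing import Dict, List, Tuple

# Constructed assumption: locations where an immutable/append-only flag warrants review.
SENSITIVE_PREFIXES = (
    "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
    "/etc/cron", "/etc/ld.so.preload", "/etc/systemd/system/",
    "/var/spool/cron/", "/root/.ssh/",
)

# Constructed sample of `lsattr -R` output: flag string, then the path.
# /var/log/lastlog is append-only by design and must not be reported.
SAMPLE_LSATTR = """\
--------------e------- /usr/bin/ls
----i---------e------- /usr/bin/top
----i---------e------- /etc/ld.so.preload
-----a--------e------- /var/log/lastlog
----i---------e------- /etc/cron.d/zz-miner
--------------e------- /etc/hostname
"""


def parse_lsattr(text: str) -> List[Tuple[str, str]]:
    """Return (flags, path) pairs, skipping lsattr's own error lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        # e.g. 'lsattr: Operation not supported While reading flags on /proc/1'
        if len(parts) != 2 or not parts[1].startswith("/"):
            continue
        records.append((parts[0], parts[1]))
    return records


def immutable_findings(text: str, prefixes=SENSITIVE_PREFIXES) -> List[Dict[str, str]]:
    """Report files under sensitive prefixes that carry the 'i' or 'a' attribute.

    lsattr flag letters are case-sensitive: 'i' is immutable, 'a' is append-only;
    the capital 'I' (indexed directory) and 'A' (no atime) are unrelated.
    """
    findings = []
    for flags, path in parse_lsattr(text):
        attrs = "".join(f for f in ("i", "a") if f in flags)
        if attrs and path.startswith(prefixes):
            findings.append({"path": path, "attrs": attrs})
    return findings


if __name__ == "__main__":
    for hit in immutable_findings(SAMPLE_LSATTR):
        print("REVIEW: %s has attribute(s) %s" % (hit["path"], hit["attrs"]))
```

A clean host normally returns nothing from this check; every hit is a file an operator should be able to explain, and one that a package manager or patch job will also fail to update until the attribute is cleared.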
Microsoft Releases Security Fixes for Critical and High-Risk Vulnerabilities
Microsoft has released 5 security fixes addressing 2 Critical, 2 High, and 1 Medium vulnerabilities.
The updates address the following CVEs:
Critical – CVE-2025-53795: Microsoft PC Manager – Privilege escalation over the network.
Critical – CVE-2025-53763: Azure Databricks / Purview – Improper access control enabling privilege escalation.
High – CVE-2025-55231: Windows Storage – Race condition, potential remote code execution (RCE).
High – CVE-2025-55230: Windows MBT Driver – Pointer dereference, local privilege escalation.
Medium – CVE-2025-55229: Windows Certificates – Improper signature verification, allowing spoofing.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Attackers Exploit Active Directory Defaults Using MITM6
Attackers can exploit overlooked Active Directory (AD) defaults without relying on zero-day vulnerabilities or malware. The MITM6 attack targets Windows’ default IPv6 settings, where systems send DHCPv6 requests even when IPv6 is not in use. A rogue server can respond with a malicious DNS, intercepting traffic. When combined with tools like ntlmrelayx, the attacker can spoof WPAD to capture or relay NTLM credentials.
Since AD allows authenticated users to add machine accounts and abuse Resource-Based Constrained Delegation (RBCD), attackers can escalate privileges, impersonate accounts and potentially achieve full domain compromise.
MITM6 is a penetration testing tool that exploits Windows’ default configuration to take over the default DNS server. It responds to DHCPv6 messages, assigns victims a link-local IPv6 address, and sets the attacker’s host as the default DNS server.
RECOMMENDATIONS
- Disable IPv6 if Unused – Turn off IPv6 on endpoints and servers if not required.
- Block Rogue IPv6 Advertisements – Use RA Guard or DHCPv6 Guard to block unauthorized DHCPv6 and RA traffic.
- Segment Network – Separate users, servers, and domain controllers into VLANs.
- Restrict Machine Account Creation – Set ms-DS-MachineAccountQuota = 0.
- Control RBCD – Audit and limit Resource-Based Constrained Delegation.
- Harden Privileged Accounts – Prevent administrative logins on untrusted systems.
- Detect Rogue DHCPv6 – Monitor using IDS/IPS or tools like Zeek and Suricata.
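The last recommendation can be implemented directly on captured traffic: a DHCPv6 server that answers a client with a DNS server your organisation does not operate is the signature of the takeover described above. The block below is an added example, not code from the Help AG bulletin or from the mitm6 project. It parses the DHCPv6 header and option list (RFC 8415) and the DNS Recursive Name Server option (code 23, RFC 3646), then compares the advertised resolvers against an allowlist; the allowlist and the sample packets are constructed. Only Advertise and Reply messages are inspected, since client messages never assign resolvers.

```python
"""Flag DHCPv6 server messages that hand out an unexpected DNS server (added example)."""
import ipaddress
import struct
from typing import Dict, List

# DHCPv6 message types for server responses (RFC 8415, section 7.3).
SOLICIT = 1
ADVERTISE = 2
REPLY = 7
OPTION_DNS_SERVERS = 23  # RFC 3646: list of 16-byte IPv6 addresses

# Constructed assumption: the resolvers your DHCPv6 infrastructure legitimately assigns.
ALLOWED_DNS = {ipaddress.IPv6Address("2001:db8:10::53")}


def parse_dhcpv6(payload: bytes) -> Dict[str, object]:
    """Return message type, transaction id and the raw options of a DHCPv6 payload."""
    if len(payload) < 4:
        raise ValueError("payload too short for DHCPv6 header")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options: Dict[int, List[bytes]] = {}
    pos = 4
    while pos + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        data = payload[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        options.setdefault(code, []).append(data)
        pos += length
    if pos != len(payload):
        raise ValueError("trailing bytes after last option")
    return {"type": msg_type, "xid": xid, "options": options}


def dns_servers(options: Dict[int, List[bytes]]) -> List[ipaddress.IPv6Address]:
    """Decode every address carried in DNS_SERVERS options."""
    addrs = []
    for data in options.get(OPTION_DNS_SERVERS, []):
        if len(data) % 16:
            raise ValueError("DNS_SERVERS option length is not a multiple of 16")
        for i in range(0, len(data), 16):
            addrs.append(ipaddress.IPv6Address(data[i:i + 16]))
    return addrs


def rogue_dns_servers(payload: bytes, allowed=ALLOWED_DNS) -> List[str]:
    """Return the advertised resolvers that are not on the allowlist (empty = clean)."""
    msg = parse_dhcpv6(payload)
    if msg["type"] not in (ADVERTISE, REPLY):
        return []  # client messages carry no resolver assignment
    return [str(a) for a in dns_servers(msg["options"]) if a not in allowed]


def build_server_message(xid: int, dns: List[str], msg_type: int = REPLY) -> bytes:
    """Build a minimal DHCPv6 message with one DNS_SERVERS option (constructed test data)."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    header = bytes([msg_type]) + xid.to_bytes(3, "big")
    return header + struct.pack("!HH", OPTION_DNS_SERVERS, len(body)) + body


if __name__ == "__main__":
    # A rogue DHCPv6 server on the local segment typically points victims at its own
    # link-local address; a legitimate reply names the corporate resolver.
    legit = build_server_message(0x123456, ["2001:db8:10::53"])
    rogue = build_server_message(0x123456, ["fe80::1"])
    print("legit:", rogue_dns_servers(legit))  # []
    print("rogue:", rogue_dns_servers(rogue))  # ['fe80::1']
```

In production the payload would come from a packet capture or a Zeek/Suricata hook filtered on UDP port 546; on a network where IPv6 is disabled per the first recommendation, any DHCPv6 Advertise or Reply at all is already an alert.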
Static Tundra Exploits Cisco IOS Vulnerability for Espionage
Researchers have credited Static Tundra, a Russian state-sponsored espionage group linked to the FSB’s Center 16, with over a decade of operations targeting network devices for long-term intelligence collection. The group has leveraged a long-patched vulnerability (CVE-2018-0171) in Cisco IOS Smart Install, focusing on unpatched and end-of-life devices to steal configurations and maintain persistence.
Static Tundra campaigns have primarily targeted organizations in telecommunications, higher education, and manufacturing across multiple regions, chosen for their strategic value.
CVE-2018-0171 is a critical vulnerability in the Smart Install feature of Cisco IOS and IOS XE software. It allows an unauthenticated remote attacker to exploit affected devices, potentially resulting in denial of service (DoS) or arbitrary code execution.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor your network for abnormal behaviors and Indicators of Compromise (IOCs).
Cisco Addresses Medium-Severity Vulnerabilities in Duo, EPNM, and ISE
Cisco has released 3 security fixes – all Medium severity.
[Medium] CVE-2025-20345 – Cisco Duo Authentication Proxy: Vulnerability in debug logging could allow a high-privileged attacker to view sensitive information in system logs.
[Medium] CVE-2025-20269 – Cisco EPNM & Prime Infrastructure: Weak input validation in the web interface may let a low-privileged attacker retrieve arbitrary files from the device.
[Medium] CVE-2025-20131 – Cisco ISE: Improper file validation in the GUI could allow an admin-level attacker to upload arbitrary files to the system.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Warlock Ransomware Exploits SharePoint Vulnerabilities to Deploy Malware
Researchers have identified that the Warlock ransomware group is exploiting unpatched, internet-exposed Microsoft SharePoint servers by leveraging newly discovered vulnerabilities to gain initial access. The attackers use targeted HTTP POST requests to upload web shells for reconnaissance and credential theft. Once inside the network, the group escalates privileges through Group Policy abuse, conducts further credential harvesting, and moves laterally using built-in Windows tools and custom malware, ultimately deploying ransomware that encrypts files with the .x2anylock extension.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor your network for abnormal behaviors and Indicators of Compromise (IOCs).
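The initial-access step described above (an HTTP POST that drops a web shell, followed by the attacker browsing to the new page) produces a recognisable pattern in the web server's own logs. The block below is an added example, not code from the Help AG bulletin or from Trend Micro's Warlock report. It assumes a simplified W3C-style log with the fields `date time c-ip cs-method cs-uri-stem sc-status` and a baseline of .aspx paths the SharePoint farm legitimately serves; it alerts when a client that recently issued a POST then successfully fetches an .aspx path absent from that baseline. The sample log lines, paths and addresses are constructed.

```python
"""Heuristic detection of a web-shell drop in SharePoint web logs (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=10)  # assumed correlation window between POST and first GET

# Constructed assumption: .aspx pages known to exist on the farm before the period inspected.
KNOWN_ASPX = {
    "/_layouts/15/start.aspx",
    "/_layouts/15/settings.aspx",
    "/sites/hr/sitepages/home.aspx",
}

# Constructed sample log (simplified W3C-style fields).
SAMPLE_LOG = """\
2025-08-20 09:58:10 198.51.100.7 GET /_layouts/15/start.aspx 200
2025-08-20 10:01:02 203.0.113.5 POST /_layouts/15/settings.aspx 200
2025-08-20 10:01:09 203.0.113.5 GET /_layouts/15/newpage.aspx 200
2025-08-20 10:30:00 198.51.100.7 GET /sites/hr/sitepages/home.aspx 200
2025-08-20 11:15:00 192.0.2.9 GET /_layouts/15/report.aspx 404
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str, int]:
    """Split one log line into (timestamp, client ip, method, lower-cased path, status)."""
    date, time, cip, method, uri, status = line.split()
    return datetime.fromisoformat(date + " " + time), cip, method.upper(), uri.lower(), int(status)


def detect_webshell_drops(log_text: str, known=KNOWN_ASPX, window=WINDOW) -> List[Dict[str, str]]:
    """Alert on a successful GET of an unknown .aspx path shortly after a POST from the same client.

    A 404 means nothing was served, so it is not counted; a POST alone is also not an
    alert, since legitimate SharePoint use is full of POSTs.
    """
    alerts = []
    last_post: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, cip, method, uri, status = parse_line(line)
        if method == "POST":
            last_post[cip] = ts
            continue
        if uri.endswith(".aspx") and uri not in known and status == 200:
            prior = last_post.get(cip)
            if prior is not None and ts - prior <= window:
                alerts.append({"client": cip, "path": uri, "time": ts.isoformat(sep=" ")})
    return alerts


if __name__ == "__main__":
    for a in detect_webshell_drops(SAMPLE_LOG):
        print("ALERT: %s fetched new page %s at %s" % (a["client"], a["path"], a["time"]))
```

The same-client correlation is a deliberate simplification: an operator who uploads from one address and browses from another would evade it, so in practice the "unknown .aspx served with 200" condition alone, deduplicated against a path baseline built from historical logs, is the more robust first-stage signal.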
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55231
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55230
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53795
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53763
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55229
https://blog.talosintelligence.com/static-tundra/
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd36820
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-authproxlog-SxczXQ63
https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-66682
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-TET4GxBX
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-file-upload-qksX6C8g
https://www.trendmicro.com/en_ae/research/25/h/warlock-ransomware.html