Top Middle East Cyber Threats – December 12, 2023
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.
Sandman APT Targets Entities in the Middle East
Researchers have shared recent attribution-relevant information regarding the Sandman APT cluster, shedding light on its position within the broader threat landscape and identifying connections between Sandman and a suspected threat actor group that utilizes the KEYPLUG backdoor, known as STORM-0866/Red Dev 40. These connections include similarities in victimology, cohabitation, and the use of Command and Control (C2) infrastructure control and management practices.
STORM-0866/Red Dev 40 is an evolving APT threat cluster primarily focused on targeting entities in the Middle East and the South Asian subcontinent. Their victims often include telecommunication providers and government entities.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Don’t allow Macros for unknown MSOffice files.
- Enable software restriction policies and application whitelisting.
- Ensure that your email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviour.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
Teal Kurma Launches Multi-Faceted Attacks
A threat actor known as Teal Kurma (also known as Sea Turtle, Marbled Dust, Cosmic Wolf) has been observed targeting entities in Europe and the Middle East. This includes both private and public sector organizations, ranging from non-governmental organizations (NGOs) to information technology (IT) and telecommunication sectors.
The threat actor used SnappyTCP, a simple reverse TCP shell for Linux/Unix systems that supports basic C2 capabilities, to establish persistence on a system in campaigns between 2021 and 2023. The attacker controlled C2 domains were found to be spoofing NGOs and media organizations.
To gain initial access, it is likely that the actors leveraged publicly available proof-of-concept codes such as CVE-2021-44228, CVE-2021-21974, and CVE-2022-0847. After the initial compromise, they used a shell script (upxa.sh) that drops an executable to the disk, which calls out to a threat actor-controlled server. The deployed WebShell was a simple reverse TCP shell for Linux/Unix systems that supported two variants – one that uses OpenSSL to create a secure connection over TLS, and another that omits this capability and sends requests in cleartext.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t allow Macros for unknown MSOffice files.
- Enable software restriction policies and application whitelisting.
- Ensure that your email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
TA422 Phishing Campaigns Impact Multiple Sectors
A threat actor tracked as Forest Blizzard (STRONTIUM, APT28, FANCYBEAR), has been found actively exploiting CVE-2023-23397 to gain unauthorized access to email accounts within Exchange servers. Additionally, the actors utilized other known public exploits in their attacks, such as CVE-2023-38831 and CVE-2021-40444. These vulnerabilities were exploited to gain initial access against diverse sectors including government, aerospace, education, finance, manufacturing, and technology.
Several phishing emails were sent in the campaigns exploiting CVE-2023-23397, a Microsoft Outlook elevation of privilege flaw. This flaw allows a threat actor to exploit Transport Neutral Encapsulation Format (TNEF) files and initiate NTLM negotiation, obtaining a hash of a target’s NTLM password. Another exploited vulnerability, CVE-2023-38831, is a WinRAR remote code execution flaw that allows the execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
When vulnerable instances of Outlook processed the attachment, Outlook initiated an NTLM negotiation request to the file located at the UNC path. This allowed for the disclosure of NTLM credentials from the targets without their interaction. The campaigns leveraged Mockbin and InfinityFree services for URL redirection purposes.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Don’t allow Macros for unknown MSOffice files.
- Enable software restriction policies and application whitelisting.
- Ensure that your email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
Covert DNS Channel Attacks Target Different Organizations
A recently identified backdoor variant named Agent Raccoon, built using the .NET framework, utilized the DNS protocol to establish a covert channel, enabling diverse backdoor functionalities. The targets of this discovery are primarily located in the U.S., the Middle East, and Africa, with the Command and Control (C2) infrastructure dating back to 2020. The affected sectors include education, real estate, retail, non-profits, telecom, and governmental entities.
The attackers utilized various tools to achieve their objectives, including the establishment of backdoor capabilities, command and control (C2), the theft of user credentials, and the exfiltration of confidential information. Notably, a newly identified tool called Ntospy, a Network Provider DLL module, was employed to steal user credentials. Additionally, a customized version of Mimikatz, known as Mimilite, was used for credential dumping.
The attackers used PowerShell snap-ins to steal emails from Microsoft Exchange servers and to steal victims’ Roaming Profile folders, compressing the directory with 7-Zip for efficiency and stealth.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t allow Macros for unknown MSOffice files.
- Enable software restriction policies and application whitelisting.
- Ensure that your email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
References
https://twitter.com/MsftSecIntel/status/1731626192300634585
https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html
https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
