Threat advisories

Top Middle East Cyber Threats – December 25, 2023

Dec-2023 8 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.

DDoS Attacks Target UAE #DecemberStorm

Help AG Cyber Threat Intelligence Team has been actively monitoring the recent DDoS campaign targeting United Arab Emirates based entities. A recent wave of DDoS attacks has been observed on 19 December under hashtag “#DecemberStorm” and initiated by a threat actor known as SYLHET GANG.

On 19 December, the hacktivists were able to successfully attack an organization under financial sector. The group were also involved in other successful DDoS attacks during previous weeks. Help AG CTI team has been monitoring the situation.

RECOMMENDATIONS

Ensure having sufficient bandwidth in your organization and ensure redundancy by spreading traffic using load balancers.
Configure your network hardware against DDoS attacks by filter unwanted ports and protocols.
Deploy DDoS protection solutions to protect your servers from both network and applications layer DDoS attacks.
Have a response plan in place: Having a plan in place for responding to DDoS attacks can help you quickly and effectively respond to the attack and minimize its impact.
Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Enable software restriction policies and application whitelisting.
Enforce the Restricted PowerShell script execution policy.
Monitor your network for abnormal behaviors and IoCs.
Ensure frequent backups are in place.

Ivanti Releases Security Patches for Avalanche Products

Ivanti has released security updates that fixed twenty-two vulnerabilities in the Ivanti Avalanche on-premises product enterprise mobile device management (MDM) solution.

In that, 13 vulnerabilities categorized as critical, and they are related to Unauthenticated Buffer Overflows, Stack-based Buffer Overflow Remote Code Execution Vulnerability and Heap-based Buffer Overflow Remote Code Execution Vulnerability.

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

RECOMMENDATIONS

Ensure all systems are patched and updated. Download the Avalanche installer and update to the latest Avalanche 6.4.2 versions.

Google Chrome Update Fixes a New Actively Exploited Zero-Day

Google has released emergency updates to address a new zero-day vulnerability, tracked as CVE-2023-7024, in its web browser Chrome. The vulnerability is a Heap buffer overflow in WebRTC.

The flaw has been addressed with the release of version 120.0.6099.129 for Mac, Linux and 120.0.6099.129/130 for Windows which will roll out over the coming days/weeks.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Apple Releases Security Updates Fixing CVE-2023-42940

Apple has issued security update to patch one vulnerability in macOS Sonoma which is tracked under – CVE-2023-42940

The vulnerability is related to session rendering issue that was addressed with improved session tracking. The reported vulnerability by researcher has been now fixed in latest macOS Sonoma 14.2.1 version.

Apple also released latest versions of Safari 17.2.1, iOS 17.2.1 and iOS 16.7.4 and iPadOS 16.7.4. But CVE details are not mentioned in the updates for the same.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Hackers Target Telecommunications in North and East Africa

An espionage group Seedworm (aka Muddywater) has been targeting organizations operating in the telecommunications sector in Egypt, Sudan, and Tanzania.

Seedworm has been active since at least 2017, and has targeted organizations in many countries, though it is most strongly associated with attacks on organizations in the Middle East. It has been publicly stated that Seedworm is a cyberespionage group that is believed to be a subordinate part of Iran’s Ministry of Intelligence and Security (MOIS).

The attackers used a variety of tools in this activity, which occurred in November 2023, including leveraging the MuddyC2Go infrastructure. The attackers also use the SimpleHelp remote access tool and Venom Proxy, which have previously been associated with Seedworm activity, as well as using a custom keylogging tool, and other publicly available and living-off-the-land tools.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t allow Macros for unknown MSOffice files.
Enable software restriction policies and application whitelisting.
Ensure that email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and shared IoCs.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

Smishing Triad Conducts Fraud Campaigns

Recently, a fraudulent campaign by the previously known cybercriminal group, the ‘Smishing Triad Gang,’ was discovered impersonating the United Arab Emirates Federal Authority for Identity and Citizenship.. The group is involved in circulating malicious SMS messages, posing as communications from the General Directorate of Residency and Foreigners Affairs. The campaign specifically targets both UAE residents and foreigners present in or visiting the country. Before this, the same group engaged in similar smishing activities, where they pretended to be postal service providers.

In the current campaign, by leveraging a social engineering tactic, the victim is redirected to a fake authorization form with the branding of the United Arab Emirates General Directorate of Residency and Foreigners Affairs and asked to provide the personal information and credit card details as part of payment process. The attackers have created phishing form that will only be accessible when visited from UAE IP addresses and mobile devices.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files, or attachments.
Always use the trusted App Stores to download the Mobile Apps.
Avoid publishing private contact information on unreliable online platforms.
Enable software restriction policies and application whitelisting.
Monitor your network for abnormal behaviors and shared IoCs.
Please action by blocking the attached list of indicators of compromise (attached with this email) within respective security controls organization wide.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

OilRig Launches Attacks with Cloud-Enabled Downloaders

A series of new OilRig downloaders were revealed recently, all of them relying on legitimate cloud service providers for C&C communications to maintain access to target organizations. These lightweight downloaders, which are named SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster, are notable for using one of several legitimate cloud service APIs for C&C communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API.

In all cases, the downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with the OilRig operators; the same account is typically shared by multiple victims. The downloaders access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files.

OilRig, also known as APT34, Lyceum, Crambus, or Siamesekitten, is a cyberespionage group that has been active since at least 2014 and is commonly believed to be based in Iran. The group targets Middle Eastern governments and a variety of business verticals, including chemical, energy, financial, and telecommunications.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t allow Macros for unknown MSOffice files.
Enable software restriction policies and application whitelisting.
Ensure that email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and shared IoCs.
Please action by blocking the indicators of compromise within respective security controls organization wide.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

Palo Alto Networks Fixes Multiple Vulnerabilities in PAN-OS

Palo Alto Networks has published a security update to address seven vulnerabilities in PAN-OS. Out of the seven vulnerabilities, one is assigned as high and six as medium in risk level.

The most severe vulnerability reported was CVE-2023-6790 with high risk level and 7.5 in CVSS, the vulnerability is a DOM-Based cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to execute a JavaScript payload in the context of an administrator’s browser when they view a specifically crafted link to the PAN-OS web interface.

RECOMMENDATIONS

Ensure all systems are patched and updated.

FortiGuard Labs Security Update Fixes Multiple Vulnerabilities

FortiGuard Labs have released security advisory for the month of December that has fixed total 12 Vulnerabilities in the multiple products.

In that, 1 Critical, 5 High, 3 Medium and 3 Low severity vulnerabilities have been fixed.

Below are the details of critical and high vulnerabilities affecting on mentioned products and its vulnerability descriptions:

CVE-2023-47539 – FortiMail – Potential Remote_wildcard RADIUS login bypass in FotiMail 7.4.0

CVE-2023-48782 – FortiWLM – authenticated command injection vulnerability

CVE-2023-41678 – Double free in cache management

CVE-2023-48791 – FortiPortal – Schedule System Backup Page OS Command Injection

CVE-2022-27488 – FortiMail / FortiNDR / FortiRecorder / FortiSwitch / FortiVoice – Cross-site scripting forgery (CSRF) in HTTPd CLI console

CVE-2023-36639 – FortiOS & FortiProxy – Format String Bug in HTTPSd

CVE-2023-41673 – FortiADC – Read-only administrator can read or backup the system configuration.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Addresses Privilege Escalation Vulnerability

VMware has published a security update to address a privilege escalation vulnerability in VMware Workspace ONE Launch. The vulnerability identified as CVE-2023-34064 with moderate severity level and CVSSv3 base score of 6.3.
A malicious actor with physical access to Workspace ONE Launcher could utilize the Edge Panel feature to bypass setup to gain access to sensitive information.
VMware addressed the vulnerability in VMware Workspace ONE Launcher version 23.11.

RECOMMENDATIONS