Threat advisories

Top Middle East Cyber Threats – February 20, 2024


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.

Stealthy Espionage Campaign Targets Charity Organization in the Middle East

Researchers at Cisco Talos have discovered a new and covert espionage campaign that has likely been active since at least March 2023.

The campaign targets a nonprofit organization in the Middle East and uses backdoors from a previously unreported malware family that Talos named “Zardoor.” The initial access vector is unknown. Once inside, the actor deployed a Zardoor backdoor for persistence and then established command and control (C2) through open-source reverse proxy tools: Fast Reverse Proxy (FRP), sSocks, and Venom. With that channel in place, the actor used Windows Management Instrumentation (WMI) to move laterally and to push its tooling, Zardoor included, to other hosts, spawning processes on the target system and executing commands received from the C2.

As part of our ongoing tracking of Indicators of Compromise (IoCs), we recommend removing the IP address 216.58.211.202 from your blocklist: it sits in a Google-owned address range, so blocking it disrupts legitimate traffic and generates false positive alerts. Continue to block the other relevant IoCs.
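The WMI lateral movement and reverse-proxy tooling described above leave a recognisable trace in process-creation telemetry: remote WMI execution lands as a child of WmiPrvSE.exe, and the proxy binaries have to be launched by name before they can be renamed into something quieter. The following Python hunt is an added example written for this post, not code from Talos or from the campaign. The Sysmon-style event lines are constructed, and the binary names matched for sSocks (ssocks, rcsocks, rssocks) and Venom are assumed from those projects' published builds and should be tuned to what your EDR actually reports.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records flattened to key=value text for
# this example; they are not real telemetry from the campaign.
SAMPLE_EVENTS = [
    r'host=ws01 parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"',
    r'host=fs01 parent=C:\Windows\System32\wbem\WmiPrvSE.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c C:\ProgramData\svc\frpc.exe -c C:\ProgramData\svc\frpc.ini"',
    r'host=fs01 parent=C:\Windows\System32\cmd.exe image=C:\ProgramData\svc\frpc.exe cmdline="frpc.exe -c frpc.ini"',
    r'host=ws02 parent=C:\Windows\System32\services.exe image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
    r'host=app01 parent=C:\Windows\System32\wbem\WmiPrvSE.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -enc SQBFAFgA"',
    r'host=ws03 parent=C:\Windows\explorer.exe image=C:\Users\bob\AppData\Roaming\ssocks.exe cmdline="ssocks.exe 1080"',
]

# Interpreters and LOLBins that WmiPrvSE.exe should rarely spawn on a workstation or server.
WMI_SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Reverse proxy tooling named in the advisory. frpc/frps are the FRP client and server
# binaries; the sSocks and Venom names are assumed from the projects' builds (tune these).
REVERSE_PROXY_MARKERS = ("frpc", "frps", "ssocks", "rcsocks", "venom")

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value event line into a dict, stripping quotes from the command line."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names this event triggers (empty when nothing matches)."""
    hits = []
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "").lower()
    # Rule 1: remote WMI execution (Win32_Process.Create over DCOM) shows up as WmiPrvSE.exe
    # spawning a shell or script host on the target.
    if parent == "wmiprvse.exe" and image in WMI_SUSPICIOUS_CHILDREN:
        hits.append("wmi_remote_exec")
    # Rule 2: reverse proxy tooling launched by name, as the image or inside the command line.
    if any(marker in image or marker in cmdline for marker in REVERSE_PROXY_MARKERS):
        hits.append("reverse_proxy_tool")
    return hits


def hunt(lines):
    """Map host -> list of (rule, image) findings across a batch of event lines."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        for rule in evaluate(event):
            findings.setdefault(event["host"], []).append((rule, basename(event["image"])))
    return findings


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, hits)
```

Rule 1 needs a baseline before it alerts: inventory agents and some deployment suites also execute through WMI and will appear under WmiPrvSE.exe, so record the normal parent/child pairs per host first. Rule 2 is name-based and misses renamed binaries; pair it with file hashes from the Talos report and with the network signal the proxy itself creates, an internal host holding a long-lived outbound TCP session to an address it has no business talking to.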

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don’t enable macros in Office files from unknown sources.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviors.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Hacktivists Target Organizations in the United Arab Emirates

Threat actors have recently targeted entities in the United Arab Emirates (UAE) with Distributed Denial of Service (DDoS) attacks, data theft, and document leaks. Organizations in the region should therefore strengthen their defenses against both data breaches and service disruption.

Hacktivist groups involved include Killnet.

Ensure you have DDoS protection for both network-layer and application-layer attacks, and follow the recommendations below to mitigate future DDoS attacks.

RECOMMENDATIONS

  • Ensure you have sufficient bandwidth in your organization and enhance redundancy by distributing traffic using load balancers.
  • Configure your network hardware to defend against DDoS attacks by filtering unwanted ports and protocols.
  • Deploy DDoS protection solutions to shield your servers from both network and application layer DDoS attacks.
  • Have a response plan in place to help you swiftly and effectively mitigate the attack’s impact.
  • Ensure all systems are patched and updated.
  • Avoid clicking on or opening untrusted or unknown links, files, or attachments.
  • Enable software restriction policies and application whitelisting.
  • Enforce the Restricted PowerShell script execution policy.
  • Monitor your network for abnormal behavior.
  • Ensure frequent backups are maintained.
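Application-layer floods appear in the web server's own access log before they appear anywhere else, so a per-source sliding-window count is the quickest way to confirm that the "abnormal behavior" the list above asks you to monitor for is in fact a flood and to identify the sources to feed to the upstream scrubbing service. The detector below is an added example, not a Help AG or vendor tool. The access-log lines are constructed (RFC 5737 test addresses), and the ten-second window and 100-request threshold are assumptions to be tuned per service.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as written by nginx/Apache; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return ip/timestamp/path/status for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window_s=10, threshold=100):
    """Flag sources that exceed `threshold` requests inside any `window_s`-second window.

    Returns {ip: timestamp of the request that crossed the threshold}. One deque per source
    holds only the timestamps still inside the window, so memory stays bounded per client.
    """
    recent = defaultdict(deque)
    flagged = {}
    window = timedelta(seconds=window_s)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop timestamps that have aged out of the window
            q.popleft()
        if len(q) > threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def constructed_log():
    """Constructed sample (not real traffic): one minute with two normal clients plus one
    source hammering /login at 15 requests per second from second 20 onwards."""
    start = datetime(2024, 2, 20, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path, status):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S +0000")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = []
    for s in range(60):
        t = start + timedelta(seconds=s)
        if s % 5 == 0:
            lines.append(fmt("203.0.113.10", t, "/", 200))
        if s % 7 == 0:
            lines.append(fmt("198.51.100.7", t, "/news", 200))
        if s >= 20:
            lines.extend(fmt("192.0.2.99", t, "/login", 503) for _ in range(15))
    return lines


if __name__ == "__main__":
    for ip, when in detect_floods(constructed_log()).items():
        print(f"{ip} exceeded the threshold at {when:%H:%M:%S}")
```

Per-source counting catches a single noisy origin but not a distributed flood, where each bot stays under the threshold; for that, run the same sliding window keyed on path (or on the aggregate) and alert on the total, then hand the source list to the edge provider rather than blocking at the origin, which is already the saturated component. The 503s in the sample are the symptom to watch for on the normal clients' requests, not the flood's.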

CharmingCypress Employs Innovative Attack Tactics

Recent CharmingCypress spear-phishing campaigns have targeted multiple entities to collect political intelligence on foreign targets, with a particular focus on think tanks, NGOs, and journalists.

CharmingCypress, also known as APT42, is a state-sponsored cyber espionage group tasked with information collection and surveillance operations against individuals and organizations of strategic interest.

In its phishing campaigns, CharmingCypress often employs unusual social engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content. During the recent incident, CharmingCypress went so far as to create an entirely fake webinar platform to use as part of the lure. CharmingCypress controlled access to this platform, requiring targets to install malware-laden VPN applications before granting access.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Don’t enable macros in Office files from unknown sources.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviors.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

SolarWinds Fixes Critical Bugs in Access Rights Manager

SolarWinds has patched five remote code execution (RCE) flaws in its Access Rights Manager (ARM) solution, including three critical severity vulnerabilities that allow unauthenticated exploitation.

Access Rights Manager enables companies to manage and audit access rights across their IT infrastructure to minimize the impact of insider threats.

CVE-2024-23476 and CVE-2024-23479 are due to path traversal weaknesses, while the third critical flaw, tracked as CVE-2023-40057, is caused by the deserialization of untrusted data.

Unauthenticated attackers can exploit all three to gain code execution on targeted systems left unpatched. The other two bugs, CVE-2024-23477 and CVE-2024-23478, can also be used in RCE attacks and have been rated by SolarWinds as high-severity issues.

RECOMMENDATIONS

  • Ensure all systems are patched and updated, and upgrade Access Rights Manager to the fixed release listed in the SolarWinds advisory.

References

https://blog.talosintelligence.com/new-zardoor-backdoor/

https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/

https://www.solarwinds.com/trust-center/security-advisories
