Threat advisories

Top Middle East Cyber Threats – January 23, 2024

Jan-2024 4 min to read

114

Top Middle East Cyber Threats – January 23, 2024

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.

Critical Vulnerability Exploits Self-Hosted GitLab Accounts

A critical vulnerability in GitLab CE/EE (CVE-2023-7028) can be easily exploited by attackers to reset the passwords of GitLab user accounts. Exploit code for this vulnerability is now public. The exploit allows an unauthenticated attacker to reset the password of an existing user without any user interaction.

GitLab stated in a release that customers of their cloud services were not impacted.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Configure Multi-Factor Authentication (MFA) for all your accounts.
Limit access to your self-hosted instances based on the subnets that need to access them.
Monitor for suspicious and unexpected login activities.

Anonymous Sudan DDoS Attacks Target UAE

The Help AG Cyber Threat Intelligence (CTI) Team has observed a DDoS (Distributed Denial of Service) campaign today targeting a telecommunications entity in the United Arab Emirates, claimed by the hacktivist group Anonymous Sudan.

The Help AG CTI team will continue to monitor the situation and provide updates on any further relevant information.

RECOMMENDATIONS

Ensure your organization has sufficient bandwidth and implement redundancy by distributing traffic using load balancers.
Configure your network hardware to guard against DDoS attacks by filtering unwanted ports and protocols.
Deploy DDoS protection solutions to protect your servers from both network and application layer DDoS attacks.
Have a response plan in place: A well-defined plan for responding to DDoS attacks can help you react quickly and effectively, minimizing the attack’s impact.
Ensure all systems are regularly patched and updated.
Avoid clicking on or opening untrusted or unknown links, files, or attachments.
Enable software restriction policies and implement application whitelisting.
Enforce a Restricted PowerShell script execution policy.
Monitor your network for abnormal behaviors.
Ensure that frequent backups of critical data are maintained and kept up to date.

Vulnerabilities Expose SonicWall Firewalls to DoS and RCE Threats

Security researchers have shared insights on previously disclosed vulnerabilities in SonicWall Next-Generation Firewalls, specifically affecting Series 6 and 7 devices. These vulnerabilities, identified as CVE-2022-22274 and CVE-2023-0656, are still present in multiple internet-facing firewalls, leaving them vulnerable to denial-of-service (DoS) and potential remote code execution (RCE) attacks. Several publicly accessible Proof-of-Concept (PoC) codes are currently available, though there is no evidence of active exploitation in the wild as of now.

CVE-2022-22274: This is a stack-based buffer overflow vulnerability in SonicOS, exploitable via an HTTP request. It allows a remote, unauthenticated attacker to cause a DoS or potentially execute code on the firewall.

CVE-2023-0656: Another stack-based buffer overflow vulnerability in SonicOS, which allows a remote, unauthenticated attacker to cause a DoS. This could result in the crashing of an impacted firewall.

RECOMMENDATIONS

Update the firmware of all impacted SonicWall Gen 5 and Gen 6.x firewalls, if applicable, in your environment.
Ensure all systems are patched and updated.

Malicious VBS Script-Driven Campaign Distributes RAT Malware

A recent sophisticated phishing campaign using VBS scripts has been observed delivering RAT-based malware, including samples of AgentTesla, Guloader, Remcos RAT, Xworm, and Lokibot. This campaign has notably targeted various global regions, including the United Arab Emirates.

The infection process begins with a phishing email. It starts with the activation of a VBS script, leading to the execution of an initial-stage PowerShell script. Following this, the native BitsTransfer utility is utilized to retrieve a second-stage PowerShell script, encoded in base64. In the final stage, shellcode injects the RAT malware into a legitimate Windows process, wab.exe.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files, or attachments.
Do not allow Macros to run in unknown MS Office files.
Enable software restriction policies and application whitelisting.
Ensure that your email server is configured to block any suspicious attachments.
Enforce a Restricted PowerShell script execution policy for end-users.
Monitor your network for abnormal behaviors.
Ensure frequent backups are maintained.
Educate employees about detecting and reporting phishing/suspicious emails.

Apple Update Addresses Multiple Vulnerabilities

Apple has issued a security update to address multiple vulnerabilities across various products. The security issues have been resolved in the following versions: macOS Ventura 13.6.4, iOS 16.7.5, iPadOS 16.7.5, iOS 17.3, iPadOS 17.3, tvOS 17.3, watchOS 10.3, macOS Monterey 12.7.3, macOS Sonoma 14.3, iOS 15.8.1, and iPadOS 15.8.1.

Apple has also released patches for older iPhone and iPad models addressing two WebKit zero-days (CVE-2023-42916 and CVE-2023-42917). These vulnerabilities were already patched in November for newer versions of iPads and iPhones.

RECOMMENDATIONS