Top Middle East Cyber Threats – July 04, 2023
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.
Anonymous Sudan Escalates DDoS Attacks and Exposes Stolen Microsoft Records
In our ongoing effort to monitor cybersecurity threats, our Cyber Threat Intelligence (CTI) team at Help AG has noted a resurgence of DDoS attacks from the Anonymous Sudan group, specifically targeting organizations within the government and banking sectors of the United Arab Emirates. We observe that this group often exploits weekends and holidays to launch their attacks. Assessing the current threat landscape, we anticipate these campaigns to persist, potentially impacting additional entities in the coming days.
In a crucial development, our team has also discovered a significant data breach, where the threat actor publicly leaked 103 records from a purportedly stolen Microsoft database. Attempts are being made to sell the full database, reportedly containing many more records, for a sum of $50,000 USD.
Help AG is closely monitoring this situation to provide you with timely updates and security alerts.
RECOMMENDATIONS
- Make sure you have sufficient bandwidth in your organization and ensure redundancy by spreading traffic using load balancers.
- Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols.
- Deploy a DDoS protection solution to protect your servers from both network and applications layer DDoS attacks.
- Have a response plan: Having a plan in place for responding to DDoS attacks can help you quickly and effectively respond to the attack and minimize its impact.
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Enable software restriction policies and application whitelisting.
- Enforce the Restricted PowerShell script execution policy.
- Monitor your network for abnormal behaviour and shared IoCs.
- Ensure frequent backups are in place.
Apple Fixes Two Actively Exploited Zero-days Targeting iPhones and Macs
Apple has addressed two actively exploited zero-day vulnerabilities targeting multiple products including iPhones, Macs, and iPads.
The security bugs were found in the Kernel as well as the multi-platform WebKit browser engine and are tracked as CVE-2023-32434 and CVE-2023-32439.
The first vulnerability is an integer overflow that allows arbitrary code execution with kernel privileges. The second is a type of confusion that allows a maliciously crafted web content to execute arbitrary code.
Apple addressed the two zero-days in watchOS 8.8.1, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Ventura 13.4.1, macOS Monterey 12.6.7 and macOS Big Sur 11.7.8.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
VMware warns of critical vRealize flaw exploited in the wild
VMware updated a security advisory to warn customers that the critical RCE vulnerability (CVE-2023-20887) in Aria Operations for Networks (Formerly vRealize Network Insight) is being actively exploited after releasing the PoC publicly.
CVE-2023-20887 is a command injection vulnerability enabling a malicious actor with network access to VMware Aria Operations for Networks to perform a command injection attack, resulting in remote code.
VMware also addressed 2 other vulnerabilities as part of the advisory:
- CVE-2023-20888: A malicious actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform a deserialization attack, resulting in remote code execution.
- CVE-2023-20889: A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.
VMware has released a patch to fix this security issue.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Monitor your network for abnormal behaviours and IoCs.
Google Chrome Update Fixes Multiple Vulnerabilities
Google published a security update to address multiple vulnerabilities in Chrome browser that are fixed now in Chrome’s latest version (114.0.5735.198 for Mac and Linux and 114.0.5735.198/199 for Windows).
The update includes 4 security fixes, 3 of them were contributed by external researchers. All the 3 contributed fixes are classified as high in risk level.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Charming Kitten Updates POWERSTAR with an InterPlanetary Twist
The Iranian threat actor (Charming Kitten) was discovered attacking organizations with spear-phishing campaigns to distribute an updated version of one of their backdoors, which is known as POWERSTAR/CharmPower.
Charming Kitten appears to be straying from their previously preferred cloud-hosting providers (OneDrive, AWS S3, Dropbox) in favour of privately hosted infrastructure, Backblaze and IPFS, to deliver their malware.
Charming Kitten have been evolving their malware alongside their spear-phishing techniques. The adversaries have implemented improved operational security measures within the malware, to make it more difficult to analyze and collect intelligence.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t allow Macros for unknown MSOffice files.
- Enable software restriction policies and application whitelisting.
- Ensure that your email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviours and IoCs.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
MuddyWater unveils Phony C2: A New Malicious Command & Control Framework
A new C2 framework named PhonyC2 has been identified and attributed to MuddyWater, a cyber espionage group that is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).
PhonyC2 is similar to MuddyC3, a previous C2 framework created by the threat actor, and was part of the attack on the Israeli research Institute (Technicon). The adversary is continuously updating the C2 framework and changing TTPs to avoid detection.
It has also been observed that MuddyWater is exploiting PaperCut MF and NG RCE vulnerability (CVE-2023-27350) and using PhonyC2 as a command-and-control server.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files or attachments.
- Don’t allow Macros for unknown MSOffice files.
- Enable software restriction policies and application whitelisting.
- Ensure that your email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviours and IoCs.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
References:
- https://support.apple.com/en-us/HT213813
- https://support.apple.com/en-us/HT213811
- https://support.apple.com/en-us/HT213809
- https://support.apple.com/en-us/HT213810
- https://support.apple.com/en-us/HT213814
- https://www.vmware.com/security/advisories/VMSA-2023-0014.html
- https://www.fortiguard.com/psirt/FG-IR-23-074
- https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_26.html
- https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/
- https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
- https://www.ynetnews.com/business/article/syjobiuti