Threat advisories

Top Middle East Cyber Threats – July 18, 2023

Jul-2023 4 min to read

131

Top Middle East Cyber Threats – July 18, 2023

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Threat Actor TA453 Launches a Multi-stage Attack Campaign

Researchers have identified a recent campaign attributed to the Iranian threat actor TA453, also known as Charming Kitten, APT42, Mint Sandstorm, or Yellow Garuda. The campaign involves a multi-stage attack strategy aimed at compromising the security of targeted individuals. The campaign begins with benign emails sent to experts, seeking permission to share a draft related to fake projects. Once a target engages in initial interaction, TA453 delivers a malicious link via a Google Script macro. This link redirects the target to a Dropbox URL hosting a password-encrypted .rar file named “Abraham Accords & MENA.rar”.

Additionally. TA453 employs a .rar file and LNK file combination to deploy malware, deviating from their typical infection chain involving VBA macros or remote template injection. The LNK file enclosed within the RAR archive utilizes PowerShell to download additional stages from a cloud hosting provider.

TA453 has been also found to target Mac OS by disguising ZIP archive applications. Upon initialization, these applications execute an Apple script file that utilizes curl to download a bash backdoor named NokNok.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t allow Macros for unknown MSOffice files.
Enable software restriction policies and application whitelisting.
Ensure that your email server is configured to block any suspicious attached files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviours and shared IoCs.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

VMware SD-WAN Update Addresses a Bypass Authentication Vulnerability

VMware published a security update to address an Authentication Bypass Vulnerability affecting VMware SD-WAN, the CVE tracked as CVE-2023-20899 with 5.3 CVSSv3 score.

An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management.

Impacted versions:

VMware SD-WAN (Edge) 5.0.x
VMware SD-WAN (Edge) 4.5.x

Fixed versions:

VMware SD-WAN (Edge) 5.1
VMware SD-WAN (Edge) 4.5.2

RECOMMENDATIONS

Ensure all systems are patched and updated.

Apple Fixes an Actively Exploited Zero-day Vulnerability

Apple has addressed an actively exploited zero-day vulnerability targeting multiple products including iPhones, Macs, and iPads. This is the third zero day fixed by Apple in addition to the two zero days fixed in June.

The security bug CVE-2023-37450 was found in the WebKit browser engine as processing web content may lead to arbitrary code execution.

Apple addressed the zero-day in iOS 16.5.1(a), iPadOS 16.5.1(a) and macOS Ventura 13.4.1(a).

This update is only available for macOS Ventura 13.4.1, iOS 16.5.1 and iPadOS 16.5.1

RECOMMENDATIONS

Ensure all systems are patched and updated.

Exploit Targets VMware Aria Operations for Logs Vulnerability

A critical security vulnerability in the VMware Aria Operations for Logs analysis tool for cloud management — known as CVE-2023-20864 — has an exploit available that allows threat actors to run arbitrary code as root, no user interaction necessary.

The flaw was originally patched in April, along with several security updates for less severe vulnerabilities.

It is strongly advised that users apply the patches to this vulnerability to prepare for any incoming attacks should they arise, especially given that VMware is one of threat actors targets when it comes to the cloud.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Citrix Addresses Two Vulnerabilities in Citrix Secure Access Client

Citrix published a security update to address one vulnerability in Citrix Secure Access client for Windows and another one in Citrix Secure Access client for Ubuntu.

The first security issue is a Remote code execution in Citrix Secure Access client for Ubuntu and tracked as CVE-2023-24492 with 9.6 in CVSS.

The second one is CVE-2023-24491, it is rated as 7.8 in CVSS and exists in Citrix Secure Access client for Windows, Citrix described it as Local Privilege escalation to NT AUTHORITY\SYSTEM.

Citrix addressed both of these bugs in Secure Access client for Windows 23.5.1.3 and later releases as well as Citrix Secure Access client for Ubuntu 23.5.2 and later releases.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Cisco SD-WAN vManage Vulnerability Enables Unauthorized Access

A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance.

This vulnerability is due to insufficient request validation when using the REST API feature. An attacker could exploit this vulnerability by sending a crafted API request to an affected vManage instance. A successful exploit could allow the attacker to retrieve information from and send information to the configuration of the affected Cisco vManage instance. This vulnerability only affects the REST API and does not affect the web-based management interface or the CLI.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

RECOMMENDATIONS