At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
Cisco Releases Critical and Medium Security Fixes Addressing ISE (Identity Services Engine) Vulnerabilities
Cisco has released three security fixes: two rated Critical and one Medium.
[Critical] CVE-2025-20281: A flaw in a Cisco ISE API (Application Programming Interface) may allow an unauthenticated remote attacker to execute arbitrary code as root, because user-supplied input is not properly validated.
[Critical] CVE-2025-20282: An internal API vulnerability in Cisco ISE/ISE-PIC enables unauthenticated attackers to upload and execute files as root via insufficient file validation.
[Medium] CVE-2025-20264: A flaw in Cisco ISE's web-based management interface may allow an authenticated remote attacker logged in through SAML SSO (Security Assertion Markup Language single sign-on) to bypass authorization checks for a limited set of administrative functions, potentially triggering a system restart.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Researchers Uncover OneClik Targeting Energy Sector with Cloud-Blended APT Tools
Researchers have tracked a sophisticated APT campaign, named OneClik, targeting the energy, oil, and gas sectors. The attack begins with phishing emails directing victims to fake "hardware analysis" websites that silently deploy a ClickOnce-based .NET loader called OneClikNet. This loader abuses AppDomainManager hijacking to inject a Go-based backdoor named RunnerBeacon, which communicates covertly through legitimate AWS services such as CloudFront, API Gateway, and Lambda. By leveraging these trusted cloud platforms, the malicious traffic blends with normal activity, making detection difficult.
While attribution remains uncertain, the campaign shows strong technical overlaps with APT41—including .NET loader abuse, encrypted in-memory payloads, and cloud-based staging—suggesting a likely East Asia–nexus actor behind OneClik.
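AppDomainManager hijacking works by pointing a legitimate .NET executable at an attacker-controlled AppDomainManager, either through the appDomainManagerAssembly/appDomainManagerType elements in the application's .exe.config or through the APPDOMAIN_MANAGER_ASM/APPDOMAIN_MANAGER_TYPE environment variables, so that the runtime loads the attacker's assembly before the real program runs. The following hunting script is an added example written for this digest; it is not code from the OneClik report or from Help AG, and the config files, DLL and file names it uses are constructed samples, not OneClik indicators. It flags both configuration paths and notes whether the named assembly's DLL sits beside the executable, which is where the runtime would resolve it from in the hijack scenario.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Element and environment-variable names the .NET Framework runtime honours for a
# custom AppDomainManager; these are the knobs AppDomainManager hijacking turns.
CONFIG_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed samples (not real OneClik artefacts): a benign config and a hijacking one.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>"""


def check_config_xml(xml_text):
    """Return the AppDomainManager override(s) configured in an app config, or None."""
    root = ET.fromstring(xml_text)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {}
    for name in CONFIG_ELEMENTS:
        el = runtime.find(name)
        if el is not None:
            found[name] = el.get("value", "")
    return found or None


def check_env(env):
    """Same hijack expressed through the process environment (e.g. from a
    process-creation event); returns the offending variables or None."""
    found = {k: env[k] for k in ENV_VARS if k in env}
    return found or None


def scan_dir(path):
    """Walk a tree, parse every *.exe.config, and report AppDomainManager overrides.
    Also records whether the named assembly's DLL sits next to the executable."""
    findings = []
    for dirpath, _, files in os.walk(path):
        for fname in files:
            if not fname.lower().endswith(".exe.config"):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hit = check_config_xml(fh.read())
            except ET.ParseError:
                continue  # not valid XML; skip rather than abort the sweep
            if not hit:
                continue
            asm = hit.get("appDomainManagerAssembly", "")
            simple = asm.split(",")[0].strip()  # simple name from the full assembly name
            dll_beside = bool(simple) and os.path.exists(os.path.join(dirpath, simple + ".dll"))
            findings.append({
                "config": full,
                "exe": fname[:-len(".config")],
                "assembly": asm,
                "type": hit.get("appDomainManagerType"),
                "dll_beside_exe": dll_beside,
            })
    return findings


def demo():
    """Build a throwaway directory with one benign and one hijacked app and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for exe, cfg in (("Benign.exe", BENIGN_CONFIG), ("Signed.exe", HIJACK_CONFIG)):
            with open(os.path.join(tmp, exe + ".config"), "w", encoding="utf-8") as fh:
                fh.write(cfg)
        with open(os.path.join(tmp, "Loader.dll"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real assembly
        return scan_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against user-writable locations where ClickOnce and downloaded applications land (per-user AppData and Downloads); a signed vendor executable whose config names an assembly that is present only as an unsigned DLL in the same directory is the pattern worth escalating.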
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) on all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to reduce vulnerability risks.
- Conduct user awareness training on phishing and social engineering threats.
- Monitor your network for abnormal activity and known Indicators of Compromise (IOCs).
Google Chrome Addresses Three Medium-Severity Vulnerabilities
Google Chrome has released three security fixes, all rated medium severity.
The update addresses the following CVEs:
CVE-2025-6555: A use-after-free vulnerability in the Animation component (affecting versions prior to 138.0.7204.49) could allow a remote attacker to exploit heap corruption via a crafted HTML page.
CVE-2025-6556: Insufficient policy enforcement in the Loader component may allow a remote attacker to bypass content security policies via a specially crafted HTML page.
CVE-2025-6557: Insufficient data validation in DevTools on Windows could allow a remote attacker to execute arbitrary code if a user performs specific UI gestures on a crafted HTML page.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Notepad++ Fixes Privilege Escalation Vulnerability in Installer
Notepad++ has released one security fix rated High.
The update addresses CVE-2025-49144, a privilege escalation vulnerability in Notepad++ versions 8.8.1 and earlier. The flaw stems from insecure executable search paths in the installer, which could allow unprivileged users to gain SYSTEM-level access. An attacker might exploit this by using social engineering or clickjacking to trick a user into placing a malicious executable in the same directory as the installer (commonly the Downloads folder). When the installer is launched, the malicious file is executed with elevated privileges.
This issue is fixed in version 8.8.2.
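The root cause is a binary-planting pattern: an installer that starts a helper by bare name rather than a fully qualified path can have that lookup satisfied by a file in its own directory, and a Downloads folder is exactly the kind of directory an attacker can get a file into. The script below is an added example for this digest, not Notepad++ project code, and the file names it creates are constructed. It lists executables and libraries sharing an installer's directory and shows the practical mitigation for any installer that has to be run before a patched build is available: copy it into a fresh, empty directory and launch it from there.

```python
import os
import shutil
import tempfile

# File types a relative-name lookup from the installer's directory could pick up.
RISKY_EXT = {".exe", ".dll", ".com", ".cpl"}


def planted_binaries(installer_path):
    """Return every executable/library that shares the installer's directory.
    Anything listed here is a candidate for hijacking a bare-name helper call."""
    directory = os.path.dirname(os.path.abspath(installer_path))
    own_name = os.path.basename(installer_path).lower()
    hits = []
    for entry in sorted(os.listdir(directory)):
        if entry.lower() == own_name:
            continue
        if os.path.splitext(entry)[1].lower() in RISKY_EXT:
            hits.append(os.path.join(directory, entry))
    return hits


def stage_installer(installer_path):
    """Copy the installer into a brand-new empty directory and return the new path.
    A directory nobody else could write into beforehand has nothing to plant."""
    staging = tempfile.mkdtemp(prefix="installer-stage-")
    staged = os.path.join(staging, os.path.basename(installer_path))
    shutil.copy2(installer_path, staged)
    if planted_binaries(staged):
        raise RuntimeError("staging directory is not clean")
    return staged


def demo():
    """Simulate a Downloads folder holding the installer plus a planted helper.exe
    (constructed names; the planted file is just a stub, not a real binary)."""
    with tempfile.TemporaryDirectory() as downloads:
        installer = os.path.join(downloads, "npp.8.8.1.Installer.x64.exe")
        for name in (installer,
                     os.path.join(downloads, "helper.exe"),
                     os.path.join(downloads, "notes.txt")):
            with open(name, "wb") as fh:
                fh.write(b"MZ")
        before = [os.path.basename(p) for p in planted_binaries(installer)]
        staged = stage_installer(installer)
        after = planted_binaries(staged)
        shutil.rmtree(os.path.dirname(staged))
        return before, after


if __name__ == "__main__":
    print(demo())
```

The check is deliberately coarse: it does not know which helper names a given installer resolves, so it reports every executable neighbour and lets the operator decide, while staging removes the question entirely.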
RECOMMENDATIONS
- Ensure all systems are patched and updated.
LulzSec Black Issues Geopolitical Threats Targeting Global Entities
Help AG’s Cyber Threat Intelligence (CTI) team observed a public threat message from the hacktivist group LulzSec Black, using the hashtag #Op_The_World. The statement includes explicit threats against multiple countries and organizations — notably the UAE, Saudi Arabia, Egypt, Israel, and the USA — while excluding Yemen, Lebanon, and Iran from its list of targets.
The group stated they are shifting from defense to launching cyber attacks, aiming for “digital dominance,” which suggests potential real-world cyber operations ahead.
Help AG assesses this development as part of a broader trend in which hacktivist groups increasingly rely on aggressive rhetoric and online threats to spread their views, create fear, and lay the groundwork for future attacks. These threats could be followed by website defacements, DDoS attacks, or data leaks, with government, media, finance, and energy sectors likely targets.
RECOMMENDATIONS
- Ensure use of anti-DDoS (Distributed Denial of Service) solutions at both network and application levels.
- Increase monitoring of public-facing infrastructure for signs of defacement or DDoS attacks.
- Reinforce geo-IP filtering and rate-limiting controls for high-risk regions.
- Ensure regular backups and rapid restoration procedures are in place.
- Harden access control on high-visibility web assets, especially those representing national identity.
- Maintain communication readiness to respond publicly to any digital vandalism.
- Update WAF and IPS signatures to detect hacktivist-style payloads and web shells.
Microsoft Releases High-Severity Fix for Dynamics 365 Information Exposure
Microsoft has released one security fix rated High.
The update addresses the following CVE:
[High] CVE-2025-49715: In a Dynamics 365 FastTrack implementation, exposed personal information could allow an unauthorized person to access and share sensitive data over the network.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Cybernews Uncovers Massive 16 Billion Credential Breach Impacting Major Platforms
Cybernews researchers uncovered 16 billion exposed login credentials across 30 datasets, making this one of the largest credential breaches in history. These datasets, mainly sourced from infostealer malware and credential-stuffing operations, were discovered in unsecured Elasticsearch and object storage instances.
The data covers platforms like Google, Apple, Telegram, GitHub, Facebook, and government services. Structured with URLs, usernames, and passwords, the datasets include recent and legacy infostealer logs—often containing cookies, tokens, and metadata—posing a serious risk for organizations without MFA or proper credential hygiene.
This breach was not publicly reported before this research, with the largest dataset alone holding over 3.5 billion records. Threat actors can exploit this data for mass account takeovers, identity theft, ransomware, and business email compromise (BEC).
The article does not specify who aggregated the data. It could be threat actors or Initial Access Brokers compiling leaks for exploitation or researchers unintentionally exposing breach data via misconfigured storage. However, due to its unencrypted state and size, it’s unlikely maintained by researchers and more likely used by threat actors for resale, credential stuffing, phishing, or BEC.
Help AG’s CTI team is actively monitoring related infostealer activity and tracking the presence of these datasets on dark web forums, Telegram groups, and credential marketplaces. Customers subscribed to Help AG’s Digital Risk Protection services are being proactively alerted and monitored for any use of their domains or emails in the leaked data.
RECOMMENDATIONS
- Mandate multi-factor authentication for all user accounts.
- Rotate and strengthen all exposed or reused passwords.
- Monitor for unauthorized logins using credential-stuffing techniques.
- Deploy Endpoint Detection and Response (EDR) and antivirus tools to detect infostealer malware.
- Educate users on phishing campaigns linked to leaked credentials.
- Audit and disable unused accounts and session tokens.
- Limit access to storage services and monitor for data exposures.
- Enforce password manager use and prevent weak password reuse.
- Implement rate limiting and bot protection on login portals.
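The two monitoring recommendations above (watching for credential-stuffing logins and rate-limiting login portals) both rest on the same signal: one source trying many different usernames in a short window with a low success rate, versus a real user retrying a single account. The detector below is an added example for this digest, not Help AG tooling; the log format and the log lines are constructed, and the thresholds are assumptions to tune per portal. Its output is directly actionable: the source to rate-limit or block, and the accounts where a stuffed credential actually worked and must be reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not customer data) in an assumed "ts ip login user= result=" shape.
SAMPLE_LOG = """2025-06-24T10:00:01Z 203.0.113.7 login user=alice result=fail
2025-06-24T10:00:02Z 203.0.113.7 login user=bob result=fail
2025-06-24T10:00:02Z 203.0.113.7 login user=carol result=fail
2025-06-24T10:00:03Z 203.0.113.7 login user=dave result=success
2025-06-24T10:00:03Z 203.0.113.7 login user=erin result=fail
2025-06-24T10:00:04Z 203.0.113.7 login user=frank result=fail
2025-06-24T10:00:05Z 203.0.113.7 login user=grace result=fail
2025-06-24T10:01:00Z 198.51.100.9 login user=alice result=fail
2025-06-24T10:01:30Z 198.51.100.9 login user=alice result=success
2025-06-24T10:02:00Z 192.0.2.44 login user=heidi result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples, sorted by time.
    Malformed lines are skipped rather than crashing the pipeline."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=5, max_success_ratio=0.5):
    """Slide a time window over each source IP's attempts and flag windows that
    hit many distinct usernames with a low success ratio (the stuffing signature).
    Returns {ip: {"distinct_users", "attempts", "successes", "compromised"}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = [e[2] for e in win if e[3] == "success"]
            if (len(users) >= min_distinct_users
                    and len(successes) / len(win) <= max_success_ratio):
                # Later (larger) windows overwrite earlier ones for the same source.
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "successes": len(successes),
                    "compromised": sorted(set(successes)),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In the sample, 203.0.113.7 is flagged (seven usernames in five seconds, one success, so "dave" needs a forced reset and MFA enrolment), while 198.51.100.9, a single user mistyping once and then succeeding, is not. Distributed stuffing from a botnet spreads attempts across many IPs and will slip under a per-IP threshold; for that, key the same window on the target account or on a client fingerprint instead.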
References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-auth-bypass-mVfKVQAU
https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_24.html
https://issues.chromium.org/issues/407328533
https://issues.chromium.org/issues/40062462
https://issues.chromium.org/issues/406631048
https://drive.google.com/drive/folders/11yeUSWgqHvt4Bz5jO3ilRRfcpQZ6Gvpn
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/f2346ea00d5b4d907ed39d8726b38d77c8198f30
https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24
https://t.me/+mC1MrRnDp5FjNmQ0
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49715
https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/