At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
Hacktivist Group Signals Imminent Return to Cyber Operations
The Help AG CTI team has identified a public message from the Tunisian Maskers Cyber Force, a known hacktivist group, signaling an imminent return to cyber operations. The message, shared via social platforms, includes anti-Western and anti-Gulf statements, explicitly referring to regions in North America, the Middle East, and the Gulf as hostile entities.
While no immediate indicators of attack were disclosed, the tone and language of the message suggest preparations for politically motivated cyber activity. The statement “we are working in silence” implies pre-operational actions, and entities within the mentioned regions are advised to exercise increased vigilance.
RECOMMENDATIONS
- Ensure the use of anti-DDoS solutions for both network and application layers.
- Enhance monitoring for threat actor chatter referencing UAE-based assets.
- Implement geo-fencing and rate limiting on critical web applications.
VMware Addresses Critical Vulnerability in Bitnami Helm Charts
VMware has released a security update addressing one critical vulnerability. The issue affects multiple Bitnami Helm charts, including appsmith, drupal, and wordpress, which mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) located within the web server’s document root. This misconfiguration could allow unauthenticated access to sensitive credentials via HTTP/S if the application is exposed externally.
The vulnerability, tracked as CVE-2025-41240, impacts deployments using the default setting usePasswordFiles=true, which mounts secrets as files within the container’s filesystem. A remote attacker could potentially exploit this issue by accessing specific URLs to retrieve those secrets, particularly if the application is publicly exposed. Users are strongly advised to apply the latest updates to mitigate the risk.
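The root cause described above is a Secret volume whose mount path falls inside the directory the web server serves. The following is an added example, not code from Bitnami or VMware: a small audit that walks a Pod spec, identifies Secret-backed volumes, and flags any mount of them that sits under a container's document root. The Pod spec, the volume and container names, and the document-root mapping are all constructed for illustration; the document root per container is assumed to be known from the image configuration.

```python
"""Audit a Kubernetes Pod spec for Secret volumes mounted inside a web document root.

Added example (not from the Bitnami charts or the advisory). The sample Pod spec
and paths are constructed to mirror the pattern described: a Secret mounted at
/opt/bitnami/<app>/secrets while the web server's document root is assumed to
be /opt/bitnami/<app>.
"""
from __future__ import annotations

from pathlib import PurePosixPath


def _is_within(path: str, root: str) -> bool:
    """True if `path` equals `root` or lies beneath it (pure path comparison,
    so /opt/bitnami/wordpressx is NOT inside /opt/bitnami/wordpress)."""
    p = PurePosixPath(path)
    r = PurePosixPath(root)
    return p == r or r in p.parents


def find_exposed_secret_mounts(pod_spec: dict, docroots: dict[str, str]) -> list[dict]:
    """Return every Secret (or projected Secret) volume mounted under a container's document root.

    `docroots` maps container name -> document root served by that container's
    web server (hypothetical input; take it from the image configuration).
    """
    secret_volumes = {
        v["name"]
        for v in pod_spec.get("volumes", [])
        if "secret" in v
        or any("secret" in src for src in v.get("projected", {}).get("sources", []))
    }
    findings = []
    for container in pod_spec.get("containers", []):
        root = docroots.get(container["name"])
        if root is None:
            continue  # no web server in this container, nothing to serve
        for mount in container.get("volumeMounts", []):
            if mount["name"] in secret_volumes and _is_within(mount["mountPath"], root):
                findings.append({
                    "container": container["name"],
                    "volume": mount["name"],
                    "mountPath": mount["mountPath"],
                    "docroot": root,
                })
    return findings


# Constructed sample Pod spec modelled on the pattern in the advisory.
SAMPLE_POD_SPEC = {
    "containers": [
        {
            "name": "wordpress",
            "volumeMounts": [
                {"name": "wordpress-data", "mountPath": "/bitnami/wordpress"},
                {"name": "wordpress-secrets", "mountPath": "/opt/bitnami/wordpress/secrets"},
            ],
        },
        {
            "name": "metrics",
            "volumeMounts": [
                {"name": "wordpress-secrets", "mountPath": "/secrets"},
            ],
        },
    ],
    "volumes": [
        {"name": "wordpress-data", "persistentVolumeClaim": {"claimName": "wp"}},
        {"name": "wordpress-secrets", "secret": {"secretName": "wordpress"}},
    ],
}

# Assumed document roots per container (hypothetical values for the sample).
SAMPLE_DOCROOTS = {"wordpress": "/opt/bitnami/wordpress", "metrics": "/nonexistent"}

if __name__ == "__main__":
    for f in find_exposed_secret_mounts(SAMPLE_POD_SPEC, SAMPLE_DOCROOTS):
        print(f"EXPOSED: container={f['container']} volume={f['volume']} "
              f"mount={f['mountPath']} is inside docroot={f['docroot']}")
```

On the sample spec the audit reports one finding, the `wordpress-secrets` volume mounted under the web document root; the same volume mounted at `/secrets` in the metrics sidecar is not reported because nothing serves that path. Running this against rendered chart output (`helm template`) is a cheap way to confirm a deployment no longer mounts credentials where a web server can reach them, independent of which `usePasswordFiles` setting is in effect.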
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Google Releases Security Update Addressing High-Risk Chrome Vulnerabilities
Google has released a security update to address two vulnerabilities in Google Chrome, resolved in the latest version (138.0.7204.168/.169 for Windows and macOS, and 138.0.7204.168 for Linux). The update will be rolled out over the coming days and weeks.
This release includes three security fixes, two of which were contributed by external researchers. Both contributed vulnerabilities are rated as high severity and are identified as Type Confusion in V8, Chrome’s JavaScript engine.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Help AG CTI Identifies Cyberattack Claims Targeting Gulf Region
The Help AG CTI team has identified a public claim by the Moroccan Black Cyber Army (MBCA) on Telegram, alleging responsibility for coordinated cyberattacks targeting critical infrastructure in the United Arab Emirates. The threat actor states that the attacks were politically motivated and expresses hostility toward the Gulf region.
MBCA claims to have disrupted services of several government and financial institutions and included check-host links as proof of a successful DDoS (Distributed Denial of Service) attack.
RECOMMENDATIONS
- Deploy DDoS mitigation solutions at both the application and network layers to absorb and filter malicious traffic.
- Utilize a Web Application Firewall (WAF) to identify and block harmful requests.
- Activate real-time traffic monitoring to quickly detect and respond to unusual activity.
- Implement failover and redundancy strategies to maintain availability of critical services.
- Ensure all systems are patched and updated.
APT39 Targets Airline and Logistics Systems in Sophisticated Cyber Campaign
An advanced persistent threat (APT) group identified as APT39 has been linked to a multi-year cyber-espionage campaign targeting airline reservation and logistics systems across Africa, Europe, and the Gulf region.
The group is deploying custom malware dubbed “Trailblazer”, delivered through spear-phishing emails containing flight-manifest-themed lures. Infections primarily affect airline help desk workstations.
The malware uses a stealthy C# loader that runs payloads only in memory, erasing disk artifacts, and evades detection by patching Windows APIs such as AMSI in memory. Command-and-control traffic mimics Microsoft Graph TLS (Transport Layer Security) telemetry.
Victims include airlines and logistics companies operating in the Middle East, Europe, and across global freight networks. Stolen data includes passenger manifests, API credentials, scanned passports, and VPN configurations, which are exfiltrated through VPS relays hosted under benign-looking domains. This campaign poses significant risks, including data theft, disruption of airport operations, and the potential for physical sabotage.
RECOMMENDATIONS
- Implement kernel-level integrity monitoring to detect in-memory patching of security tools.
- Increase monitoring of outbound TLS traffic, especially masquerading Microsoft Graph connections.
- Harden endpoint security to detect fileless malware and memory-resident threats.
- Train staff on spear-phishing risks and apply strict email filtering for suspicious flight-manifest requests.
Microsoft Releases Security Fix for SharePoint Path Traversal Vulnerability
Microsoft has released a security update addressing one vulnerability rated as Medium severity. The update fixes CVE-2025-53771, which affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. The vulnerability involves improper limitation of a pathname to a restricted directory (path traversal), allowing an authorized attacker to perform spoofing over a network.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Fortinet Patches Medium-Severity Flaws in FortiIsolator and FortiSandbox
Fortinet has released two security fixes, both rated as Medium severity. The update addresses CVE-2024-32124, an improper access control vulnerability [CWE-284] in FortiIsolator versions 2.4.4, 2.4.3, and all 2.3 versions. This flaw in the logging component may allow a remote authenticated read-only attacker to alter logs via a crafted HTTP request.
The update also fixes CVE-2024-27779, an insufficient session expiration vulnerability [CWE-613] affecting FortiSandbox versions 4.4.4 and below, 4.2.6 and below, all 4.0 versions, all 3.2 versions, and all FortiIsolator versions from 2.4 down through 1.2. This vulnerability may enable a remote attacker in possession of an admin session cookie to continue using that admin’s session even after the admin user has been deleted.
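The CWE-613 issue above is a session that outlives the account it was issued to. The following is an added example, not Fortinet code and not a description of the FortiSandbox or FortiIsolator implementation: a minimal server-side session store that revokes every session belonging to a user when that user is deleted, re-checks the live user record on each request as a second line of defence, and enforces an idle timeout. The class, method names, timestamps and the demo scenario are all constructed for illustration.

```python
"""Server-side session store that stops honouring a session once its user is gone.

Added example (not Fortinet code). It models the CWE-613 failure described in
the advisory, a cookie that keeps working after the account behind it is
deleted, and the two defensive measures that close it: revoke all sessions
bound to a user at deletion time, and resolve every request's session against
the live user record so a missed revocation still fails closed.
"""
from __future__ import annotations

import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout: float = 900.0):
        self.idle_timeout = idle_timeout          # seconds of inactivity allowed
        self._sessions: dict[str, dict] = {}      # session id -> {"user", "last_seen"}
        self._users: dict[str, dict] = {}         # username -> {"role"}

    # --- user lifecycle ---------------------------------------------------
    def add_user(self, username: str, role: str) -> None:
        self._users[username] = {"role": role}

    def delete_user(self, username: str) -> int:
        """Remove the user and revoke every session bound to it.

        Returns the number of sessions revoked."""
        self._users.pop(username, None)
        stale = [sid for sid, s in self._sessions.items() if s["user"] == username]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    # --- session lifecycle ------------------------------------------------
    def login(self, username: str, now: float | None = None) -> str:
        if username not in self._users:
            raise PermissionError("unknown user")
        sid = secrets.token_urlsafe(32)  # 256-bit random id, never derived from the user
        self._sessions[sid] = {
            "user": username,
            "last_seen": now if now is not None else time.time(),
        }
        return sid

    def resolve(self, sid: str, now: float | None = None) -> dict | None:
        """Return the live user record for a valid session, or None.

        Fails closed on an unknown id, an exceeded idle timeout, or a user
        that no longer exists (defence in depth if revocation was missed)."""
        now = now if now is not None else time.time()
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        user = self._users.get(s["user"])
        if user is None:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return {"user": s["user"], **user}


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: an admin logs in, is deleted, and the cookie is replayed.

    Returns (valid_before_deletion, valid_after_deletion, expired_by_idle_timeout)."""
    store = SessionStore(idle_timeout=900)
    store.add_user("admin", role="admin")
    cookie = store.login("admin", now=1000.0)
    valid_before = store.resolve(cookie, now=1010.0) is not None
    store.delete_user("admin")
    valid_after = store.resolve(cookie, now=1020.0) is not None
    # A second account shows the idle timeout working independently of deletion.
    store.add_user("auditor", role="read-only")
    cookie2 = store.login("auditor", now=2000.0)
    expired = store.resolve(cookie2, now=2000.0 + 901) is None
    return valid_before, valid_after, expired


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The important design point is that session validity is decided on the server against current state on every request; a cookie is only a lookup key, so deleting the user (or explicitly revoking) makes it worthless immediately, whatever its nominal lifetime.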
References
https://github.com/bitnami/charts/security/advisories/GHSA-wgg9-9qgw-529w
https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_22.html
https://cybersecuritynews.com/irans-cyber-actors-attacking-global-airlines/
https://blog.narimangharib.com/posts/2025%2F07%2F1752917718209?lang=en
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
https://fortiguard.fortinet.com/psirt/FG-IR-24-045
https://fortiguard.fortinet.com/psirt/FG-IR-24-035