Top Middle East Cyber Threats – June 11, 2024 

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.

Daixin Team Ramps Up Ransomware Attacks on ESXi Servers

Recently there was a surge in ransomware activity, specifically targeting infrastructure, with a focus on compromising ESXi servers.

The observed threat is attributed to the Daixin Team ransomware group. The threat actor is a financially motivated ransomware group in operation since June 2022 and known for its sophisticated tactics and destructive capabilities. Like other ransomware groups, acquiring credentials and exploiting vulnerabilities in public-facing applications are known to be used as a primary entry point into the networks.

The Daixin Team ransomware group has been observed targeting ESXi servers, leveraging various attack vectors to gain unauthorized access. Upon infiltration, the actors will encrypt the critical data stored on these servers, demanding ransom payments for decryption keys.

RECOMMENDATIONS

• Restrict access to the hypervisor and virtual environment to authorized identities or specific subnets (restricted from VPN, other zones, and through network segmentation).
• Keep hypervisor software updated with the latest patches to minimize the risk of vulnerabilities being exploited.
• Use firewalls to separate the virtual environment from the external network to limit the impact of an attack.
• Enable encryption for virtual machine data to make it harder for attackers to steal sensitive information.
• Secure Boot is a security standard developed to ensure that a device boots using only software trusted by the Original Equipment Manufacturer (OEM).
• MFA is imperative to mitigate the risk of unauthorized access, even if login credentials are compromised. Enabling MFA across all systems and accounts adds an additional layer of security against Daixin Team’s tactics.
• DRP tools are strongly recommended to detect and respond to threats posed by Daixin Team. These tools offer proactive monitoring capabilities to identify unauthorized access attempts and potential data leaks.
• Continuously monitor your network for abnormal behaviours and IoCs
• Keep all systems up-to-date with the latest patches and updates.
• Enable software restriction policies and application whitelisting to control which applications can run on your systems.
• Regularly back up your data to ensure you can recover in case of an attack.

Sylhet Gang and Black Maskers Army Heighten Attacks on .ae Domains

Recent intelligence has identified heightened activity from the hacktivist groups Sylhet Gang and Black Maskers Army. Both groups have declared their intent to target all domains with the .ae extension.

Group Profiles:

1. Sylhet Gang:
   • An emerging hacktivist group with a focus on disrupting services in the Middle East.
   • Known for their web-based exploit tactics and defacement campaigns.
2. Black Maskers Army:
   • Hacktivist group notorious for targeting various entities within the UAE.
   • Specializes in DDoS attacks and has a history of successful breaches.

Given the declared intentions of Sylhet Gang and Black Maskers Army, it is imperative to enhance your security posture immediately. By following the recommendations outlined in this advisory, you can mitigate the risks associated with these hacktivist activities.

RECOMMENDATIONS

• Ensure sufficient bandwidth in your organization and redundancy by spreading traffic using load balancers.
• Configure your network hardware to filter unwanted ports and protocols against DDoS attacks.
• Deploy DDoS protection solutions to safeguard your servers from both network and application layer DDoS attacks.
• Ensure all systems are patched and updated.
• Maintain constant monitoring of all web-based activities for unusual or suspicious behaviour.
• Regularly review logs for any signs of attempted or successful exploitation.

Vidar Stealer Spreads Through Fake KMSPico Activator Tool

Recent attacks have revealed that the Vidar stealer is being spread through a fake KMSPico activator tool. The attackers use Java dependencies and a malicious AutoIt script to disable Windows Defender, eventually decrypting the Vidar payload using shellcode.

The malware was hosted on a command-and-control (C2) server, which tricked users into downloading a fake activator tool. The C2 server was protected by Cloudflare Turnstile and to access the download, users had to pass a Cloudflare Turnstile verification by entering a code. The downloaded ZIP package contained Java dependencies and the malicious executable. It is noticed that Vidar Stealer uses Telegram for the Dead Drop Resolver to store the C2 IP address.

RECOMMENDATIONS

• Ensure all systems are patched and updated.
• Avoid clicking or opening untrusted or unknown links, files, or attachments.
• Don’t allow Macros for unknown MSOffice files.
• Enable software restriction policies and application whitelisting.
• Ensure that your email server is configured to block any suspicious files.
• Enforce the Restricted PowerShell script execution policy for end users.
• Monitor your network for abnormal behaviours and IoCs.
• Ensure frequent backups are in place.
• Educate employees about detecting and reporting phishing / suspicious emails.

UAC-0020 Group Targets Defenses with SPECTR Malware

The APT UAC-0020 (Vermin) group has been discovered targeting defenses through phishing emails. This group consists of individuals identified as employees of law enforcement agencies in the temporarily occupied Luhansk region.

An email was sent to the victim with a password-protected RAR attachment containing malicious batch scripts and installers. The batch scripts install SPECTR malware, which functions as an information stealer. The “sync.exe” file contained both legitimate SyncThing components and SPECTR malware files, including auxiliary libraries and scripts.

The malware used the robocopy utility to stage sensitive information on the machine and later exfiltrated it using the legitimate “SyncThing” software.

RECOMMENDATIONS

• Ensure all systems are patched and updated.
• Avoid clicking or opening untrusted or unknown links, files, or attachments.
• Don’t allow Macros for unknown MSOffice files.
• Enable software restriction policies and application whitelisting.
• Ensure that your email server is configured to block any suspicious files.
• Enforce the Restricted PowerShell script execution policy for end users.
• Monitor your network for abnormal behaviours and IoCs.
• Ensure frequent backups are in place.
• Educate employees about detecting and reporting phishing / suspicious emails.

Google Chrome Releases Security Channel Update for Desktop

Google has published a security update to address multiple vulnerabilities in the Chrome browser, which are now fixed in the latest version 125.0.6422.141/.142 for Windows and Mac, and 125.0.6422.141 for Linux platforms.

The update includes 11 security fixes, with 7 vulnerabilities identified as High severity. These high-severity vulnerabilities were discovered by external researchers.

RECOMMENDATIONS

• Ensure all systems are patched and updated.

References

• https://www.esentire.com/blog/autoit-delivering-vidar-stealer-via-drive-by-downloads
• https://cert.gov.ua/article/6279600
• https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_30.html