Top Middle East Cyber Threats – June 20 2023
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.
Anonymous Sudan Allegedly Compromises Millions of Microsoft Accounts
The hacktivist group Anonymous Sudan, already running a DDoS campaign against targets in the UAE, has allegedly extended its operations to US companies and infrastructure. The attacks caused significant downtime of Microsoft Outlook for thousands of US users. The group also claims to have compromised multiple Microsoft systems and to hold the data of more than 30 million Microsoft customers.
Over the past week, numerous Microsoft services have been targeted, including Outlook, OneDrive, the Microsoft sign-up service, Bing, and most recently portal.azure.com. Information about the claimed data theft is limited at this point, and the claim should be treated as unverified until Microsoft confirms it; continuous monitoring is being carried out.
Help AG’s CTI team will remain vigilant and provide updates as this situation progresses.
RECOMMENDATIONS
- Provision sufficient bandwidth and build in redundancy by spreading traffic across multiple servers behind load balancers.
- Configure network hardware to drop traffic on ports and protocols you do not serve, so that only expected traffic reaches your applications.
- Deploy a DDoS protection solution that covers both network-layer (volumetric) and application-layer (HTTP/HTTPS) attacks.
- Have a response plan: a documented, rehearsed DDoS playbook (who to call at your upstream provider, which traffic to shed first, how to communicate with users) lets you respond quickly and limit the impact.
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Enable software restriction policies and application allowlisting (whitelisting).
- Enforce the Restricted PowerShell script execution policy. Note that execution policy is a safety feature rather than a security boundary (a user or script can bypass it), so pair it with application control and script block logging.
- Monitor your network for abnormal behaviour and for the shared IoCs.
- Ensure frequent backups are in place.
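The "monitor your network for abnormal behaviour" item is the one that needs tooling behind it. The Python script below is an added example, not Help AG's MSS tooling and not code from the original post: it parses web-server access logs in the combined format, buckets requests into fixed time windows, and flags two things, a single source exceeding a per-IP threshold and a window whose total exceeds a global threshold (the distributed case, where no single address stands out). The log lines, thresholds, and addresses (from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, aware datetime, request line, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("req"), int(m.group("status")))


def detect_flood(lines, window_seconds=10, per_ip_threshold=50, total_threshold=200):
    """Bucket requests into fixed windows and flag two kinds of abnormal rate.

    Returns (noisy_sources, hot_windows):
      noisy_sources: {ip: peak requests from that ip within one window}
                     for every ip that exceeded per_ip_threshold
      hot_windows:   ISO timestamps of windows whose total exceeded total_threshold,
                     which catches a distributed flood where no single source is loud
    """
    per_window = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than crash in the middle of an incident
        ip, ts, _, _ = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        per_window[bucket][ip] += 1

    noisy_sources, hot_windows = {}, []
    for bucket in sorted(per_window):
        counts = per_window[bucket]
        if sum(counts.values()) > total_threshold:
            hot_windows.append(datetime.fromtimestamp(bucket, timezone.utc).isoformat())
        for ip, n in counts.items():
            if n > per_ip_threshold and n > noisy_sources.get(ip, 0):
                noisy_sources[ip] = n
    return noisy_sources, hot_windows


def make_sample():
    """Constructed access log (not real traffic): light legitimate activity,
    one single-source burst, and one distributed burst."""
    base = datetime(2023, 6, 20, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(5):                                  # five ordinary clients, two hits each
        lines.append(line(f"198.51.100.{i + 1}", i * 7, "/index.html"))
        lines.append(line(f"198.51.100.{i + 1}", i * 7 + 3, "/style.css"))
    for k in range(120):                                # 120 requests in 10 s from one source
        lines.append(line("203.0.113.5", 20 + k / 12, "/login"))
    for j in range(60):                                 # 60 sources x 5 requests in one window
        for s in range(5):
            lines.append(line(f"203.0.113.{10 + j}", 40 + s, "/"))
    return lines


if __name__ == "__main__":
    noisy, hot = detect_flood(make_sample())
    print("sources over per-IP threshold:", noisy)
    print("windows over total threshold:", hot)
```

The two checks are deliberately separate: a per-source threshold alone is blind to a botnet that keeps every address just under the line, while a window-total threshold alone cannot tell you which address to block. In practice, derive the thresholds from a baseline of your own traffic rather than the constants used here, and feed the output into the blocking and upstream-provider steps of the response plan.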
Fortinet Patches Critical SSL VPN Vulnerability
Fortinet has released new FortiGate firmware updates that fix a critical, as yet undisclosed, pre-authentication remote code execution vulnerability in the SSL VPN component. Because the flaw is reachable before authentication, it is exploitable even where MFA is enabled.
At the time of writing, Fortinet had not officially confirmed the vulnerability. Fortinet is known to ship security patches before disclosing critical vulnerabilities, to give customers time to update before threat actors reverse-engineer the fix. In the past, FortiGate SSL VPN flaws have been exploited within days of a patch being released.
RECOMMENDATIONS
- Apply the new FortiGate firmware to every SSL VPN-enabled device as a priority, and keep all other systems patched and updated.
GitLab Addresses Severe Path Traversal Flaw with Emergency Update
GitLab has released an emergency security update, version 16.0.1, to address a maximum severity (CVSS v3.1 score: 10.0) path traversal flaw tracked as CVE-2023-2825.
GitLab is a web-based Git repository manager for developer teams that manage their code remotely; it has approximately 30 million registered users and one million paying customers.
The vulnerability affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0 only; older versions are not affected.
The flaw arises from a path traversal problem that allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
The exploitation of CVE-2023-2825 could expose sensitive data, including proprietary software code, user credentials, tokens, files, and other private information.
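The flaw class is worth seeing in code. The snippet below is an added illustration in Python, not GitLab's code and not a reproduction of CVE-2023-2825: `resolve_unsafe` shows the pattern that produces path traversal (joining a caller-supplied path onto a base directory with no containment check), and `resolve_safe` shows the fix (canonicalise `..` segments and symlinks, then verify the result is still under the base). The directory layout, file names, and request strings in `demo` are constructed in a temporary directory for the example.

```python
import os
import tempfile
from pathlib import Path


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: join the caller-supplied path and use it as-is.

    '..' segments survive, an absolute `requested` discards base_dir entirely,
    and a symlink under base_dir is followed wherever it points.
    """
    return os.path.join(base_dir, requested)


def resolve_safe(base_dir: str, requested: str) -> Path:
    """Hardened version: canonicalise first, then check containment.

    resolve() collapses '..' and follows symlinks, so the check is made on the
    path the OS would actually open, not on the string the caller sent.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"{requested!r} resolves outside {base}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """True if the safe resolver accepts the request, False if it rejects it."""
    try:
        resolve_safe(base_dir, requested)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Run both resolvers over constructed inputs in a scratch directory.

    Returns {case: (unsafe_join_result, accepted_by_safe_resolver)}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "uploads")
        base.mkdir()
        (base / "report.pdf").write_text("attachment body")   # legitimate attachment
        secret = Path(tmp, "secret.txt")
        secret.write_text("not for download")                 # file outside the base dir
        (base / "link").symlink_to(secret)                    # symlink inside base, escaping it
        cases = {
            "plain": "report.pdf",
            "dotdot": "../secret.txt",
            "absolute": str(secret),
            "symlink": "link",
        }
        return {
            name: (resolve_unsafe(str(base), req), is_contained(str(base), req))
            for name, req in cases.items()
        }


if __name__ == "__main__":
    for name, (unsafe, accepted) in demo().items():
        print(f"{name:9} unsafe_join={unsafe}  safe_resolver_accepts={accepted}")
```

Note that rejecting the string `..` is not enough on its own: the absolute-path and symlink cases contain no `..` at all and still escape the directory, which is why the check is done on the resolved path rather than on the input.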
RECOMMENDATIONS
- Upgrade GitLab CE/EE 16.0.0 instances to 16.0.1 as soon as possible, and keep all other systems patched and updated.
Google Chrome Update Fixes Multiple Vulnerabilities
Google has published a Chrome security update that fixes multiple vulnerabilities. The fixed versions are 114.0.5735.133 for Mac and Linux and 114.0.5735.133/134 for Windows.
The most severe of the reported vulnerabilities is CVE-2023-3214, rated Critical and described as a use-after-free in Autofill payments.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Espionage Group Exploits VMware Tools Vulnerability for Backdoor Deployment
VMware Tools contains an authentication bypass vulnerability in the vgauth module. VMware has rated the severity of this issue as Low, with a maximum CVSSv3 base score of 3.9.
A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.
Although CVE-2023-20867 carries a low severity rating, it has been exploited in recent attacks by the Chinese cyber espionage group UNC3886 to deploy backdoors on guest VMs from ESXi hosts on which the group had already obtained root. The low score reflects the precondition (a fully compromised host), not the impact once that precondition is met.
To remediate CVE-2023-20867, update VMware Tools on guest VMs to the fixed version, 12.2.5.
RECOMMENDATIONS
- Update VMware Tools to 12.2.5 or later on all guests, harden and monitor ESXi hosts (host compromise is the precondition for this attack), and keep all other systems patched and updated.
Microsoft Addresses 69 New Vulnerabilities in June 2023 Update
Microsoft has fixed 69 vulnerabilities in the June 2023 update, addressing CVEs in Microsoft Windows and Windows Components, Office and Office Components, Exchange Server, Microsoft Edge (Chromium-based), SharePoint Server, .NET and Visual Studio, Microsoft Teams, Azure DevOps, Microsoft Dynamics, and the Remote Desktop Client. This is in addition to 25 CVEs previously released by third parties that are now documented in the Security Update Guide.
Of the 94 CVEs covered in total, 6 are rated Critical, 9 High, 71 Important, 4 Medium, 2 Moderate, and 2 Low. None of the CVEs is listed as publicly known or under active attack at the time of release.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
References:
- https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaw-in-fortigate-ssl-vpn-devices-patch-now/
- https://olympecyberdefense.fr/1193-2/
- https://twitter.com/LexfoSecurite/status/1667898590713266177
- https://twitter.com/cfreal_/status/1667852157536616451?cxt=HHwWhoC2veuss6UuAAAA
- https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_13.html
- https://www.vmware.com/security/advisories/VMSA-2023-0013.html
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass
- https://www.zerodayinitiative.com/blog/2023/6/13/the-june-2023-security-update-review