Threat advisories

Top Middle East Cyber Threats – June 25th, 2024  

3 min to read
Top Middle East Cyber Threats – June 25th, 2024  

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats. 

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead. 

SneakyChef Espionage Group Targets Government Agencies 

Cisco Talos has identified a new remote access trojan (RAT) named SpiceRAT, alongside the known malware SugarGh0st, deployed by the threat actor SneakyChef. These malwares target government agencies in EMEA and Asia via phishing campaigns utilizing LNK files, HTA files, and SFX RAR as initial access vectors. 

Attack Methods: 

  1. SFX RAR Files: When victims run the executable, it results in a decoy document, a DLL loader, encrypted SugarGh0st, and a malicious VB script being dropped and executed. Persistence is achieved by modifying the UserInitMprLogonScript registry key.
     
  2. LNK Files: A malicious RAR file contains a Windows shortcut (LNK), which, when extracted and executed, runs a malicious executable and installs SpiceRAT.
     
  3. HTA Files: Delivered via a RAR archive, the HTA file runs a VB script that drops and executes a malicious downloader disguised as “Microsoft.txt” to download and perform further malicious activities. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files, or attachments. 
  • Don’t allow Macros for unknown MS Office files. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure that your email server is configured to block any suspicious files. 
  • Enforce the Restricted PowerShell script execution policy for end users. 
  • Monitor your network for abnormal behaviors and IoCs. 
  • Ensure frequent backups are in place. 
  • Educate employees about detecting and reporting phishing / suspicious emails. 

Smishing Triad Launches Phishing Attacks to Steal Personal and Financial Information 

Researchers have identified a new activity of the Smishing Triad. The group’s latest tactic involves sending malicious messages via iMessage and SMS. The goal is to steal personal and financial information. The code and templates used by the attackers in this smishing kit are consistent with those observed in previous instances involving the Smishing Triad. Once the victim clicks on the phishing link, the actors display a payment form and notification demanding that the victim arrange payment and provide credit card details to cover additional fees supposedly required to receive a package. 

The Smishing Triad is recognized for targeting customers of online banking, e-commerce, and payment systems across numerous countries worldwide. 

RECOMMENDATIONS 

  • Avoid clicking or opening untrusted or unknown links. 
  • Verify the source and report suspicious messages directly. 
  • Install and regularly update security software on your mobile device. This can help detect and block known smishing attacks. 
  • Monitor your network for abnormal behaviors and IoCs. 
  • Ensure frequent backups are in place. 
  • Educate employees about detecting and reporting phishing / suspicious messages. 

Google Chrome Update Addresses Critical Vulnerabilities 

Google has published a security update to address multiple vulnerabilities in the Chrome browser, which are now fixed in the latest version (126.0.6478.114/115 for Windows and Mac, and 126.0.6478.114 for Linux). 

The update includes six security fixes. All four of these vulnerabilities are assigned a high severity level.

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

Fortinet Releases Security Update Bulletins  

Fortinet has released a security update bulletin to address vulnerabilities in multiple Fortinet products, including FortiOS, FortiProxy, FortiSwitchManager, FortiPAM, FortiSOAR, FortiClientWindows, FortiClientMac, FortiClientLinux, and FortiPortal software. 

This update includes one high severity, five medium severity, and two low severity vulnerabilities. 

CVE-2024-23110 – Multiple buffer overflows in diag npu command: Multiple stack-based buffer overflow vulnerabilities in the command line interpreter of FortiOS may allow an authenticated attacker to execute unauthorized code or commands via specially crafted command line arguments. This CVE has been assigned a CVSS score of 7.4. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

References 

https://blog.talosintelligence.com/sneakychef-sugarghost-rat/

https://blog.talosintelligence.com/new-spicerat-sneakychef/

https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_18.html

https://www.resecurity.com/blog/article/smishing-triad-is-targeting-pakistan-to-defraud-banking-customers-at-scale 

https://fortiguard.fortinet.com/psirt/FG-IR-23-460

https://fortiguard.fortinet.com/psirt/FG-IR-24-036

https://fortiguard.fortinet.com/psirt/FG-IR-23-471

https://fortiguard.fortinet.com/psirt/FG-IR-23-495

https://fortiguard.fortinet.com/psirt/FG-IR-23-356

https://fortiguard.fortinet.com/psirt/FG-IR-24-170

https://fortiguard.fortinet.com/psirt/FG-IR-23-423

https://fortiguard.fortinet.com/psirt/FG-IR-24-128

 

Share this article

title
Upcoming event

Black Hat MEA 2024

  • KSA
  • Riyadh