Top Middle East Cyber Threats – June 6 2023


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:   


GoldenJackal APT Group Targets Governmental and Diplomatic Entities in the Middle East

A recent report by Kaspersky describes the GoldenJackal APT group, which has been active since 2019 and primarily targets governmental and diplomatic entities in the Middle East and South Asia. The initial infection vector is mostly malicious documents. The group uses several techniques for stealth, including enumerating the installed programs on a host and writing its executables into those program folders under plausible names, with file timestamps set to match the application's installation or modification dates. The group specifically targets machines with lower protection levels, such as those lacking EDR.
The group is fast to adopt zero-days. For example, when the Follina vulnerability (CVE-2022-30190) was disclosed, they started using it the next day.

The group's malware families include JackalControl, JackalWorm, JackalSteal and JackalScreenWatcher.
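The masquerading technique above defeats the obvious check (an executable whose timestamps look out of place), because the actors copy the neighbouring files' timestamps. The PowerShell hunt below is an added example written for this advisory, not code from the Kaspersky report or from Help AG; it walks each installed-program folder under Program Files, takes the Authenticode signer that validly signs most binaries in that folder as the vendor, and flags binaries that are unsigned, invalidly signed, or signed by someone else. The scan depth, the file extensions and the "dominant signer" heuristic are assumptions to tune for your estate.

```powershell
# Added example (not from the Kaspersky report): hunt for executables planted inside
# installed-program folders. Timestamps are deliberately not used as evidence, since the
# actors match them to the application; signer consistency within a folder is used instead.
# Run in an elevated PowerShell 5.1+ session.

$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$Depth = 3      # assumption: subfolder depth to scan below each program folder

function Get-BinarySignatures {
    param([string]$AppFolder)
    $bins = Get-ChildItem -LiteralPath $AppFolder -Recurse -Depth $Depth -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' }
    foreach ($f in $bins) {
        $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
        [pscustomobject]@{
            Path          = $f.FullName
            Status        = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            CreationTime  = $f.CreationTime  # shown for triage only; may have been forged
            LastWriteTime = $f.LastWriteTime
        }
    }
}

$findings = foreach ($root in $Roots) {
    foreach ($app in Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue) {
        $sigs = @(Get-BinarySignatures -AppFolder $app.FullName)
        if ($sigs.Count -eq 0) { continue }
        # The signer that validly signs the most binaries in this folder is taken as the vendor
        $dominant = $sigs | Where-Object Status -eq 'Valid' |
            Group-Object Signer | Sort-Object Count -Descending | Select-Object -First 1
        foreach ($s in $sigs) {
            $reason = $null
            if ($s.Status -ne 'Valid') {
                $reason = "signature status $($s.Status)"
            } elseif ($dominant -and $s.Signer -ne $dominant.Name) {
                $reason = 'signer differs from folder vendor'
            }
            if ($reason) {
                $s | Select-Object Path, Status, Signer, CreationTime, LastWriteTime,
                    @{ Name = 'App';    Expression = { $app.Name } },
                    @{ Name = 'Reason'; Expression = { $reason } }
            }
        }
    }
}

# Unsigned or foreign-signed binaries inside a known vendor's folder deserve triage;
# timestamps that match the neighbours are not by themselves evidence of legitimacy.
$findings | Sort-Object App, Path | Format-Table -AutoSize
```

Expect noise from legitimate vendors that ship unsigned helper DLLs; the value of the output is the short list of binaries that do not match the folder they live in, which is exactly what this group relies on going unnoticed. Pair the result with your application allow-listing baseline so that a planted binary is blocked even before it is found.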

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Ensure all machines have Endpoint protection.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don't allow macros in unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviors and shared IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Iranian Threat Actors Target UAE Organizations with Custom PowerShell Backdoor

The Iranian threat actor APT34 has been observed attacking organizations in the United Arab Emirates with a custom, targeted PowerShell-based backdoor (PowerExchange). The backdoor's C2 protocol is email-based, with the victim's own Microsoft Exchange server serving as the C2 server. One notable discovery on the compromised Exchange servers was a novel web shell, dubbed ExchangeLeech, notable for its ability to harvest credentials.

The infection chain within the targeted organization's network began with email phishing. A user opened a zip file named Brochure.zip that contained a malicious .NET executable with the same name, Brochure.exe, which was dropped into the %TEMP% folder. The executable carries an Adobe PDF icon and, when run, displays an error message box.

The executable is a dropper that installs and executes the final payload. It creates three files in the C:\Users\Public\MicrosoftEdge folder from base64 strings hardcoded in the executable, then establishes persistence for autosave.exe with a scheduled task named MicrosoftEdgeUpdateService that runs every five minutes.
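The persistence pattern above (an executable dropped into a user-writable folder and launched by a scheduled task on a short repetition interval) is easy to hunt for on any Windows host, whatever name the task carries. The script below is an added example written for this advisory, not code from the original research or from Help AG. It first checks for the specific artefacts named above, then runs a generic hunt over all scheduled tasks. The list of user-writable paths and the 10-minute threshold are assumptions to tune for your environment.

```powershell
# Added example (not from the original research): hunt for scheduled-task persistence.
# Flags tasks whose action executes from a user-writable location and/or whose trigger
# repeats at a short interval. Run in an elevated PowerShell 5.1+ session.

$UserWritable = @('C:\Users\Public\', 'C:\ProgramData\', "$env:TEMP\", 'C:\Windows\Temp\', '\AppData\')
$MaxInterval  = New-TimeSpan -Minutes 10     # assumption: "suspiciously frequent" threshold

function Get-RepeatInterval {
    param($Trigger)
    # Repetition.Interval is an ISO 8601 duration such as "PT5M"; empty when the trigger does not repeat
    $iso = $Trigger.Repetition.Interval
    if ([string]::IsNullOrEmpty($iso)) { return $null }
    try { return [System.Xml.XmlConvert]::ToTimeSpan($iso) } catch { return $null }
}

function Get-SuspiciousTasks {
    foreach ($task in Get-ScheduledTask) {
        # Shortest repetition interval across all of the task's triggers
        $shortest = $null
        foreach ($t in $task.Triggers) {
            $iv = Get-RepeatInterval $t
            if ($iv -and (-not $shortest -or $iv -lt $shortest)) { $shortest = $iv }
        }
        $frequent = [bool]($shortest -and $shortest -le $MaxInterval)
        foreach ($action in $task.Actions) {
            # Expand %SystemRoot%-style variables so path matching sees the real location
            $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)")
            $inUserPath = [bool]($UserWritable | Where-Object { $exe -like "*$_*" })
            if ($inUserPath -or $frequent) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Interval  = $shortest
                    Reason    = @(
                        if ($inUserPath) { 'user-writable path' }
                        if ($frequent)   { "repeats every $shortest" }
                    ) -join ', '
                }
            }
        }
    }
}

# 1. Direct checks for the artefacts named in the report
Get-ScheduledTask -TaskName 'MicrosoftEdgeUpdateService' -ErrorAction SilentlyContinue |
    Select-Object TaskName, TaskPath, State, @{ Name = 'Execute'; Expression = { $_.Actions.Execute } }
Get-ChildItem -LiteralPath 'C:\Users\Public\MicrosoftEdge' -Force -ErrorAction SilentlyContinue

# 2. Generic hunt: tasks running from user-writable paths or at short intervals
Get-SuspiciousTasks | Sort-Object Interval | Format-Table -AutoSize
```

A task that runs every five minutes from C:\Users\Public is the kind of result this produces; legitimate software updaters usually live under Program Files and repeat hourly or daily, so the combination of both reasons on one task is a strong triage signal. Because the backdoor's C2 rides on the organization's own Exchange server, network egress monitoring will not catch it; host-side hunting such as this, plus a review of Exchange mailbox activity from the affected users, is the practical detection path.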

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don't allow macros in unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and shared IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

GitLab Strongly Recommends Patching CVE-2023-2825

GitLab has released an emergency security update, version 16.0.1, to address a maximum severity (CVSS v3.1 score: 10.0) path traversal flaw tracked as CVE-2023-2825.

GitLab is a web-based Git repository manager for developer teams that need to manage their code remotely, with approximately 30 million registered users and one million paying customers.

The vulnerability affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0 only; older versions are not affected.

The flaw arises from a path traversal problem that allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

The exploitation of CVE-2023-2825 could expose sensitive data, including proprietary software code, user credentials, tokens, files, and other private information.

All users of GitLab 16.0.0 are recommended to update to version 16.0.1 as soon as possible to mitigate the risk.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

Threat Actor Compromises Barracuda ESG Appliances via Zero-day

Barracuda Networks has recently identified a remote command injection vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway (appliance form factor only) versions 5.1.3.001-9.2.0.006 that allows a remote attacker to execute a command with the privileges of the Email Security Gateway product.

Attacks exploiting this zero-day (CVE-2023-2868) against a subset of ESG appliance customers have resulted in the deployment of three malware families and in data exfiltration:

  • SALTWATER, a trojanized module for the Barracuda SMTP daemon (bsmtpd), which serves as a backdoor that has proxy and tunneling capabilities and allows attackers to upload or download arbitrary files and execute commands.
  • SEASPY, an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP).
  • SEASIDE, a Lua-based module for the Barracuda SMTP daemon (bsmtpd) that establishes a connection to the attackers’ C2 server and helps establish a reverse shell (to provide access to the system).

RECOMMENDATIONS

  • Ensure your ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda.
  • Discontinue the use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance.
  • Rotate any applicable credentials connected to the ESG appliance: any connected LDAP/AD account, Barracuda Cloud Control, FTP server and SMB credentials, and any private TLS certificates.
  • Monitor your network for abnormal behaviours and shared IoCs.
  • Ensure frequent backups are in place.

Google Chrome Update Fixes Multiple Vulnerabilities

Google has published a security update addressing multiple vulnerabilities in the Chrome browser, fixed in the latest stable release (114.0.5735.90 for Linux and Mac, 114.0.5735.90/91 for Windows).

The update includes 16 security fixes and 13 of them were contributed by external researchers. Out of the 13 contributed fixes, eight were assigned as high, four as medium and one as low in risk level.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

PostalFurious SMS Campaign Targets UAE Citizens for Data Theft

Residents in the United Arab Emirates have been targeted by SMS campaigns that aim to steal payment and personal details. Previously targeted at users in Asia-Pacific, the campaign has been named PostalFurious as it impersonates postal services.

In this campaign, payment details are collected via scam SMS messages asking the recipient to pay fees for tolls and deliveries. The URLs from the texts lead to fake branded payment pages that ask for personal details, such as name, address, and credit-card information. The phishing pages also appropriate the official name and logo of the impersonated postal service provider and can only be accessed from UAE-based IP addresses.

The text messages contain a shortened URL that leads to the fake branded payment page; the campaign has been active since at least April 15 of this year. Initially it impersonated a UAE toll operator, but a new version launched on April 29 spoofs the UAE postal service.

RECOMMENDATIONS

  • Conduct regular training sessions to educate employees on SMS scams.
  • Be cautious of unknown senders and don’t click untrusted links.
  • Don’t share personal information publicly.
  • Enable SMS filters to discard messages from unknown origins.

Researchers Warn of Surge in TrueBot Activity

Researchers have issued a warning about a surge of TrueBot activity in May 2023. TrueBot is a downloader that gathers information from compromised systems and uses them to carry out further malicious activity. As observed recently in Clop ransomware intrusions, the activity also included LSASS memory dumps, data exfiltration, and system and process enumeration.
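The LSASS dumps mentioned above are the step that turns a downloader infection into domain-wide credential theft, and they leave a reliable trace: a process other than the usual system components opening lsass.exe with memory-read rights. The PowerShell hunt below is an added example written for this advisory, not code from the researchers' report or from Help AG. It reads Sysmon ProcessAccess events (Event ID 10), keeps only those targeting lsass.exe with an access mask that permits reading or writing process memory, and drops a small allow list of system images. Sysmon must be installed with ProcessAccess logging enabled; the allow list, the 7-day window and the mask bits considered interesting are assumptions.

```powershell
# Added example (not from the researchers' report): hunt for LSASS memory access of the
# kind that precedes a credential dump. Requires Sysmon with Event ID 10 (ProcessAccess)
# logging for lsass.exe. Run in an elevated PowerShell 5.1+ session.

$Since = (Get-Date).AddDays(-7)     # assumption: look-back window
# Source images that routinely open lsass.exe on a healthy host (assumption; tune per environment)
$KnownGood = @('C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe',
               'C:\Windows\System32\lsass.exe', 'C:\Windows\System32\svchost.exe')
# Access-mask bits that allow reading process memory or injecting into the process
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_READ       = 0x0010
$PROCESS_VM_WRITE      = 0x0020
$PROCESS_ALL_ACCESS    = 0x1F0FFF

function Get-LsassAccessEvents {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetImage'] -notlike '*\lsass.exe') { continue }

        $access = [Convert]::ToInt32($d['GrantedAccess'], 16)    # e.g. "0x1010" -> 4112
        $memory = ($access -band ($PROCESS_VM_READ -bor $PROCESS_VM_WRITE -bor $PROCESS_CREATE_THREAD)) -ne 0 -or
                  ($access -band $PROCESS_ALL_ACCESS) -eq $PROCESS_ALL_ACCESS
        if (-not $memory) { continue }
        if ($KnownGood -contains $d['SourceImage']) { continue }

        [pscustomobject]@{
            Time          = $e.TimeCreated
            SourceImage   = $d['SourceImage']
            SourcePid     = $d['SourceProcessId']
            GrantedAccess = $d['GrantedAccess']
            # A call stack passing through UNKNOWN modules is typical of injected or reflective code
            UnknownModule = ($d['CallTrace'] -like '*UNKNOWN*')
            CallTrace     = $d['CallTrace']
        }
    }
}

Get-LsassAccessEvents | Sort-Object Time |
    Format-Table Time, SourceImage, SourcePid, GrantedAccess, UnknownModule -AutoSize
```

Masks such as 0x1010 (query information plus VM read) and 0x1FFFFF (full access) are what dumping tools typically request; an EDR or backup agent on the allow list will show up with the same masks, which is why the list is per-environment. Where Sysmon is not deployed, Windows Defender's Attack Surface Reduction rule "Block credential stealing from the Windows local security authority subsystem" blocks the same behaviour rather than merely logging it.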

While TrueBot was previously distributed mainly through malicious emails, its operators have recently exploited a critical vulnerability in Netwrix Auditor, tracked as CVE-2022-31199 (CVSS score: 9.8), and used Raspberry Robin as a delivery vector.

The malware has been active since 2017, and some researchers have linked it to the Silence Group. A more recent investigation associates it with the Russian threat actor TA505 (referred to as Evil Corp in some reporting).

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don't allow macros in unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours and shared IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

Mysterious Team Continues to Target UAE Sectors

In our ongoing commitment to monitoring the current DDoS campaign, the Help AG CTI team has observed that the Bangladesh threat actor, known as the Mysterious Team, has recently targeted entities in the United Arab Emirates related to both the banking and aerospace sectors.

RECOMMENDATIONS

  • Ensure your organization has sufficient bandwidth, and build in redundancy by spreading traffic across load balancers.
  • Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols.
  • Deploy a DDoS protection solution to protect your servers from both network and applications layer DDoS attacks.
  • Have a response plan: Having a plan in place for responding to DDoS attacks can help you quickly and effectively respond to the attack and minimize its impact.
  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files, or attachments.
  • Enable software restriction policies and application whitelisting.
  • Enforce the Restricted PowerShell script execution policy.
  • Monitor your network for abnormal behavior and shared IoCs.
  • Ensure frequent backups are in place.
