Top Middle East Cyber Threats – March 19, 2024

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats. 

In this blog post, we share the top cybersecurity threats our MSS team has recently come across. Read on to learn what you need to look out for in the weeks ahead.

Earth Krahang Targets Global Public-Facing Servers with Sophisticated Attacks

The cyber threat group Earth Krahang has been identified targeting public-facing servers and sending spear-phishing emails to distribute previously unknown backdoors, according to Trend Micro.

The attacks have spanned multiple sectors, including finance, insurance, NGOs, think tanks, healthcare, IT, manufacturing, media, military, real estate, retail, sports, and tourism, with a global reach that includes the United Arab Emirates among the affected regions. 

Earth Krahang exploits access to government infrastructure to target additional government entities, misusing it to host malicious payloads, proxy attack traffic, and dispatch spear-phishing emails to government-related targets through compromised government email accounts. The group employs a variety of tactics, such as installing VPN servers on compromised public-facing servers to penetrate victims’ private networks and conducting brute-force attacks to obtain email credentials. These credentials are then used to extract sensitive emails from victims. 

Additionally, Earth Krahang engages in extensive vulnerability scanning using tools like sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan. These scanning activities are aimed at identifying vulnerabilities in web servers, granting unauthorized server access, and facilitating the deployment of web shells and backdoors. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files or attachments. 
  • Don’t allow macros in MS Office files from unknown sources. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure that your email server is configured to block any suspicious files. 
  • Enforce the Restricted PowerShell script execution policy for end users. 
  • Monitor your network for abnormal behaviors and IoCs. 
  • Ensure frequent backups are in place. 
  • Educate employees about detecting and reporting phishing / suspicious emails. 

Cisco Fixes High-Severity Vulnerability in Secure Client Products 

Cisco has patched a high-severity vulnerability (CVE-2024-20337) in its Secure Client products: a carriage return line feed (CRLF) injection flaw caused by insufficient validation of user-supplied input. 

A vulnerability in the SAML authentication process of Cisco Secure Client could enable an unauthenticated, remote attacker to execute a carriage return line feed (CRLF) injection attack against a user. 

This vulnerability could be exploited if an attacker convinces a user to click on a manipulated link during a VPN session setup. Successful exploitation could permit the attacker to run arbitrary script code in the browser or access sensitive browser-based data, including a valid SAML token. 
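To make the weakness class concrete, the constructed Python example below (added here; not Cisco Secure Client code and not a reproduction of CVE-2024-20337) shows a redirect that copies a user-supplied RelayState value into an HTTP header, how a value containing CR/LF splits it into an extra header of the attacker's choosing, and the allowlist validation that closes the gap. The IdP URL and header names are invented.

```python
import re

# Constructed illustration of CRLF header injection and its fix. Not Cisco
# Secure Client code; the IdP URL and header names are invented.

# Allowlist of URL characters (RFC 3986 unreserved, reserved and '%').
# CR and LF are absent, so a header-splitting value cannot pass.
URL_SAFE = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")

def build_redirect_unsafe(relay_state: str) -> bytes:
    """Vulnerable: the caller-controlled value is copied into a header verbatim."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: https://idp.example.test/sso?RelayState={relay_state}\r\n"
        "\r\n"
    ).encode("latin-1")

def build_redirect_safe(relay_state: str) -> bytes:
    """Hardened: refuse the value unless every character is in the allowlist."""
    if not URL_SAFE.fullmatch(relay_state):
        raise ValueError("RelayState contains characters not allowed in a header")
    return build_redirect_unsafe(relay_state)

def parse_response_headers(raw: bytes) -> dict:
    """Split the serialized response on CRLF as a client would; lower-cased names."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def header_injection_succeeds(relay_state: str) -> bool:
    """True if the unsafe builder lets the value smuggle in a header of its own."""
    return "x-injected" in parse_response_headers(build_redirect_unsafe(relay_state))

def validation_blocks(relay_state: str) -> bool:
    """True if the hardened builder rejects the value."""
    try:
        build_redirect_safe(relay_state)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    crafted = "dashboard\r\nX-Injected: 1"  # constructed value with an embedded CRLF
    print("unsafe builder leaks extra header:", header_injection_succeeds(crafted))
    print("allowlist validation blocks it:", validation_blocks(crafted))
    print("benign value still accepted:", not validation_blocks("dashboard"))
```

The same check belongs on every value that reaches a header or a redirect target; rejecting rather than stripping CR/LF keeps the server from silently emitting something other than what the caller asked for.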

Below is the information on the fixed releases:

Cisco Secure Client Release    First Fixed Release
Earlier than 4.10.04065        Not vulnerable
4.10.04065 and later           4.10.08025
5.0                            Migrate to a fixed release
5.1                            5.1.2.42

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

Apple Addresses Zero Day Vulnerabilities in macOS 

Apple has released security updates addressing multiple vulnerabilities in macOS Sonoma, macOS Ventura, macOS Monterey, and Safari. The updates patch a total of 76 CVEs, including two zero-day vulnerabilities, CVE-2024-23296 and CVE-2024-23225, which have been resolved on macOS platforms. 

The latest available versions are Safari 17.4, macOS Sonoma 14.4, macOS Ventura 13.6.5, and macOS Monterey 12.7.4. 

Both zero-day vulnerabilities have been exploited in the wild: an attacker who already has arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple mitigated the underlying memory corruption issue through improved validation. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

Fortinet Security Update Fixes Critical Vulnerabilities 

Fortinet has released security updates to address vulnerabilities in multiple products, including FortiClientEMS, FortiOS, FortiProxy, and FortiWLM. 

Two vulnerabilities have been classified as Critical severity, affecting the FortiOS and FortiClientEMS products. Both vulnerabilities could potentially allow the execution of unauthorized code or commands and have been assigned a CVSS score of 9.3. 

CVE-2023-48788: This vulnerability, classified as ‘SQL Injection’ (CWE-89) due to the improper neutralization of special elements in an SQL command, has been identified in FortiClientEMS. It may allow an unauthenticated attacker to execute unauthorized code or commands through specifically crafted requests. 

CVE-2023-42789 and CVE-2023-42790: These vulnerabilities in the captive portal of both FortiOS and FortiProxy consist of an out-of-bounds write (CWE-787) and a stack-based buffer overflow (CWE-121). They could allow an internal attacker with access to the captive portal to execute arbitrary code or commands via specially crafted HTTP requests. 
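The weakness class behind CVE-2023-48788, shown as a constructed Python/sqlite3 example (added here; not FortiClientEMS code and not a reproduction of the actual flaw): a lookup that splices a request value into the SQL text, beside the parameterized form that neutralizes special characters by keeping the value as data. The table, rows and request value are invented.

```python
import sqlite3

# Constructed illustration of CWE-89 and its fix. Not FortiClientEMS code; the
# table, rows and request value are invented for the demo.

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the request value becomes part of the SQL text, so quote
    characters in it are interpreted as syntax (improper neutralization)."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is bound as a parameter and can only ever be data."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def compare(name: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    return {"unsafe_rows": len(lookup_unsafe(conn, name)),
            "safe_rows": len(lookup_safe(conn, name))}

if __name__ == "__main__":
    print(compare("bob"))                 # both return 1 row
    crafted = "nobody' OR '1'='1"         # constructed value that breaks out of the quotes
    print(compare(crafted))               # unsafe: 3 rows, safe: 0 rows
```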

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

REFERENCES 

  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7
  • https://support.apple.com/en-us/HT214089
  • https://support.apple.com/en-us/HT214084
  • https://support.apple.com/en-us/HT214085
  • https://support.apple.com/en-us/HT214083
  • https://www.zerodayinitiative.com/blog/2024/3/12/the-march-2024-security-update-review
  • https://fortiguard.fortinet.com/psirt/FG-IR-23-390
  • https://fortiguard.fortinet.com/psirt/FG-IR-23-304
  • https://fortiguard.fortinet.com/psirt/FG-IR-23-424
  • https://fortiguard.fortinet.com/psirt/FG-IR-23-328
  • https://fortiguard.fortinet.com/psirt/FG-IR-24-013
  • https://fortiguard.fortinet.com/psirt/FG-IR-24-016
  • https://fortiguard.fortinet.com/psirt/FG-IR-23-103
  • https://fortiguard.fortinet.com/psirt/FG-IR-24-007
  • https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_12.html
