Threat advisories

Top Middle East Cyber Threats – March 6, 2024

Mar-2024 6 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.

Lazarus Group Targets Global Defense Sector for Cyber Espionage

A recent advisory from Germany’s Federal Intelligence Agency (BfV) and South Korea’s National Intelligence Service (NIS) confirms the involvement of threat actors in cyber campaigns targeting the defense sector, specifically companies and research centers.

An actor known as the Lazarus Group has been identified in a social engineering attack, where malicious files disguised as job offers are being distributed. This campaign, dubbed “Operation Dream Job,” has been active for three years.

Another incident exposed a potential supply-chain attack strategy, where attackers infiltrated a supplier responsible for maintaining one of the research center’s webservers. This allowed them to subsequently compromise the primary target. The actor breached the web servers and downloaded multiple malicious files, including remote control malware. They performed lateral movement using stolen credentials and exploiting the website’s file-upload vulnerability, uploaded a web shell, and sent spear-phishing emails.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t allow Macros for unknown MSOffice files.
Enable software restriction policies and application whitelisting.
Ensure that your email server is configured to block any suspicious files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and IoCs.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

UNC1549 Targets Aerospace and Defense with Sophisticated Cyber Campaign

Mandiant has detected an ongoing campaign led by the threat actor UNC1549, targeting the aerospace, aviation, and defense sectors across Middle Eastern countries. The actors utilized Microsoft Azure cloud infrastructure for command-and-control (C2) activities, alongside employing social engineering tactics to distribute two distinct backdoors: MINIBIKE and MINIBUS.

The UNC1549 campaign employs two main approaches to gain initial access to its targets: spear-phishing and credential harvesting. Spear-phishing campaigns utilized counterfeit websites featuring geopolitical content or fraudulent job postings.

The MINIBUS backdoor, found on a counterfeit job platform, features a custom interface for code execution and advanced reconnaissance capabilities compared to the MINIBIKE backdoor.

Credential harvesting and fraudulent job postings targeted technology and defense-related roles, as well as companies associated with the aerospace, aviation, and thermal imaging sectors, as part of the campaign’s objectives.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t allow Macros for unknown MSOffice files.
Enable software restriction policies and application whitelisting.
Ensure that your email server is configured to block any suspicious files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and IoCs.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

APT28 Exploits Ubiquiti EdgeRouters in Global Cyber Espionage Campaign

APT28, also known as Fancy Bear and Forest Blizzard, has utilized compromised Ubiquiti EdgeRouters for credential harvesting, digest collection, network traffic proxying, and hosting spear-phishing landing pages and custom tools.

These activities have focused on a range of sectors, including Aerospace & Defense, Education, Energy & Utilities, Government, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation, targeting countries in Europe and the Middle East.

Ubiquiti EdgeRouters have been compromised by Moobot, a botnet that installs OpenSSH trojans on affected hardware. Threat actors have utilized default credentials and trojanized OpenSSH server processes to gain access to EdgeRouters. Trojanized OpenSSH server binaries, downloaded from remote URLs, replaced legitimate binaries on EdgeRouters, enabling remote attackers to bypass authentication.

APT28 also exploited CVE-2023-23397, which was a zero-day vulnerability, to gather NTLMv2 digests from targeted Outlook accounts.

RECOMMENDATIONS

Ensure all systems are patched and updated.
Avoid clicking or opening untrusted or unknown links, files or attachments.
Don’t allow Macros for unknown MSOffice files.
Enable software restriction policies and application whitelisting.
Ensure that your email server is configured to block any suspicious files.
Enforce the Restricted PowerShell script execution policy for end users.
Monitor your network for abnormal behaviors and IoCs.
Ensure frequent backups are in place.
Educate employees about detecting and reporting phishing / suspicious emails.

Google Releases Android Security Bulletin for March 2024

Google has issued a Security Bulletin for the month of March, addressing 38 vulnerabilities affecting Android devices. Among these, three have been categorized as critical, while 35 are classified as high severity.

The patches address all the CVEs covering multiple components such as the Android Framework, System, AMLogic, Arm components, MediaTek components, Qualcomm components, and Qualcomm closed-source components.

The critical vulnerabilities have been resolved, addressing Remote Code Execution (RCE) and Elevation of Privilege (EoP) issues, while other high-severity vulnerabilities have been patched to mitigate risks associated with Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure (ID), and Denial of Service (DoS) attacks.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Apple Security Update Fixes Zero Day Vulnerabilities Under Exploitation

Apple has released emergency security updates to address two iOS zero-day vulnerabilities, respectively tracked as CVE-2024-23225 and CVE-2024-23296, that were exploited in attacks against iPhone devices. Both vulnerabilities are memory corruption vulnerabilities as a result of insufficient validation from the kernel.

CVE-2024-23296 has a CVSS score of 9.8. It can be invoked from a network, has low complexity, requires no user interaction, and grants elevated privileges on the affected device. The vulnerability is fixed in iOS 17.4 and iPadOS 17.4.

CVE-2024-23225 has a CVSS score of 8.4. It can be invoked locally, has low complexity, requires no user interaction, and grants elevated privileges on the affected device. The vulnerability is fixed in iOS 16.7.6 and iPadOS 16.7.6, as well as iOS 17.4 and iPadOS 17.4.

RECOMMENDATIONS

Ensure all systems are patched and updated.

VMware Patches Address Fix Four Critical Vulnerabilities

VMware has rolled out patches to mitigate critical vulnerabilities discovered in multiple products impacted by use-after-free, out-of-bounds write, and information disclosure vulnerabilities.

Impacted Products:

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation (Cloud Foundation)

A malicious actor with local administrative privileges on a virtual machine can exploit these issues to execute code as the virtual machine’s VMX process running on the host. The actor can also trigger an out-of-bounds write leading to an escape from the sandbox or attempt to leak memory from the VMX process.

RECOMMENDATIONS