Top Middle East Cyber Threats – May 14, 2024
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.
Ransomware Threat Actors Target Internet-Exposed Microsoft SQL Servers
Researchers have uncovered a series of sophisticated cyberattacks targeting poorly managed Microsoft SQL (MS-SQL) servers. Deployed ransomware variants include Mallox and BlueSky.
For initial access, attackers attempt to brute force the SA account. Once successful, they deploy the Remcos Remote Access Tool (RAT), Remote Screen Control Malware, or AnyDesk to take control of the infected system. The ransomware is then deployed.
Targeting MS SQL servers exposed to the internet has been on the rise for the past two years.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Limit access to MS SQL servers to the IP addresses that need it; do not expose them to the internet.
- Use complex, unique passwords.
- Implement Multi-Factor Authentication (MFA).
- Limit access to SA accounts.
- Disable xp_cmdshell stored procedure on MS SQL servers.
- Monitor your network for abnormal behaviours and IoCs.
- Ensure frequent backups are in place.
- Use application control on servers in allow-list mode so that only approved software can run.
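The brute-force pattern described above is visible in the SQL Server ERRORLOG, where each rejected login is written as a "Login failed for user" line (message 18456) that names the login and the client address. The following detector is an added example for this digest, not Help AG or researcher code; it runs a sliding-window count of failures per (client, login) over constructed sample lines that mimic that format, and the threshold and window values are illustrative assumptions to be tuned to your environment.

```python
"""Flag brute-force attempts against SQL Server logins (e.g. 'sa') in
SQL Server ERRORLOG-style 'Login failed' lines.

Added example; the sample log below is constructed to resemble the
ERRORLOG format and is not taken from a real incident.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ERRORLOG line shape: "<timestamp> Logon  Login failed for user '<name>'. ... [CLIENT: <ip>]"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample: one client fails six times against 'sa' within seconds,
# another client fails twice against 'reporting' five minutes apart.
SAMPLE_LOG = """\
2024-05-10 09:00:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-10 09:00:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-10 09:00:03.77 Logon       Login failed for user 'SA'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-10 09:00:04.01 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2024-05-10 09:00:05.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-10 09:00:06.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-10 09:00:07.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-10 09:05:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2024-05-10 09:05:01.00 spid52      Starting up database 'tempdb'.
"""


def parse_failed_login(line):
    """Return (timestamp, login, client) for a failed-login line, else None."""
    m = LOGIN_FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    # SQL logins are case-insensitive, so 'SA' and 'sa' are the same target.
    return ts, m["user"].lower(), m["client"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per (client, login) the first time that client
    accumulates `threshold` failures for that login within `window`.
    threshold/window are illustrative assumptions, not vendor guidance."""
    recent = defaultdict(deque)   # (client, login) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_failed_login(line)
        if ev is None:
            continue
        ts, user, client = ev
        key = (client, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"client": client, "user": user, "count": len(q),
                           "first": q[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['client']} -> '{a['user']}': {a['count']} failures "
              f"between {a['first']} and {a['last']}")
```

Alerting on the first crossing per (client, login) keeps a sustained attack from flooding the queue with duplicate alerts; the same logic applies unchanged to Windows Security event 18456 entries once they are parsed into the same (timestamp, login, client) tuple.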
Apple Security Update Fixes Multiple Vulnerabilities
Apple has issued a security update to address various vulnerabilities across multiple Apple products. Updates have been made available for the following operating systems: iOS 17.5, iPadOS 17.5, iOS 16.7.8, iPadOS 16.7.8, macOS Sonoma 14.5, macOS Ventura 13.6.7, and macOS Monterey 12.7.5.
The vulnerabilities addressed in this update include, but are not limited to, arbitrary code execution, kernel memory disclosure, leakage of sensitive information, unauthorized access to protected data, and bypassing of security features.
The most severe vulnerability is a zero-day in macOS Ventura. The security issue is tracked as CVE-2024-23296, and it allows an attacker with arbitrary kernel read and write capabilities to bypass kernel memory protections. Apple is aware of a report indicating that this issue may have been exploited.
To mitigate these vulnerabilities, Apple has implemented enhanced input validation, improved checks, and memory state validation on affected devices.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Install updates immediately to ensure systems remain secure.
Google Chrome Fixes a Zero-Day Vulnerability
Google has released a security update to address a zero-day vulnerability in the Chrome browser. The latest version (124.0.6367.201/.202 for Mac and Windows, and 124.0.6367.201 for Linux) now resolves this issue.
The update includes a security fix for a high-severity zero-day, tracked under CVE-2024-4671, described as a ‘Use after free’ in visuals.
Google acknowledges the existence of an exploit for CVE-2024-4671 in the wild.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
F5 Addresses Critical Vulnerabilities in BIG-IP Systems
Multiple vulnerabilities have been identified in F5 products (BIG-IP and BIG-IP Next Central Manager). A remote attacker could exploit some of these vulnerabilities to trigger denial-of-service conditions, achieve remote code execution, and bypass security restrictions on the targeted system. Of the four CVEs reported, three were classified as high severity and one as medium.
CVE-2024-32049: This vulnerability may allow an unauthenticated attacker in a man-in-the-middle (MITM) position between a BIG-IP Next LTM/WAF instance and BIG-IP Next Central Manager to decrypt and modify SSL communication between BIG-IP Next Central Manager and the BIG-IP Next LTM/WAF instance.
CVE-2024-21793: An unauthenticated attacker can exploit this vulnerability to execute malicious SQL statements through the BIG-IP Next Central Manager API (URI).
CVE-2024-26026: An unauthenticated attacker can exploit this vulnerability to execute malicious SQL statements through the BIG-IP Next Central Manager API (URI).
CVE-2024-27983: An attacker can render the Node.js HTTP/2 server completely unavailable by sending a small number of packets containing a few HTTP/2 frames. The flaw can leave some data in nghttp2 memory after a reset when headers with HTTP/2 CONTINUATION frames are sent to the server; if the client then abruptly closes the TCP connection, the Http2Session destructor runs while header frames are still being processed and stored in memory, resulting in a race condition. As of now, no patch is available for CVE-2024-27983 for the affected products.
RECOMMENDATIONS
- Ensure all systems are patched and updated and apply mitigation steps for CVE-2024-27983.
Citrix Hypervisor Releases Security Update for CVE-2024-31497
CVE-2024-31497 has been identified in versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which included a third-party component, PuTTY. PuTTY is used to enable SSH connections from XenCenter to guest VMs when the ‘Open SSH Console’ button is selected. The inclusion of PuTTY with XenCenter for Citrix Hypervisor 8.2 CU1 LTSR was deprecated with version 8.2.6 of XenCenter, and any versions after 8.2.7 will not include PuTTY.
An issue has been reported in versions of PuTTY prior to version 0.81. When used with XenCenter, this issue may in some scenarios allow an attacker who controls a guest VM to determine the SSH private key of a XenCenter administrator who uses that key to authenticate to the guest VM over SSH.
Citrix advises customers who do not wish to use the “Open SSH Console” functionality to remove the PuTTY component completely. For those who wish to continue using PuTTY, it’s recommended to replace the installed version on their XenCenter system with an updated one, preferably version 0.81 or newer.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Vulnerability in NetScaler ADC and Gateway Leads to Out-of-Bounds Memory Read
A recently discovered vulnerability in Citrix NetScaler ADC and Gateway appliances allows remote, unauthenticated attackers to potentially access sensitive information from the memory of affected systems. Identified by security researchers at Bishop Fox, the vulnerability shares notable similarities with the previously disclosed CitrixBleed (CVE-2023-4966) but is considered less severe.
The vulnerability specifically affects NetScaler appliances configured as Gateway or AAA virtual servers. Attackers could exploit this flaw via a commonly used web interface to perform an out-of-bounds memory read. While most attempts do not yield valuable data, there have been instances where HTTP POST request bodies containing potentially sensitive information, such as credentials or cookies, were leaked.
This vulnerability exposes the potential for attackers to occasionally capture sensitive data from the process memory of affected appliances. While the likelihood of retrieving high-value information is lower, the possibility of accessing sensitive data remains. Citrix has already addressed the issue in a subsequent software update (NetScaler version 13.1-51.15) prior to its disclosure by Bishop Fox.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Monitor network activity for unusual access patterns on /nf/auth/startwebview.do.
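One concrete way to act on that last recommendation is to count hits to /nf/auth/startwebview.do per source in fixed time buckets and escalate any source whose rate is far above your baseline. The script below is an added example for this digest, not Citrix or Bishop Fox code; it assumes the appliance (or a proxy in front of it) writes Apache combined-format access lines, which is a constructed assumption, so a real NetScaler web log will need its own parser, and the bucket size and threshold are illustrative values to tune.

```python
"""Flag unusual request volume to /nf/auth/startwebview.do on a NetScaler
Gateway / AAA virtual server, using access-log lines.

Added example. Log format (Apache combined) and thresholds are assumptions;
the sample lines are constructed, not captured traffic.
"""
import re
from collections import Counter
from datetime import datetime

MONITORED_PATH = "/nf/auth/startwebview.do"

# Apache combined format: src ident user [ts] "METHOD path proto" status size "ref" "ua"
COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_access_line(line):
    """Return a dict with src, ts, method, path (query string stripped), status; None if unparsable."""
    m = COMBINED.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]
    return {"src": m["src"], "ts": ts, "method": m["method"], "path": path,
            "status": int(m["status"])}


def startwebview_activity(lines, bucket_seconds=60, per_bucket_threshold=10):
    """Count requests to MONITORED_PATH per (source, time bucket).

    Returns {"flagged": {src: peak_hits_in_one_bucket}, "totals": {src: hits}}.
    A single source repeatedly hammering this endpoint well above the
    normal per-session rate is the pattern worth escalating."""
    per_bucket = Counter()
    totals = Counter()
    for line in lines:
        ev = parse_access_line(line)
        if ev is None or ev["path"] != MONITORED_PATH:
            continue
        bucket = int(ev["ts"].timestamp()) // bucket_seconds
        per_bucket[(ev["src"], bucket)] += 1
        totals[ev["src"]] += 1
    flagged = {}
    for (src, _bucket), n in per_bucket.items():
        if n >= per_bucket_threshold:
            flagged[src] = max(flagged.get(src, 0), n)
    return {"flagged": flagged, "totals": dict(totals)}


def build_sample_log():
    """Constructed sample: one source hits the endpoint 12 times inside one
    minute, an ordinary client hits it twice half an hour apart, plus an
    unrelated request."""
    fmt = ('{src} - - [10/May/2024:08:{mm}:{ss} +0400] "GET {path} HTTP/1.1" '
           '200 512 "-" "Mozilla/5.0"')
    lines = [fmt.format(src="198.51.100.9", mm="15", ss=f"{s:02d}", path=MONITORED_PATH)
             for s in range(0, 60, 5)]                       # 12 hits in minute 08:15
    lines += [
        fmt.format(src="10.20.30.40", mm="16", ss="03", path=MONITORED_PATH),
        fmt.format(src="10.20.30.40", mm="16", ss="42", path="/vpn/index.html"),
        fmt.format(src="10.20.30.40", mm="31", ss="10", path=MONITORED_PATH + "?x=1"),
    ]
    return lines


if __name__ == "__main__":
    result = startwebview_activity(build_sample_log())
    for src, peak in result["flagged"].items():
        print(f"FLAG {src}: {peak} hits to {MONITORED_PATH} in one minute "
              f"(total {result['totals'][src]})")
```

Because the fix shipped in NetScaler 13.1-51.15, this check is most useful as a compensating control on appliances that have not yet been upgraded, and as a retrospective query over historical logs to establish whether the endpoint was probed before patching.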
REFERENCES
https://support.apple.com/en-gb/HT214101
https://support.apple.com/en-gb/HT214100
https://support.apple.com/en-gb/HT214106
https://support.apple.com/en-gb/HT214107
https://support.apple.com/en-gb/HT214105
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html
https://my.f5.com/manage/s/article/K000138634
https://my.f5.com/manage/s/article/K000138732
https://my.f5.com/manage/s/article/K000138733
https://my.f5.com/manage/s/article/K000139532
https://support.citrix.com/article/CTX633416/citrix-hypervisor-security-update-for-cve202431497
https://bishopfox.com/blog/netscaler-adc-and-gateway-advisory
https://gbhackers.com/ms-sql-deploy-ransomware/