
Top Middle East Cyber Threats – May 23 2023


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.    

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:    

Microsoft Releases Update to Address Multiple Vulnerabilities 

Microsoft has fixed 38 vulnerabilities in May 2023, addressing CVEs in Microsoft Windows and Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), SharePoint Server, Visual Studio, SysInternals, and Microsoft Teams. This is in addition to 11 Edge (Chromium-based) CVEs that have already been released and are currently being documented. 

Out of the 49 patches released, 6 were rated as Critical while 32 were rated as Important. 

Two of the CVEs were actively being exploited: 

  • CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability 
  • CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability; this CVE has also been publicly disclosed. 

Another CVE has been publicly disclosed – CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

Google Chrome Releases Update to Address Multiple Vulnerabilities  

Google has published a security update to address multiple vulnerabilities in the Chrome browser that are now fixed in Chrome’s latest version (113.0.5672.126 for Mac and Linux and 113.0.5672.126/.127 for Windows). 

The update includes 12 security fixes, 6 of which were contributed by external researchers. Out of the 6 contributed fixes, one was rated critical, three high and one medium in risk level. 

The most severe vulnerability reported was CVE-2023-2721, rated Critical and described as a use-after-free in Navigation. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated.

OilAlpha Conducts Espionage Activities via Spoofed Apps and RATs 

A campaign carried out by a threat actor named OilAlpha, primarily focusing on conducting espionage activities, has targeted entities associated with the non-governmental, media, international humanitarian, and development sectors. 

OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets, Arabic-language speakers and Android device users, by distributing APK-based remote access trojans (RATs) like SpyNote and SpyMax. 

 RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files, or attachments. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure your email server is configured to block any suspicious attached files. 
  • Monitor your network for abnormal behaviours and shared IoCs. 
  • Educate employees about detecting and reporting phishing and suspicious emails. 

DUCKTAIL Exploits Social Media for Financial Gain  

DUCKTAIL is a financially motivated malware variant, specifically targeting individuals and businesses utilizing a social media business/ads platform. The malware is created by threat actors (TAs) originating from Vietnam, who have been actively developing and distributing the malware associated with the DUCKTAIL operation. 

The malware is specifically designed to extract browser cookies and take advantage of social media sessions to steal sensitive information from the victim’s Social Media account. Ultimately, the malware operation aims to gain control of social media business accounts with adequate access privileges. TAs then use their acquired access to conduct advertisements for their financial gain. 

 RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files, or attachments. 
  • Don’t allow macros in unknown MS Office files. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure your email server is configured to block any suspicious attached files. 
  • Enforce the Restricted PowerShell script execution policy for end users. 
  • Monitor your network for abnormal behaviours and shared IoCs. 
  • Ensure frequent backups are in place. 
  • Educate employees about detecting and reporting phishing and suspicious emails.

UNC3944 Group Exploits SIM Swaps and Azure Console in BYOVD Attacks 

A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools within compromised environments. Researchers have attributed the activity to a threat group under the name of UNC3944, also referred to as Roasted 0ktapus and Scattered Spider. 

The adversary is known to leverage SIM swapping attacks to breach telecommunications and business process outsourcing (BPO) companies. Subsequently, it has been observed utilizing a loader named STONESTOP to install a malicious signed driver dubbed POORTRY that’s designed to terminate processes associated with security software and delete files as part of a BYOVD attack. 

It’s currently not known how the threat actor conducts the SIM swaps, although the initial access methodology is suspected to involve the use of SMS phishing messages targeting privileged users to obtain their credentials and then staging a SIM swap to receive the two-factor authentication (2FA) token to a SIM card under their control. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files, or attachments. 
  • Don’t allow macros in unknown MS Office files. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure that your email server is configured to block any suspicious attached files.
  • Enforce the Restricted PowerShell script execution policy for end users. 
  • Monitor your network for abnormal behaviours and shared IoCs. 
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and suspicious emails.

Apple Fixes Actively Exploited Zero-Days in iPhones, Macs, and iPads 

Apple has addressed three new actively exploited zero-day vulnerabilities targeting multiple products including iPhones, Macs, and iPads. 

All security bugs were found in the multi-platform WebKit browser engine and are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. 

The first vulnerability is a sandbox escape that enables remote attackers to break out of Web Content sandboxes. 

The other two are an out-of-bounds read that can help attackers gain access to sensitive information and a use-after-free issue that allows arbitrary code execution on compromised devices, both after tricking the targets into loading maliciously crafted web pages. 

The list of impacted devices includes: 

  • iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later 
  • iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later 
  • Macs running macOS Big Sur, Monterey, and Ventura 
  • Apple Watch Series 4 and later 
  • Apple TV 4K (all models) and Apple TV HD 

Apple addressed the three zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved bounds checks, input validation, and memory management. 

  RECOMMENDATIONS 

  • Ensure all systems are patched and updated.

Google Registry Introduces TLDs, Amplifying Phishing and Malware Risks 

A recent update by Google Registry, introducing eight new top-level domains (TLDs) including .zip and .mov, brings forth potential risks in the cybersecurity landscape that demand immediate attention.  

These TLDs are primarily designed for legitimate purposes, such as facilitating file-sharing and media-hosting. However, like any internet resource, they can be exploited for malicious purposes by cybercriminals. 

Potential Threats

Phishing Attacks: Malicious actors may use .zip and .mov TLDs to create websites that look like legitimate websites to trick you into providing your personal or company credentials. 

Malware Distribution: The .zip and .mov TLDs could be used to host and distribute harmful malware, spyware, or ransomware. They can disguise these threats in what appears to be a harmless file, but once downloaded, it can compromise your system. 

Misleading Downloads: Cybercriminals could use these TLDs to trick users into downloading fake software or files, which could harm your system or steal your data. 

 RECOMMENDATIONS 

  • Be cautious about clicking on any link with a .zip or .mov TLD, especially if it comes from an unverified or unknown source. 
  • Verify the source and double-check the URL before downloading a file or providing any personal or company information. 
  • Use official websites and channels for downloading any software or file. 
  • Report suspicious activity. 
  • Make sure your antivirus software is updated regularly and set to automatically scan any downloaded files.
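The first two recommendations above amount to a check that can also be automated at a mail gateway or web proxy: decide whether the *host* of a link ends in .zip or .mov, as opposed to a file with that extension sitting in the path of an ordinary domain. The following Python is an added example written for this advisory, not code from Help AG or from any vendor; the token pattern, function names and sample message are assumptions. Bare names such as `report.zip` are flagged deliberately, because many clients turn them into clickable links, which is exactly the "harmless-looking file" confusion described under Potential Threats.

```python
"""Flag links whose host ends in a .zip or .mov TLD.

Constructed example of a check a mail or proxy filter could apply to
operationalize the advice above; this is not code from the advisory.  The
token pattern, function names and sample text are assumptions.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

RISKY_TLDS = frozenset({"zip", "mov"})

# Anything that looks like a URL or a bare hostname such as "report.zip".
# Constructed pattern: optional scheme, dotted host labels, optional port,
# optional path.  Bare names are included because many clients auto-link them.
_LINK_TOKEN_RE = re.compile(
    r"(?:https?://)?(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?::\d+)?(?:/[^\s<>\"']*)?"
)


def host_tld(token: str) -> Optional[str]:
    """Return the lower-cased TLD of the token's host, or None if the host is
    missing or is a dotted IPv4 address.  A .zip in the *path* (for example
    https://downloads.example.com/update.zip) does not count: the host decides."""
    url = token if "://" in token else "http://" + token
    host = urlparse(url).hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    if re.fullmatch(r"[0-9.]+", host):
        return None
    return host.rsplit(".", 1)[-1] if "." in host else None


def is_risky_link(token: str) -> bool:
    """True when the link's host itself ends in a risky TLD."""
    return host_tld(token) in RISKY_TLDS


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (token, reason) for every risky-looking link in free text, so a
    filter can quarantine the message or rewrite the link for review."""
    findings = []
    for match in _LINK_TOKEN_RE.finditer(text):
        token = match.group(0).rstrip(".,;:)")
        tld = host_tld(token)
        if tld in RISKY_TLDS:
            findings.append((token, f"host ends in .{tld}"))
    return findings


if __name__ == "__main__":
    # Constructed message body; the hostnames are placeholders, not real sites.
    sample = ("Quarterly numbers: https://files.example.com/q2.zip is the "
              "official copy. Do not use q2-final.zip or http://q2.mov instead.")
    for token, reason in scan_text(sample):
        print(f"flag {token!r}: {reason}")
```

Only the host part of the link is judged, so an archive served from an established domain is left alone while a link whose domain itself is `.zip` or `.mov` is surfaced for a human to verify, which is the "double-check the URL" step above made mechanical.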

Critical Flaw in Elementor Exposes WordPress Websites to Attacks  

More than one million WordPress websites were vulnerable due to a flaw in the Elementor plugin “Essential Addons for Elementor,” which was found to be vulnerable to an unauthenticated privilege escalation that could allow remote attackers to gain administrator rights on the site. 

The flaw was tracked as CVE-2023-32243 and is an unauthenticated privilege escalation vulnerability on the plugin’s password reset functionality, impacting versions 5.4.0 to 5.7.1. 

By exploiting the flaw, it is possible to reset the password of any user as long as the username is known. The root cause is that the password reset function changes the password of the given user without validating the password reset key. 

The fix was released for the plugin in version 5.7.2 and all plugin users should upgrade to the latest version as soon as possible. 
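The bug class described here, a reset routine that trusts the username alone, is easiest to see next to its corrected form. The Python below is an added example written for this advisory; it is not the plugin's code and does not reproduce it, and the in-memory store, method names, key format and validity window are assumptions. The unsafe method shows why the mere presence of a `reset_key` parameter means nothing if it is never compared; the safe method binds a random single-use key to the account, stores only its digest with an expiry, and compares in constant time before touching the password.

```python
"""Password reset without and with reset-key validation.

Constructed Python example of the bug class the advisory describes for
CVE-2023-32243 (a reset routine that changes the password of the named user
without checking the reset key).  This is not the plugin's code; the store,
method names and token format are assumptions made for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RESET_KEY_TTL_SECONDS = 15 * 60   # assumed validity window for a reset key


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    # Pending reset: (sha256 digest of the issued key, expiry in epoch seconds).
    pending_reset: Optional[Tuple[bytes, float]] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """In-memory account store standing in for the application's user table."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user.password_hash,
                                   _hash_password(password, user.salt))

    # --- Vulnerable pattern -------------------------------------------------
    def reset_password_unsafe(self, username: str, new_password: str,
                              reset_key: str = "") -> bool:
        """Accepts a reset key but never checks it: knowing a valid username
        is enough to change that account's password."""
        user = self.users.get(username)
        if user is None:
            return False
        user.salt = os.urandom(16)
        user.password_hash = _hash_password(new_password, user.salt)
        return True

    # --- Hardened pattern ---------------------------------------------------
    def issue_reset_key(self, username: str,
                        now: Optional[float] = None) -> Optional[str]:
        """Create a random single-use key bound to the user, store only its
        digest with an expiry, and return the key for out-of-band delivery."""
        user = self.users.get(username)
        if user is None:
            return None          # caller must respond identically either way
        key = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        user.pending_reset = (hashlib.sha256(key.encode()).digest(),
                              now + RESET_KEY_TTL_SECONDS)
        return key

    def reset_password_safe(self, username: str, reset_key: str,
                            new_password: str,
                            now: Optional[float] = None) -> bool:
        """Change the password only if a matching, unexpired key is presented;
        a key that is used successfully is consumed."""
        user = self.users.get(username)
        if user is None or user.pending_reset is None:
            return False
        stored_digest, expiry = user.pending_reset
        now = time.time() if now is None else now
        if now > expiry:
            user.pending_reset = None     # expired keys are discarded
            return False
        supplied_digest = hashlib.sha256(reset_key.encode()).digest()
        if not hmac.compare_digest(stored_digest, supplied_digest):
            return False
        user.pending_reset = None         # single use
        user.salt = os.urandom(16)
        user.password_hash = _hash_password(new_password, user.salt)
        return True
```

Reviewing a reset handler against this shape is a quick check: the key must be generated from a CSPRNG, stored as a digest rather than in clear, tied to one account, expire, be consumed on use, and be compared before any write to the password field.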

 RECOMMENDATIONS 

  •  Ensure all systems are patched and updated.

Anonymous Sudan and Affiliates Expand Cyberattacks Across Multiple UAE Sectors 

Help AG’s Cyber Threat Intelligence Team continues its vigilance as Anonymous Sudan and its affiliated groups, including the newly identified adversaries TEAM HEROX and Mysterious Team Bangladesh, persist in their activity in the UAE region. 

Their continued cyber-attacks have progressively targeted diverse sectors including financial, education, energy and utilities, and the newly included health sector. Anonymous Sudan has also widened its scope to encompass Government domains and a new sector – transportation. 

In addition, other groups have been observed contributing to the ongoing DDoS attacks; these include Saudi dissidents and Vietnamese adversaries, with a new hashtag #TangoDown coming into play. Four new UAE organizations in the government sector have been identified as targets. 

It is recommended to remain vigilant for any anomalies in network traffic spikes, exploit attempts on public-facing assets, or unauthorized logins as these could potentially signal a cyber-attack. It is crucial to keep initially shared Indicators of Compromise (IOCs) updated on controls to handle such incidents effectively.  

RECOMMENDATIONS 

  • Ensure sufficient bandwidth in your organization and ensure redundancy by spreading traffic using load balancers. 
  • Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols. 
  • Deploy a DDoS protection solution to protect your servers from both network- and application-layer DDoS attacks. 
  • Have a response plan: Having a plan in place for responding to DDoS attacks can help you quickly and effectively respond to the attack and minimize its impact. 
  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files, or attachments. 
  • Enable software restriction policies and application whitelisting. 
  • Enforce the Restricted PowerShell script execution policy. 
  • Monitor your network for abnormal behaviour and shared IoCs. 
  • Ensure frequent backups are in place. 
