Top Middle East Cyber Threats – May 28, 2024
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.
Espionage Campaign Targets Government Entities in the Middle East
Palo Alto Networks’ Unit 42 researchers have identified an ongoing campaign, tracked as Operation Diplomatic Specter, which they attribute to a Chinese APT group. The campaign targets government entities in the Middle East, Africa, and Asia. For initial access the threat actors exploit the ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473) vulnerabilities against the victims’ internet-facing Exchange servers; both flaws were patched by Microsoft in 2021, so the intrusions depend on servers that were never updated. Following successful exploitation, they deploy an in-memory VBScript implant.
As part of their espionage efforts, the group employs two previously undocumented backdoors, TunnelSpecter and SweetSpecter. These backdoors can create rogue user accounts, encrypt data, and exfiltrate data over DNS tunneling, and they show code similarities to the well-known Gh0st RAT. The threat actors conduct automated mailbox harvesting and search for highly sensitive information relating to military operations, diplomatic missions, embassies, and foreign affairs ministries. For their command-and-control (C2) servers the attackers use VPS providers including Cloudie Limited and Zenlayer.
RECOMMENDATIONS
- Ensure all systems are patched and updated, in particular on-premises Exchange servers still exposed to ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473).
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Don’t allow macros in MS Office files from unknown sources.
- Enable software restriction policies and application allowlisting.
- Ensure that your email server is configured to block suspicious files.
- Enforce the Restricted PowerShell execution policy for end users (a hardening measure rather than a security boundary; an attacker with code execution can bypass it).
- Monitor your network for abnormal behaviors and IoCs, including unusually long or high-entropy DNS queries, which are the hallmark of DNS tunneling, and unexpected new user accounts.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
Google Chrome Fixes a Zero Day Vulnerability
Google has published a security update to address a high-severity zero-day vulnerability in the Chrome browser. The issue is fixed in the latest Chrome stable release (125.0.6422.112/.113 for Windows and Mac, and 125.0.6422.112 for Linux).
The zero-day vulnerability is tracked as CVE-2024-5274 and is described as a type confusion in the V8 JavaScript engine. Type confusion bugs in V8 are typically reachable from a crafted web page and can lead to arbitrary code execution in the renderer. Google is aware that an exploit for CVE-2024-5274 exists in the wild.
RECOMMENDATIONS
- Ensure all systems are patched and updated: Chrome should be at 125.0.6422.112 or later (chrome://settings/help triggers the update), and other Chromium-based browsers that share the V8 engine should be updated as soon as their vendors ship the corresponding fix.
Cisco Releases Security Update to Fix High Severity Vulnerabilities
Cisco has released security updates to address eight vulnerabilities, three rated high severity and five rated medium severity. Below are the details of the CVEs classified as high severity.
CVE-2024-20360 – A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated remote attacker to execute SQL injection attacks on the affected system.
CVE-2023-20006 – A vulnerability in the hardware-based SSL/TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series Appliances could allow an unauthenticated remote attacker to cause the affected device to reload unexpectedly, leading to a denial of service (DoS) condition.
CVE-2022-20760 – A vulnerability in the DNS inspection handler of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on the affected device.
RECOMMENDATIONS
- Ensure all systems are patched and updated, prioritizing internet-facing ASA/FTD devices, since both DoS issues are exploitable by an unauthenticated remote attacker.
- Do not expose the FMC web-based management interface to untrusted networks; CVE-2024-20360 requires valid credentials, so restrict and monitor administrative access.
VMware Addresses Important-Severity Vulnerabilities in ESXi, vCenter Server, and More
VMware has addressed three vulnerabilities affecting VMware ESXi, vCenter Server, Cloud Foundation, Workstation Pro, and Fusion.
All three vulnerabilities are rated as important in severity and are tracked as CVE-2024-22273, CVE-2024-22274, and CVE-2024-22275.
Out-of-bounds read/write vulnerability (CVE-2024-22273): A malicious actor with access to a virtual machine that has storage controllers enabled may exploit this issue to create a denial-of-service condition or, potentially in conjunction with other issues, execute code on the hypervisor from the virtual machine. This is a guest-to-host escape path, so it matters most where untrusted tenants run their own VMs.
VMware vCenter Server authenticated remote code execution vulnerability (CVE-2024-22274): A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.
VMware vCenter Server partial file read vulnerability (CVE-2024-22275): A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to partially read arbitrary files containing sensitive data.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Atlassian Releases Security Bulletin for May 2024
Atlassian has released a security bulletin covering 35 high-severity and 2 critical-severity vulnerabilities, fixed in Bamboo Data Center and Server, Bitbucket Data Center and Server, Confluence Data Center and Server, Crowd Data Center and Server, Jira Data Center and Server, and Jira Service Management Data Center and Server.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Ivanti Releases Security Advisory for May 2024
Ivanti has released security patches addressing 14 CVEs across several products, including Ivanti Avalanche, Ivanti Neurons for ITSM, Ivanti Connect Secure, Ivanti Secure Access, and Ivanti Endpoint Manager (EPM).
The highest-rated issues in this release (CVSS 9.6) affect Ivanti Endpoint Manager (EPM): SQL injection vulnerabilities that allow an unauthenticated attacker on the same network as the EPM core server to execute arbitrary code.
RECOMMENDATIONS
- Ensure all systems are patched and updated; download and upgrade to the fixed versions of the affected products listed in the Ivanti advisory.
- Restrict network access to the EPM core server to management hosts only, since the SQL injection flaws require only network reachability, not credentials.
References
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html
https://unit42.paloaltonetworks.com/operation-diplomatic-specter/
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
https://confluence.atlassian.com/security/security-bulletin-may-21-2024-1387867145.html
https://forums.ivanti.com/s/article/Security-Advisory-May-2024?language=en_US