Threat advisories

Top Middle East Cyber Threats – May 9 2023


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.   

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:    


SLP Vulnerability Unleashes Massive Amplification Attacks on Global Scale 

Details have emerged regarding a high-severity security vulnerability in the Service Location Protocol (SLP) that can be weaponized to launch volumetric denial-of-service attacks against arbitrary targets. SLP is a service discovery protocol that lets computers and other devices locate services within a local area network, such as printers, file servers and other network resources; it was never designed to be reachable from the internet.

According to researchers, attackers exploiting this vulnerability could harness vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported. 

The vulnerability, assigned the identifier CVE-2023-29552 (CVSS score: 8.6), is reported to affect over 2,000 organizations worldwide and more than 54,000 SLP instances reachable from the internet. Affected products include the VMware ESXi hypervisor, Konica Minolta printers, Planex routers, the IBM Integrated Management Module (IMM), SMC IPMI and 665 other product types.

Successful exploitation of CVE-2023-29552 turns exposed SLP instances into reflectors. The attacker first locates an SLP server listening on UDP port 427 and registers bogus services until the server refuses further entries, so that each reply is as large as the server will produce. The attacker then repeatedly sends small service requests to that server with the victim's IP address spoofed as the source, and the server delivers its oversized replies to the victim. Service registration in SLP is unauthenticated in practice and the protocol runs over UDP, so nothing stops the spoofing; the reflecting server behaves normally and its traffic is indistinguishable from legitimate SLP replies.

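The reflection mechanism described above, as an added example (not code from the page's sources): a minimal SLPv2 message builder and parser following RFC 2608, with a function that reports the amplification factor of a reply relative to the request that triggered it. The service reply built in the example is constructed to stand in for a real device and the registered URLs are made up; `probe()` performs real UDP I/O and should only be pointed at a host you own.

```python
"""SLPv2 (RFC 2608) builder/parser to measure how much a UDP/427 listener
amplifies a spoofed request.  Added example; the reply used below is
constructed, not captured from a real device."""
import socket
import struct

SLP_PORT = 427
SRVRQST, SRVRPLY, SRVREG = 1, 2, 3          # Function-IDs from RFC 2608


def _slp_string(s: str) -> bytes:
    """SLP string field: 2-byte big-endian length, then the UTF-8 bytes."""
    raw = s.encode()
    return struct.pack("!H", len(raw)) + raw


def _message(function_id: int, body: bytes, xid: int) -> bytes:
    """Prepend the SLPv2 header (language tag "en", no flags) to a body."""
    lang = _slp_string("en")
    length = 12 + len(lang) + len(body)     # version..XID are 12 fixed bytes
    return (struct.pack("!BB", 2, function_id)
            + length.to_bytes(3, "big")
            + struct.pack("!H", 0)            # flags: no overflow/fresh/mcast
            + (0).to_bytes(3, "big")          # next extension offset
            + struct.pack("!H", xid)
            + lang + body)


def build_srvrqst(service_type: str = "service:service-agent",
                  scope: str = "DEFAULT", xid: int = 1) -> bytes:
    """Service Request: the small packet an attacker would spoof."""
    body = (_slp_string("")                 # previous responder list
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string("")               # predicate
            + _slp_string(""))              # SLP SPI (no authentication)
    return _message(SRVRQST, body, xid)


def build_srvreg(url: str, service_type: str, scope: str = "DEFAULT",
                 lifetime: int = 0xFFFF, xid: int = 1) -> bytes:
    """Service Registration: how an attacker bloats the server's replies."""
    url_entry = (b"\x00" + struct.pack("!H", lifetime)
                 + _slp_string(url) + b"\x00")       # no auth blocks
    body = (url_entry + _slp_string(service_type) + _slp_string(scope)
            + _slp_string("") + b"\x00")              # empty attrs, 0 auths
    return _message(SRVREG, body, xid)


def build_srvrply(urls, xid: int = 1) -> bytes:
    """Constructed Service Reply standing in for a real server's answer."""
    entries = b"".join(b"\x00" + struct.pack("!H", 0xFFFF) + _slp_string(u) + b"\x00"
                       for u in urls)
    body = struct.pack("!HH", 0, len(urls)) + entries   # error code 0
    return _message(SRVRPLY, body, xid)


def parse_header(data: bytes) -> dict:
    """Decode the SLPv2 header; returns its fields plus the remaining body."""
    if len(data) < 14 or data[0] != 2:
        raise ValueError("not an SLPv2 message")
    lang_len = struct.unpack("!H", data[12:14])[0]
    return {
        "function_id": data[1],
        "length": int.from_bytes(data[2:5], "big"),
        "overflow": bool(struct.unpack("!H", data[5:7])[0] & 0x8000),
        "xid": struct.unpack("!H", data[10:12])[0],
        "body": data[14 + lang_len:],
    }


def parse_srvrply(body: bytes):
    """Return (error_code, [urls]) from a Service Reply body."""
    error, count = struct.unpack("!HH", body[:4])
    urls, off = [], 4
    for _ in range(count):
        url_len = struct.unpack("!H", body[off + 3:off + 5])[0]
        urls.append(body[off + 5:off + 5 + url_len].decode())
        off += 5 + url_len
        n_auth, off = body[off], off + 1
        for _ in range(n_auth):                       # skip auth blocks
            off += struct.unpack("!H", body[off + 2:off + 4])[0]
    return error, urls


def amplification_factor(request: bytes, reply: bytes) -> float:
    """Bytes delivered to the victim per byte the attacker has to spoof."""
    return len(reply) / len(request)


def probe(host: str, timeout: float = 2.0) -> float:
    """Send one SrvRqst to a host you own; returns its amplification factor
    (0.0 if it does not answer).  Real network I/O, not used by the test."""
    req = build_srvrqst()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            return 0.0
    if parse_header(reply)["function_id"] != SRVRPLY:
        return 0.0
    return amplification_factor(req, reply)


if __name__ == "__main__":
    req = build_srvrqst()
    # Constructed reply: a server whose table an attacker has filled with junk.
    junk = [f"service:x.attacker://10.0.0.{i}/{'A' * 200}" for i in range(1, 51)]
    reply = build_srvrply(junk)
    print(f"request {len(req)} B, reply {len(reply)} B, "
          f"factor {amplification_factor(req, reply):.0f}x")
```

The 54-byte request is what makes the attack cheap: the attacker never has to receive anything, only spoof the source. Pointing `probe()` at your own ESXi host or printer from outside the perimeter tells you whether UDP/427 is reachable at all, which is the condition the recommendation to block port 427 addresses. The SrvReg builder shows why the reply can be bloated: authentication blocks are optional in SLPv2 and typically unused, so any sender can add entries to a server's table.
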
RECOMMENDATIONS

  • Use a DDoS protection service to filter out malicious traffic and prevent DDoS attacks from affecting your website or network. 
  • Ensure all systems are patched and updated. 
  • Make sure that the SLP protocol is not directly exposed to the public internet and consider blocking UDP port 427.
  • Monitor your network for unusual or excessive traffic, to help you identify a DDoS attack early and take action to mitigate its effects. 
  • Have a response plan in place: Having a plan in place for responding to DDoS attacks can help you quickly and effectively respond to the attack and minimize its impact. 


Charming Kitten Strikes with BellaCiao Malware 

The prolific Iranian nation-state group Charming Kitten (also tracked as APT35/APT42, Mint Sandstorm/PHOSPHORUS, ITG18, UNC788, Yellow Garuda and TA453) has targeted multiple victims across the U.S., Europe, the Middle East and India with a novel malware dubbed BellaCiao, adding to its ever-expanding list of custom tools.

BellaCiao is a new dropper used by the threat actor, capable of delivering additional malware payloads onto a victim’s machine based on commands received from an actor-controlled server. 

The exact initial infection vector is not yet known. Researchers suspect exploitation of known vulnerabilities in internet-facing software, such as the Microsoft Exchange exploit chains (ProxyShell/ProxyNotShell/OWASSRF), Apache Log4j (CVE-2021-44228), the VMware ESXi OpenSLP heap overflow (CVE-2021-21974) and the recent unauthenticated RCE vulnerability in the Windows MSMQ service (CVE-2023-21554).


RECOMMENDATIONS

  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files, or attachments. 
  • Don’t allow Macros for unknown MSOffice files. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure that your email server is configured to block any suspicious attached files. 
  • Enforce the Restricted PowerShell script execution policy for end users. 
  • Monitor your network for abnormal behaviours and shared IoCs. 
  • Ensure frequent backups are in place. 
  • Educate employees about detecting and reporting phishing and suspicious emails. 


Google Chrome Releases Update to Address Multiple Vulnerabilities 

Google has published a security update to address multiple vulnerabilities in Chrome browser that are fixed in Chrome’s latest version 113.0.5672.63/.64 (Windows), 113.0.5672.63 (Linux and Mac). 

The update includes 15 security fixes, 10 of which were reported by external researchers. Of these ten, seven are rated Medium and three Low in severity.


RECOMMENDATIONS

  • Ensure that all systems are patched and updated. 


APT41 Subgroup Earth Longzhi Unleashes Novel Security Product Disabling Method 

Earth Longzhi, a subgroup of APT41, has been observed using a new technique to disable security products, seen for the first time in the wild. The attackers abused a Windows Defender binary for DLL sideloading, brought a vulnerable driver in a bring-your-own-vulnerable-driver (BYOVD) attack, and introduced a new denial-of-service technique, dubbed "stack rumbling", that crashes security products by forcing a stack overflow.

The initial vector involved exploiting public-facing applications and planting the well-known Behinder web shell, which supports backdoor functions such as file operations, remote command execution, an interactive shell and a SOCKS5 proxy.

Windows Defender was leveraged to load the Croxloader and SPHijacker malware. SPHijacker, a new tool designed to disable security products, combines the vulnerable driver zamguard.sys with modification of Image File Execution Options (IFEO) registry keys for antivirus processes. Because IFEO settings are applied by Windows at process creation, the modified values make those processes crash with a stack overflow as soon as they start, so the security product never comes up.

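A detection check for the IFEO tampering described above, as an added example that is not from the Trend Micro report or from this page: it parses the output of `reg export` for the Image File Execution Options key and flags two things, a `Debugger` value (the classic IFEO hijack) and an oversized `MinimumStackCommitInBytes` value, which is the value the Trend Micro write-up referenced below associates with stack rumbling. The registry dump, the list of security-product image names and the 1 MiB threshold are all constructed or assumed.

```python
"""Detect IFEO-based 'stack rumbling' and debugger hijacks in a .reg dump.
Added example, not code from the Trend Micro report; the dump below is
constructed and the image list and threshold are assumptions."""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options")
# Threshold is a heuristic (assumption): a commit larger than the default
# 1 MiB stack reserve cannot be honoured, so the process dies at start-up.
STACK_COMMIT_LIMIT = 0x100000
# Constructed list of security-product image names; extend for your estate.
SECURITY_IMAGES = {"msmpeng.exe", "mssense.exe", "nissrv.exe", "msseces.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text):
    """Yield (key_path, value_name, value) from 'reg export' output.
    Only REG_DWORD and REG_SZ values are decoded; other types are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, dword, string = m.groups()
            # .reg files double backslashes inside REG_SZ values
            value = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
            yield key, name, value


def find_ifeo_tampering(text):
    """Return one finding per IFEO value that would crash or hijack an image."""
    findings = []
    for key, name, value in parse_reg_export(text):
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        # First path component under IFEO is the image name (case-insensitive).
        image = key[len(IFEO_PREFIX):].strip("\\").split("\\")[0].lower()
        if name == "MinimumStackCommitInBytes" and isinstance(value, int) \
                and value > STACK_COMMIT_LIMIT:
            reason = "stack rumbling: MinimumStackCommitInBytes=0x%08x" % value
        elif name == "Debugger":
            reason = "IFEO debugger hijack: %s" % value
        else:
            continue
        findings.append({"image": image, "reason": reason,
                         "security_product": image in SECURITY_IMAGES})
    return findings


# Constructed dump: one stack-rumbling entry against Defender's engine, one
# debugger hijack on notepad.exe, and one benign 64 KiB commit on chrome.exe.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"MinimumStackCommitInBytes"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"MinimumStackCommitInBytes"=dword:00010000
"""

if __name__ == "__main__":
    for hit in find_ifeo_tampering(SAMPLE_REG):
        tag = "SECURITY PRODUCT" if hit["security_product"] else "review"
        print(f"[{tag}] {hit['image']}: {hit['reason']}")
```

On a live host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; the file is written as UTF-16, so open it with `encoding="utf-16"` before passing its contents to `find_ifeo_tampering`. A `Debugger` value is not always malicious (Process Explorer's "replace Task Manager" option registers one for taskmgr.exe), so treat hits on non-security images as review items and hits on your AV or EDR binaries as incidents.
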

RECOMMENDATIONS

  • Ensure all systems are patched and updated. 
  • Avoid clicking or opening untrusted or unknown links, files, or attachments. 
  • Don’t allow Macros for unknown MSOffice files. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure that your email server is configured to block any suspicious attached files. 
  • Enforce the Restricted PowerShell script execution policy for end users. 
  • Monitor your network for abnormal behaviors and shared IoCs. 
  • Ensure frequent backups are in place. 
  • Educate employees about detecting and reporting phishing / suspicious emails. 


Anonymous Sudan Launches Devastating DDoS Attacks Against Vital Sectors  

Help AG's Cyber Threat Intelligence team is aware of a large-scale DDoS campaign targeting multiple countries, including the UAE, carried out by the Anonymous Sudan group. The group has already managed to take several websites offline.

Identifying themselves as “hacktivists”, these politically motivated hackers originate from Sudan and have launched attacks against a wide range of sectors, including government, education, banks, airports, healthcare, media, telecommunications, etc. 

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the regular flow of traffic to a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks achieve effectiveness by harnessing multiple compromised computer systems to generate attack traffic. Exploited machines can include computers as well as other networked resources, such as IoT devices. 


RECOMMENDATIONS

  • Ensure that your organization has sufficient capacity and maintains redundancy by distributing traffic across load balancers.
  • Defend against DDoS attacks by configuring your network hardware to filter unnecessary ports and protocols. Deploy DDoS protection solutions that cover both network-layer and application-layer DDoS attacks.


References:  

https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html 

https://blog.cloudflare.com/slp-new-ddos-amplification-vector/ 

https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp 

https://www.vmware.com/security/advisories/VMSA-2021-0002.html 

https://kb.vmware.com/s/article/76372 

https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware 

https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop.html 

https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html 

https://threatmon.io/anonymous-sudan-in-depth-analysis-beyond-hacktivist-attacks/ 
