
Top Middle East Cyber Threats – November 01, 2023


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

APT34 Campaign Targets Government in the Middle East

An APT group known as OilRig (also tracked as MuddyWater and APT34) carried out an eight-month-long intrusion against a government in the Middle East between February and September 2023.

PowerShell-based malware, the PowerExchange backdoor, was deployed on a compromised Exchange Server. It logged in with hardcoded credentials and monitored the mailbox for emails sent by the attackers: any email containing “@@” in the subject line was read by PowerExchange, and the arbitrary PowerShell commands it carried were executed, effectively turning Exchange into the C2 server.

Alongside the PowerExchange backdoor, three previously undiscovered pieces of malware were deployed during the attack, together with Mimikatz and the Plink tunnelling tool.
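A hunt for the mailbox-based C2 described above, as an added example that is not part of the original advisory or Symantec's research: it walks message-tracking records for the “@@” subject marker and groups hits by sender and recipient, so one external address repeatedly mailing a single internal mailbox stands out. The log lines are constructed; the column names mirror properties of Exchange's Get-MessageTrackingLog output.

```python
import csv
import io
from collections import Counter

# Constructed message-tracking-style records (not real telemetry). The column
# names mirror properties returned by Exchange's Get-MessageTrackingLog cmdlet.
SAMPLE_LOG = """Timestamp,EventId,Sender,Recipients,MessageSubject
2023-09-01T08:00:01,RECEIVE,alice@example.com,bob@example.com,Weekly report
2023-09-01T08:05:14,RECEIVE,ops@relay.example,svc-exchange@example.com,@@ status
2023-09-01T08:05:20,DELIVER,ops@relay.example,svc-exchange@example.com,@@ status
2023-09-01T09:11:02,RECEIVE,ops@relay.example,svc-exchange@example.com,update @@ list
2023-09-01T10:00:00,RECEIVE,carol@example.com,bob@example.com,Re: lunch
"""

COMMAND_MARKER = "@@"   # subject marker the advisory attributes to PowerExchange


def suspicious_messages(log_text, marker=COMMAND_MARKER):
    """Return RECEIVE events whose subject contains the command marker.

    Only RECEIVE is counted so that a message that also produces DELIVER
    (or other) events is reported once.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EventId"] != "RECEIVE":
            continue
        if marker in row["MessageSubject"]:
            hits.append(row)
    return hits


def polled_mailboxes(hits):
    """Count hits per (sender, recipient) pair: a single external sender
    repeatedly mailing one internal mailbox is the pattern to triage."""
    return Counter((h["Sender"], h["Recipients"]) for h in hits)


if __name__ == "__main__":
    hits = suspicious_messages(SAMPLE_LOG)
    for pair, n in polled_mailboxes(hits).most_common():
        print(f"{n} marker message(s) from {pair[0]} to {pair[1]}")
```

A real export will contain legitimate subjects with “@@”, so treat a hit as a triage lead and confirm it against mailbox sign-ins from the server itself.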

Recommendations

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow macros in unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

SolarWinds Fixes Critical Flaws in SolarWinds Access Rights Manager

Researchers at Trend Micro’s Zero Day Initiative (ZDI) reported eight vulnerabilities affecting SolarWinds ARM products. SolarWinds released fixes in ARM 2023.2.1 (see the “ARM 2023.2.1 Release Notes”).

The following vulnerabilities are classified as Critical by the researchers, as they allow remote unauthenticated attackers to execute arbitrary code on affected installations of SolarWinds Access Rights Manager (ARM).

CVE-2023-35182 – exists within the createGlobalServerChannelInternal method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

CVE-2023-35185 – exists within the OpenFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

CVE-2023-35187 – exists within the OpenClientUpdateFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

Recommendations

  • Ensure all systems are patched and updated.

Threat Actor Yellow Liderc Delivers IMAPLoader Malware

Yellow Liderc (a.k.a. Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm) carried out strategic web compromises by embedding malicious JavaScript that fingerprints website visitors and captures the victim’s location, device information and time of visit. The campaign primarily targeted the maritime, shipping and logistics sectors, and some victims were infected with a follow-on malware named IMAPLoader.

The IMAPLoader served from compromised websites is a DLL written in .NET that acts as a downloader, using email (IMAP) for command and control (C2). It replaces a Python-based IMAP implant the actor used in late 2021 and early 2022.

The actors used an injection technique known as ‘AppDomain Manager Injection’, which forces a Microsoft .NET application to load a specially crafted .NET assembly; this technique had not previously been used by this group.
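A check for the AppDomain Manager Injection technique just described, as an added example that is not part of the original advisory or the PwC report: it inspects a .NET application configuration file and the process environment for the documented appDomainManagerAssembly / appDomainManagerType overrides, which are the settings that make the CLR load a custom AppDomainManager from an arbitrary assembly. The configuration content is constructed; the assembly and type names in it are placeholders, and legitimate software can set these values, so a hit needs review rather than an automatic verdict.

```python
import xml.etree.ElementTree as ET

# Constructed .NET application configuration (not from the PwC report).
# The two <runtime> entries are the documented settings that make the CLR
# load a custom AppDomainManager from the named assembly at start-up.
SAMPLE_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
  </runtime>
</configuration>
"""

CONFIG_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_KEYS = ("APPDOMAIN_MANAGER_ASSEMBLY", "APPDOMAIN_MANAGER_TYPE")


def config_overrides(config_xml):
    """Return {element: value} for AppDomainManager overrides under <runtime>."""
    root = ET.fromstring(config_xml)
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in CONFIG_KEYS:
                found[child.tag] = child.get("value", "")
    return found


def env_overrides(env):
    """Return the same overrides when set through the process environment."""
    return {k: env[k] for k in ENV_KEYS if k in env}


def assess(config_xml, env):
    """Combine both sources into a list of findings for an analyst to review;
    a legitimate application can set these too, so this is a lead, not proof."""
    findings = []
    for key, val in config_overrides(config_xml).items():
        findings.append(f"config sets {key}={val}")
    for key, val in env_overrides(env).items():
        findings.append(f"environment sets {key}={val}")
    return findings


if __name__ == "__main__":
    import os
    for finding in assess(SAMPLE_CONFIG, os.environ):
        print("REVIEW:", finding)
```

In practice, run config_overrides over every *.exe.config beside a signed Microsoft binary and compare the named assembly against what the vendor ships.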

Recommendations

  • Ensure all systems are patched and updated.
  • Avoid clicking or opening untrusted or unknown links, files or attachments.
  • Don’t allow macros in unknown MS Office files.
  • Enable software restriction policies and application whitelisting.
  • Ensure that the email server is configured to block any suspicious files.
  • Enforce the Restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviours.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing / suspicious emails.

New Side Channel Attack Affects Safari Browser and Apple CPUs

Academic researchers have demonstrated an exploit that can extract sensitive information from web browsers on macOS and iOS devices with Apple’s A-series or M-series CPUs, including all recent iPhones and iPads as well as Apple’s laptops and desktops from 2020 onwards.

The vulnerability, named iLeakage, is a transient execution side channel that can cause a browser to render an arbitrary webpage and recover sensitive information present within it using speculative execution.

On macOS, only the Safari browser is affected. On iOS/iPadOS, however, nearly every browser application listed on the App Store is vulnerable to iLeakage.

Currently, Apple has implemented a mitigation for iLeakage in the Safari browser, applicable only on macOS Ventura 13.0 and higher. This mitigation is marked as unstable, and Apple has not yet released any security patches. There is also no evidence to indicate whether iLeakage has been misused in the wild.

References:

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government

https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm

https://www.zerodayinitiative.com/advisories/ZDI-23-1564/

https://www.zerodayinitiative.com/advisories/ZDI-23-1565/

https://www.zerodayinitiative.com/advisories/ZDI-23-1567/

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html

https://ileakage.com/
