Top Middle East Cyber Threats – November 21, 2023

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead.
Hacktivist Groups Target the UAE in Coordinated DDoS Attacks
There has been a significant increase in cyber attacks targeting various sectors in the United Arab Emirates (UAE), particularly in education, government, and health sectors. These attacks are part of the #OPUAE campaign, coordinated by multiple attack groups. There’s a concern that these operations might escalate, potentially culminating in a major cyber assault during the upcoming COP28 event.
In a related development, Microsoft’s fourth annual Digital Defense Report has linked a threat actor, identified as Storm-1133, to a series of cyber-attacks against private organizations. These attacks, observed first in early 2023, have primarily targeted private-sector entities in the energy, defense, and telecommunications industries. Most of these attacks were Distributed Denial-of-Service (DDoS) attacks, and some also targeted critical infrastructure.
The report by The Cyber Express indicates that over 35 hacking groups have been involved in these attacks against various targets. These groups, which include KILLNET and Anonymous Sudan, remain largely unverified in terms of their exact numbers and identities. They have a history of launching DDoS campaigns against multiple organizations and countries, including the United Arab Emirates.
RECOMMENDATIONS
- Ensure your organization has sufficient bandwidth and build in redundancy by spreading traffic across load balancers.
- Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols.
- Deploy DDoS protection solutions to protect your servers from both network and application layer DDoS attacks.
- Have a response plan in place: This can help you quickly and effectively respond to the attack and minimize its impact.
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Enable software restriction policies and application whitelisting.
- Enforce the Restricted PowerShell script execution policy.
- Monitor your network for abnormal behaviours.
- Ensure frequent backups are in place.
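As an added example of the "monitor your network for abnormal behaviours" recommendation (illustrative code, not Help AG's tooling), the script below runs a sliding-window request-rate check over web-server access lines in Combined Log Format and flags any source that exceeds a threshold inside the window. The log lines, IP addresses (documentation ranges) and thresholds are all constructed for the example.

```python
"""Sliding-window request-rate check over web-server access logs.

Added example (not Help AG's tooling): flags sources whose request count in
any `window_seconds` span exceeds `threshold`, one of the "abnormal behaviours"
a defender watches for during a DDoS campaign. Log lines are constructed below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format prefix: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flag_high_rate_sources(lines, window_seconds=10, threshold=20):
    """Return {ip: peak_requests_in_window} for sources exceeding `threshold`
    requests within any `window_seconds` span. Lines must be in time order;
    unparsable lines are skipped."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # evict timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def _fmt_line(ip, ts, request):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" 200 512'


def build_sample_log():
    """Constructed sample: 203.0.113.10 sends 50 requests in 5 seconds, two
    other sources browse at a normal pace. Addresses are documentation ranges."""
    base = datetime(2023, 11, 21, 10, 0, 0, tzinfo=timezone(timedelta(hours=4)))
    lines = [_fmt_line("203.0.113.10", base + timedelta(milliseconds=100 * i), "GET / HTTP/1.1")
             for i in range(50)]
    lines += [_fmt_line("198.51.100.7", base + timedelta(seconds=20 * i), "GET /index.html HTTP/1.1")
              for i in range(3)]
    lines += [_fmt_line("192.0.2.44", base + timedelta(seconds=7 * i), "GET /news HTTP/1.1")
              for i in range(5)]
    lines.sort(key=lambda l: parse_line(l)[1])
    return lines


if __name__ == "__main__":
    for ip, peak in flag_high_rate_sources(build_sample_log()).items():
        print(f"{ip}: peak {peak} requests in a 10 s window")
```

A per-source count like this is only a first signal: in a real deployment the threshold is tuned against the site's baseline, and a distributed campaign of many low-rate sources would need aggregate-rate or geographic checks alongside it.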
Splunk Update Fixes Multiple Vulnerabilities
Splunk has published a security update to address two vulnerabilities in Splunk Enterprise versions below 9.0.7 and 9.1.2 in addition to multiple other CVEs in third-party packages used by Splunk Enterprise and Splunk Universal Forwarder.
Additionally, two critical vulnerabilities were addressed in the Splunk Add-ons for Google Cloud Platform and Amazon Web Services.
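Because the fix lands in two release branches (9.0.7 and 9.1.2), a naive "is my version below 9.1.2" comparison mis-reports a patched 9.0.8 install. The added example below (not Splunk's code) compares each minor branch against its own fixed version; the branch table is taken from the text above, and any other branch is reported as "unknown" rather than guessed.

```python
"""Branch-aware patch check for the Splunk Enterprise versions named above.

Added example, not Splunk's code: a plain numeric comparison treats 9.0.8 as
"below 9.1.2" and mis-reports it, so each minor branch is compared with its own
fixed version. The branch table is taken from the section above; any other
branch is reported as "unknown" (assumption: no claim is made about it).
"""

FIXED_BY_BRANCH = {
    (9, 0): (9, 0, 7),   # 9.0.x fixed in 9.0.7
    (9, 1): (9, 1, 2),   # 9.1.x fixed in 9.1.2
}


def parse_version(text):
    """'9.0.6' -> (9, 0, 6); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def naive_status(text):
    """The common mistake: compare against the highest fixed version only."""
    return "patched" if parse_version(text) >= max(FIXED_BY_BRANCH.values()) else "vulnerable"


def splunk_patch_status(text):
    """'patched', 'vulnerable', or 'unknown' for a branch the advisory text does not cover."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    for v in ("9.0.6", "9.0.7", "9.0.8", "9.1.1", "9.1.2", "8.2.9"):
        print(f"{v}: branch-aware={splunk_patch_status(v)} naive={naive_status(v)}")
```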
RECOMMENDATION
- Ensure all systems are patched and updated.
FortiGuard Labs Security Update Addresses Multiple Vulnerabilities
FortiGuard Labs has released its security advisories for the month of November, fixing a total of 21 vulnerabilities across multiple products: 2 critical, 7 high, 11 medium, and 1 low severity.
Below are the critical and high severity vulnerabilities, the affected products, and their descriptions:
- CVE-2023-36553 – FortiSIEM – OS command injection in Report Server
- CVE-2023-34991 – FortiWLM – Unauthenticated SQL injection vulnerability
- CVE-2023-44252 – FortiWAN – Guessable static JSON Web Token secret
- CVE-2023-38545 and CVE-2023-38546 – curl and libcurl – vulnerabilities in curl and libcurl
- CVE-2023-44251 – FortiWAN – Path traversal vulnerability
- CVE-2023-26205 – FortiADC – Privilege escalation vulnerability using the automation cli-script feature
- CVE-2023-41840 – FortiClient (Windows) – DLL hijacking via openssl.cnf
- CVE-2023-42783 – FortiWLM – Unauthenticated arbitrary file read vulnerability
- CVE-2022-40681 – FortiClient (Windows) – Arbitrary file deletion by unprivileged users
RECOMMENDATION
- Ensure all systems are patched and updated.
Lumma Stealer Targets Crypto Wallets and 2FA Extensions
Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since August 2022. Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim’s machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent “TeslaBrowser/5.5”. The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
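The user agent above is a concrete string a defender can hunt for in proxy or web-gateway logs. The added example below (not Help AG's detection content) scans newline-delimited JSON proxy events, rates an exact "TeslaBrowser/5.5" match on an outbound POST as high severity and any other TeslaBrowser user agent as medium, and counts repeat POSTs per internal source. The sample events, internal addresses and the destination host (a `.invalid` name) are constructed, not real indicators.

```python
"""Proxy-log check for the Lumma Stealer exfiltration user agent.

Added example, not Help AG's detection content: matches the "TeslaBrowser/5.5"
user agent named above in outbound HTTP POST requests. Events are newline-
delimited JSON as a SIEM might export; the sample events and the destination
host are constructed (`.invalid` TLD), not real indicators.
"""
import json
import re
from collections import Counter

LUMMA_UA = "TeslaBrowser/5.5"                          # from the section above
UA_HINT = re.compile(r"teslabrowser", re.IGNORECASE)   # looser match for variants


def classify_event(event):
    """'high' for an exact UA match on a POST, 'medium' for any TeslaBrowser UA,
    None for everything else."""
    ua = event.get("user_agent", "")
    method = event.get("method", "").upper()
    if ua == LUMMA_UA and method == "POST":
        return "high"
    if UA_HINT.search(ua):
        return "medium"
    return None


def find_lumma_exfil(lines):
    """Scan JSON-lines proxy events; return alerts (malformed lines are skipped)."""
    alerts = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        severity = classify_event(ev)
        if severity:
            alerts.append({
                "severity": severity,
                "ts": ev.get("ts"),
                "src_ip": ev.get("src_ip"),
                "dst_host": ev.get("dst_host"),
                "bytes_out": int(ev.get("bytes_out", 0)),
            })
    return alerts


def high_severity_posts_per_source(alerts):
    """Count high-severity POSTs per internal source, to spot repeat exfiltration."""
    return Counter(a["src_ip"] for a in alerts if a["severity"] == "high")


# Constructed sample events (documentation IP ranges, invalid TLD).
SAMPLE_EVENTS = [
    '{"ts":"2023-11-21T09:12:01Z","src_ip":"10.20.30.41","method":"GET","dst_host":"www.example.com","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/119.0","bytes_out":312}',
    '{"ts":"2023-11-21T09:12:05Z","src_ip":"10.20.30.41","method":"POST","dst_host":"c2.constructed.invalid","user_agent":"TeslaBrowser/5.5","bytes_out":48231}',
    '{"ts":"2023-11-21T09:12:09Z","src_ip":"10.20.30.41","method":"POST","dst_host":"c2.constructed.invalid","user_agent":"TeslaBrowser/5.5","bytes_out":1024}',
    '{"ts":"2023-11-21T09:13:00Z","src_ip":"10.20.30.77","method":"GET","dst_host":"cdn.example.com","user_agent":"teslabrowser/5.5","bytes_out":200}',
    'this line is not JSON',
]

if __name__ == "__main__":
    found = find_lumma_exfil(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(high_severity_posts_per_source(found))
```

A user-agent string is a weak indicator on its own, since the operator can change it between builds; pairing it with the POST method, the outbound byte count and the destination's reputation is what makes the alert worth paging on.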
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Don’t allow Macros for unknown MSOffice files.
- Enable software restriction policies and application whitelisting.
- Ensure that your email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviours.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
TA402 Campaigns Target Middle East Entities
Recently revealed TA402 activity uses an infection chain to target Middle Eastern governments with a new initial access downloader dubbed IronWind. From July through October 2023, TA402 utilized three variations of this infection chain – Dropbox links, XLL file attachments, and RAR file attachments – with each variant consistently leading to the download of a DLL containing the multifunctional malware. In these campaigns, TA402 also pivoted away from its use of cloud services like the Dropbox API to using actor-controlled infrastructure for C2 communication.
TA402 remains a persistent and innovative threat actor that routinely retools its attack methods and malware in support of its cyber espionage mandate. Its ongoing use of geofencing and decoy documents continues to serve its detection evasion efforts. TA402 is an intelligence-collection-focused threat actor with a specific interest in Middle Eastern and North African government entities.
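The three delivery variants above (Dropbox links, XLL attachments, RAR attachments) map directly onto mail-gateway checks. The added example below (not TA402 tooling or any vendor's filter) flags Dropbox links in a message body and XLL or RAR attachments by extension, and also reads the leading bytes of each attachment so that a PE file (an XLL add-in is a DLL) or a RAR archive renamed to a harmless-looking extension is still caught. The message body, attachment names and file contents are constructed.

```python
"""Mail-gateway triage for the TA402 delivery variants described above.

Added example, not TA402 tooling or any vendor's filter: flags Dropbox links in
the message body and XLL / RAR attachments, and uses magic bytes to catch a PE
file (an XLL add-in is a DLL) or a RAR archive hiding behind another extension.
All sample inputs are constructed.
"""
import re

RISKY_EXTENSIONS = {".xll", ".rar"}            # attachment types used in the chains above
DROPBOX_RE = re.compile(r"https?://(?:www\.)?dropbox\.com/\S+", re.IGNORECASE)

# Leading bytes of the container formats we care about.
MAGIC = {
    b"MZ": "pe",                 # Windows executable / DLL, which an XLL add-in is
    b"Rar!\x1a\x07": "rar",      # RAR archive (v4 and v5 share this prefix)
    b"PK\x03\x04": "zip",        # OOXML documents such as .docx / .xlsx
}


def sniff(data):
    """Return the container type guessed from the leading bytes, or 'unknown'."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extension_of(filename):
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def assess_attachment(filename, data):
    """Return a list of reasons to hold this attachment; empty means no finding."""
    ext = extension_of(filename)
    kind = sniff(data)
    reasons = []
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    if kind == "pe":
        reasons.append(f"PE executable content behind extension {ext or '(none)'}")
    if kind == "rar" and ext != ".rar":
        reasons.append(f"RAR archive behind extension {ext or '(none)'}")
    return reasons


def assess_message(body, attachments):
    """attachments: iterable of (filename, bytes). Returns (where, reason) findings."""
    findings = [("body", f"file-sharing link {url}") for url in DROPBOX_RE.findall(body)]
    for name, data in attachments:
        findings += [(name, r) for r in assess_attachment(name, data)]
    return findings


if __name__ == "__main__":
    # Constructed message: a Dropbox link plus a disguised RAR and an XLL add-in.
    body = "Please review https://www.dropbox.com/s/CONSTRUCTED/brief.rar?dl=1 today."
    attachments = [
        ("agenda.docx", b"PK\x03\x04" + b"\x00" * 16),
        ("brief.pdf", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),
        ("macro.xll", b"MZ\x90\x00" + b"\x00" * 16),
    ]
    for where, reason in assess_message(body, attachments):
        print(f"{where}: {reason}")
```

The magic-byte check is what makes the extension rule worth having: an add-in renamed to `.pdf` passes an extension-only filter but still starts with `MZ`. In production the same idea extends to archives, whose members need to be inspected after extraction, and to links, where the gateway's URL-rewriting or sandboxing policy decides what happens with a flagged file-sharing link.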
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Don’t allow Macros for unknown MSOffice files.
- Enable software restriction policies and application whitelisting.
- Ensure that your email server is configured to block any suspicious attached files.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviours.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing / suspicious emails.
REFERENCES
https://advisory.splunk.com/advisories/SVD-2023-1104
https://advisory.splunk.com/advisories/SVD-2023-1103
https://advisory.splunk.com/advisories/SVD-2023-1102
https://advisory.splunk.com/advisories/SVD-2023-1101
https://fortiguard.fortinet.com/psirt
https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer