At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
Microsoft Releases Patches for Critical and High-Severity Vulnerabilities
Microsoft has released three security fixes, one rated Critical and two rated High:
[Critical] CVE-2025-59503 – Azure Compute Resource Provider:
A server-side request forgery (SSRF) vulnerability in Azure Compute Gallery allows an authorized attacker to elevate privileges over a network.
[High] CVE-2025-59273 – Azure Event Grid System:
Improper access control in Azure Event Grid allows an unauthorized attacker to elevate privileges over a network.
[High] CVE-2025-59500 – Azure Notification Service:
Improper access control in Azure Notification Service allows an authorized attacker to elevate privileges over a network.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Help AG CTI Identifies Rising Hacktivist Activity Targeting Regional Entities
Help AG’s Cyber Threat Intelligence (CTI) team has observed a notable increase in politically motivated Distributed Denial of Service (DDoS) attacks targeting UAE-based organizations.
Two hacktivist groups—DieNet and Red Wolf—have publicly taken credit for recent attacks on UAE entities, including those in the banking and government sectors. They have used hashtags like #OperationDownfall and #RedEyeOfPalestine to promote these campaigns.
Public telemetry and vendor reports indicate that regional hacktivist groups have conducted large, multi-wave DDoS campaigns across the region during 2024–2025.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Engage ISPs or scrubbing providers to mitigate DDoS traffic.
- Enable rate limiting, geo-IP filtering, and traffic throttling.
- Deploy and fine-tune Web Application Firewalls (WAFs).
- Enhance traffic monitoring and anomaly detection capabilities.
- Update and rehearse DDoS incident response playbooks.
- Establish redundancy and failover mechanisms for critical services.
- Review and test disaster recovery and business continuity plans.
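The rate-limiting and anomaly-detection recommendations above boil down to two checks a defender can run over web server access logs: how many requests a single source makes inside a short window, and whether overall request volume jumps well above its normal baseline. The following Python is an added illustration, not Help AG tooling or anything from the reported campaigns; the log lines are constructed in the common Apache/Nginx combined format, and the window size, per-source ceiling and baseline rate are assumed values that a real deployment would tune from its own traffic history.

```python
"""Flag DDoS-like request bursts in web server access logs.

Added example (not Help AG tooling). Two checks are implemented:
  1. find_bursting_sources: sliding-window request count per source IP.
  2. volume_spikes: per-second request volume compared with a baseline.
Sample log lines are constructed below in Apache/Nginx combined format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Combined log format: ip - - [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "status": int(m.group("status")),
    }


def _events(lines):
    """Parsed events sorted by timestamp (log files are not always in order)."""
    parsed = (parse_line(ln) for ln in lines)
    return sorted((ev for ev in parsed if ev is not None), key=lambda e: e["ts"])


def find_bursting_sources(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_count} for sources exceeding max_requests in any
    window_seconds-long sliding window. Threshold values are assumed."""
    windows = defaultdict(deque)
    peaks = {}
    for ev in _events(lines):
        q = windows[ev["ip"]]
        q.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:  # drop requests that left the window
            q.popleft()
        if len(q) > max_requests:
            peaks[ev["ip"]] = max(peaks.get(ev["ip"], 0), len(q))
    return peaks


def volume_spikes(lines, baseline_rps=1.0, factor=5.0):
    """Return sorted (second, count) buckets whose request count exceeds
    baseline_rps * factor. baseline_rps would normally be learned from
    historical traffic; here it is an assumed constant."""
    buckets = defaultdict(int)
    for ev in _events(lines):
        buckets[ev["ts"].replace(microsecond=0)] += 1
    threshold = baseline_rps * factor
    return sorted((ts, n) for ts, n in buckets.items() if n > threshold)


# ---- constructed sample log (not real traffic) -----------------------------
def _mk(ip, ts, path="/"):
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 512'


BASE = datetime(2025, 10, 20, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# Legitimate client (documentation address range): one request every 2 s.
for i in range(5):
    SAMPLE_LOG.append(_mk("203.0.113.7", BASE + timedelta(seconds=2 * i), "/index.html"))
# Flood source (documentation address range): 60 requests inside 6 s.
for i in range(60):
    SAMPLE_LOG.append(_mk("198.51.100.9", BASE + timedelta(milliseconds=100 * i), "/login"))
SAMPLE_LOG.append("not a log line")  # exercises the parser's rejection path


if __name__ == "__main__":
    print("bursting sources:", find_bursting_sources(SAMPLE_LOG))
    for second, count in volume_spikes(SAMPLE_LOG):
        print(f"spike at {second:%H:%M:%S}: {count} requests")
```

Sources reported by `find_bursting_sources` are candidates for rate limiting or for handing to a scrubbing provider; `volume_spikes` is the coarse signal that tells the SOC a wave is under way even when it is spread across many sources. In production both thresholds should come from measured baselines rather than constants.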
ToolShell Leads to Compromise of Multiple Government and Education Systems
Researchers reported that a state-sponsored threat group exploited the ToolShell vulnerability (CVE-2025-53770) shortly after its public disclosure in July 2025 to breach a telecommunications company. The same actors also compromised two government departments, deploying the Zingdoor backdoor, previously associated with the threat group Glowworm (also known as Earth Estries or FamousSparrow).
The campaign also used KrustyLoader, a tool linked to the UNC5221 group, to expand its reach. The attackers subsequently moved into additional government agencies and an educational institution, exploiting vulnerabilities in SQL Server and in Apache HTTP Server running Adobe ColdFusion.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor your network for abnormal behaviors and Indicators of Compromise (IoCs).
Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage
Researchers have observed MuddyWater, a known Advanced Persistent Threat (APT) group, executing a phishing campaign originating from emails sent through a compromised account accessed via NordVPN. These emails contained malicious Word attachments prompting recipients to enable macros, which in turn executed embedded Visual Basic for Applications (VBA) code that deployed a FakeUpdate loader.
This loader then decrypted an Advanced Encryption Standard (AES)-encrypted second-stage payload, identified as Phoenix Backdoor v4, and wrote it to disk under the name sysProcUpdate. Once executed, Phoenix established persistent communication with the attackers’ C2 servers, enabling remote control, data collection, and further exploitation across multiple global targets.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce MFA for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor your network for abnormal behaviors and IoCs.
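The infection chain described above leaves two host-level signals that the "monitor for abnormal behaviors and IoCs" recommendation can be turned into concrete detection logic for: a Word process spawning a child process (the usual footprint of a macro that launches a loader), and a file written to disk under the reported name sysProcUpdate by a process descended from Word. The Python below is an added example, not Help AG tooling and not taken from the researchers' report; the event records are constructed in a simplified Sysmon-like schema (process creation with pid, parent pid and image paths; file creation with pid and path), and the child process `cmd.exe` is a placeholder since the page does not name the intermediate process the FakeUpdate loader used.

```python
"""Host-based detection for an Office-macro-to-loader chain.

Added example (not Help AG tooling). Rules implemented:
  - office_spawned_process: a process whose parent is an Office application.
  - known_payload_filename: a file created under a name reported for the
    Phoenix backdoor drop (sysProcUpdate).
  - file_written_by_office_descendant: any file created by a process whose
    ancestry includes an Office application.
Events below are constructed in a simplified Sysmon-like schema.
"""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# File name taken from the reported campaign; matched case-insensitively.
KNOWN_DROP_NAMES = {"sysprocupdate"}


def basename(path):
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


class ProcessTree:
    """Tracks parent links so lineage can be checked on later events.
    Keyed on PID for simplicity; real tooling should use process GUIDs
    because PIDs are reused."""

    def __init__(self):
        self.parent = {}
        self.image = {}

    def add(self, ev):
        self.parent[ev["pid"]] = ev["ppid"]
        self.image[ev["pid"]] = basename(ev["image"])
        self.image.setdefault(ev["ppid"], basename(ev["parent_image"]))

    def has_office_ancestor(self, pid, max_depth=8):
        """True if any ancestor (not the process itself) is an Office app."""
        for _ in range(max_depth):
            if pid not in self.parent:
                return False
            pid = self.parent[pid]
            if self.image.get(pid) in OFFICE_IMAGES:
                return True
        return False


def analyze(events):
    """Run the three rules over an ordered event stream; return alert dicts."""
    tree = ProcessTree()
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            tree.add(ev)
            if basename(ev["parent_image"]) in OFFICE_IMAGES:
                alerts.append({"rule": "office_spawned_process", "severity": "medium",
                               "pid": ev["pid"], "detail": basename(ev["image"])})
        elif ev["type"] == "file_create":
            if basename(ev["path"]) in KNOWN_DROP_NAMES:
                alerts.append({"rule": "known_payload_filename", "severity": "high",
                               "pid": ev["pid"], "detail": ev["path"]})
            if tree.has_office_ancestor(ev["pid"]):
                alerts.append({"rule": "file_written_by_office_descendant",
                               "severity": "high", "pid": ev["pid"],
                               "detail": ev["path"]})
    return alerts


# ---- constructed sample events (not real telemetry) -----------------------
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    # User opens a macro-enabled document from Explorer: normal on its own.
    {"type": "process_create", "pid": 4100, "ppid": 3900, "image": WINWORD,
     "parent_image": r"C:\Windows\explorer.exe"},
    # Word writes its own lock file: normal, Word is not its own ancestor.
    {"type": "file_create", "pid": 4100,
     "path": r"C:\Users\alice\Downloads\~$invoice.docm"},
    # Macro launches a child process (cmd.exe is a placeholder here).
    {"type": "process_create", "pid": 4212, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": WINWORD},
    # The child drops the second stage under the reported file name.
    {"type": "file_create", "pid": 4212,
     "path": r"C:\Users\alice\AppData\Local\Temp\sysProcUpdate"},
    # Unrelated service activity that should produce no alert.
    {"type": "file_create", "pid": 900,
     "path": r"C:\Windows\Temp\update.tmp"},
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f'[{alert["severity"]}] {alert["rule"]} pid={alert["pid"]} {alert["detail"]}')
```

The lineage rule is what carries the detection beyond the single reported file name: a renamed payload still produces a high-severity alert because it was written by a descendant of Word. Office spawning child processes does occur legitimately in some environments, so the medium-severity rule is best tuned with an allow-list of known child images before it is used for blocking.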
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59503
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59273
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59500
https://www.security.com/threat-intelligence/toolshell-china-zingdoor