Top Middle East Cyber Threats – 9 Nov 2020
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
North Korean Advanced Persistent Threat Focus: Kimsuky
US-CERT shared an advisory that describes the tactics, techniques, and procedures (TTPs) used by the North Korean advanced persistent threat (APT) group Kimsuky against worldwide targets to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
Kimsuky uses various spear phishing and social engineering methods to obtain initial access to victim networks. Other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions.
Kimsuky uses BabyShark malware and PowerShell or the Windows Command Shell for execution.
After analyzing the report we found some IoCs (Indicators of Compromise) that could be related to Dubai, indicating that the United Arab Emirates might have been targeted as well.
Recommendations
- Ensure all systems are patched and updated.
- Avoid clicking or opening untrusted or unknown links, files, or attachments.
- Don't allow macros in unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that the email server is configured to block any suspicious attachments.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and shared IoCs.
- Educate employees about detecting and reporting phishing/suspicious emails.
WordPress Patches Multiple Vulnerabilities
WordPress released a 5.5.2 update to patch 10 security bugs including a vulnerability that could allow an unauthenticated attacker to execute remote code on systems hosting the vulnerable website. Affected WordPress versions include 5.5.1 and earlier.
WordPress also fixed other vulnerabilities, including a cross-site scripting flaw, an improper access control bug and a cross-site request forgery vulnerability, each of which can be exploited by a non-authenticated user via the internet. Of these, the cross-site scripting flaw is potentially the most dangerous: a successful attack lets a remote attacker steal sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Recommendations
- Ensure all WordPress websites are patched and updated. The latest WordPress version can be downloaded from WordPress.org, or you can update from your Dashboard: navigate to Updates and click Update Now. Please refer to the following link for further details: https://wordpress.org/support/article/updating-wordpress/
Windows kernel zero-day exploited in the wild
Security researchers have disclosed a zero-day EoP (Elevation of Privileges) vulnerability in the Windows operating system that is currently under active exploitation.
The Windows zero-day (tracked as CVE-2020-17087) was used as part of a two-punch attack, together with a Chrome zero-day (tracked as CVE-2020-15999) that was fixed in October.
The Chrome zero-day was used to allow attackers to run malicious code inside Chrome, while the Windows zero-day was the second part of this attack, allowing threat actors to escape Chrome’s secure container and run code on the underlying operating system.
The zero-day is expected to be patched on November 10, which is the date of Microsoft’s next Patch Tuesday.
Recommendations
- Keep your Chromium-based browsers up to date (such as Google Chrome, Microsoft Edge and Opera).
- Patch and update your Windows systems regularly.
- Enable software restriction policies and application whitelisting.
- Monitor your network for abnormal behaviors and unauthenticated privileged access.
- Log Windows, proxy, firewall, AV, and DNS queries to aid in incident response if necessary.
Oracle WebLogic RCE Flaw Update
Oracle issued an out-of-band security update to address a critical remote code execution (RCE) vulnerability, tracked as CVE-2020-14750, which affects several versions of Oracle WebLogic Server.
The advisory states that this vulnerability is related to the CVE-2020-14882 flaw that was addressed in the October 2020 Critical Patch Update.
The vulnerability could be exploited by unauthenticated attackers via HTTP without user interaction.
Companies that run WebLogic servers are now advised to install the additional CVE-2020-14750 patch to protect from both the original CVE-2020-14882 exploit and its bypass.
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Recommendations
- Ensure all systems are patched and updated. Kindly refer to the following link for further details: https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
Google patches second Chrome zero-day
Google has released a security update recently for its Chrome web browser that patches ten security bugs, including one zero-day vulnerability identified as CVE-2020-16009 that is currently actively exploited in the wild.
This is the second Chrome zero-day that Google found exploited in the wild in the past two weeks.
On October 20, Google also released a security update for Chrome to patch the first 0-day vulnerability CVE-2020-15999 that was utilized together with a Windows zero-day (CVE-2020-17087).
The Chrome zero-day was used to execute malicious code inside Chrome, while the Windows zero-day was used to elevate the code’s privileges and attack the underlying Windows OS.
Recommendations
- Ensure all systems are patched and updated. It is advised to update your Chrome browser to version 86.0.4240.183 or later.
- Ensure all other Chromium-based browsers (such as Microsoft Edge and Opera) are up to date.
UNC1945 Exploiting Oracle Solaris Zero-Day
Threat actor “UNC1945 Group” is using a zero-day vulnerability in the Oracle Solaris operating system (CVE-2020-14871) as part of its intrusions into corporate networks.
Regular targets of UNC1945 attacks included the likes of telecommunications, financial, and consulting companies.
The zero-day is a vulnerability in the Solaris Pluggable Authentication Module (PAM) that allowed UNC1945 to bypass authentication procedures and install a backdoor named SLAPSTICK on internet-exposed Solaris servers. The hackers then used this backdoor as an entry point to launch reconnaissance operations inside corporate networks and move laterally to other systems.
ATT&CK Tactic Category | Techniques |
Initial Access | T1133 External Remote Services, T1190 Exploit Public-Facing Application |
Execution | T1059 Command and Scripting Interpreter, T1059.001 PowerShell, T1064 Scripting |
Persistence | T1133 External Remote Services |
Lateral Movement | T1021.001 Remote Desktop Protocol, T1021.004 SSH |
Defense Evasion | T1027 Obfuscated Files or Information, T1070.004 File Deletion, T1070.006 Timestomp, T1064 Scripting, T1553.002 Code Signing |
Discovery | T1046 Network Service Scanning, T1082 System Information Discovery, T1518.001 Security Software Discovery |
Command and Control | T1071 Application Layer Protocol, T1090 Proxy, T1105 Ingress Tool Transfer, T1132.001 Standard Encoding |
Recommendations
- Ensure all systems are patched and updated. It is advised to keep all your Oracle systems up to date:
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
- Enable software restriction policies and application whitelisting.
- Enforce the Restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and shared IoCs.
- Block incoming and outgoing traffic from the malicious IPs list.
VMware Issues Updated Fix for Critical ESXi Flaw (CVE-2020-3992)
VMware issued an updated fix for a critical-severity remote code execution flaw in its ESXi hypervisor products (CVE-2020-3992).
VMware's advisory on November 4 said updated patch versions were available after it was discovered that the previous patch, released on October 20, did not completely address the vulnerability, because certain affected versions were not covered by the earlier update.
A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a remote code execution. The flaw (CVE-2020-3992) has a CVSS score of 9.8 out of 10, with a critical severity level.
While ESXi users can update to fixed versions ESXi70U1a-17119627 (for version 7), ESXi670-202011301-SG (for version 6.7) and ESXi650-202011401-SG (for version 6.5), a patch is still pending for affected VMware Cloud Foundation versions.
Recommendations
- Update and patch your systems to the latest version. Kindly refer to the following link for further details: https://www.vmware.com/security/advisories/VMSA-2020-0023.html
Cisco AnyConnect zero-day
Cisco has disclosed today a zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client software with proof-of-concept exploit code publicly available.
While security updates are not yet available for this arbitrary code execution vulnerability, Cisco is working on addressing the zero-day, with a fix coming in a future AnyConnect client release.
The high-severity vulnerability, tracked as CVE-2020-3556, exists in the interprocess communication (IPC) channel of the Cisco AnyConnect Client and may allow an authenticated, local attacker to execute malicious scripts via a targeted user.
It affects all AnyConnect client versions for Windows, Linux, and macOS with vulnerable configurations. However, mobile iOS and Android clients are not impacted by this vulnerability.
A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled. Auto Update is enabled by default, and Enable Scripting is disabled by default.
Cisco also patched 11 other High and 23 Medium severity vulnerabilities in its advisories of November 5.
Recommendations
- Update and patch your systems to the latest version; kindly refer to the following link for further details.
- For the AnyConnect vulnerability (CVE-2020-3556), apply the mitigation configurations to disable the Auto Update feature or the Enable Scripting configuration setting. For more details kindly refer to the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK
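The vulnerable-configuration condition for CVE-2020-3556 (Auto Update enabled and Enable Scripting enabled) can be audited across client profiles. The script below is an added example, not Cisco's code; it assumes AnyConnect client profiles are XML files carrying AutoUpdate and EnableScripting elements under ClientInitialization, and applies the client defaults (Auto Update on, Enable Scripting off) when an element is absent. The sample profiles are constructed for the example.

```python
# Audit AnyConnect client profiles for the CVE-2020-3556 exposure condition:
# Auto Update enabled AND Enable Scripting enabled (either one off removes it).
# Assumed (not from the advisory text): profiles are XML with <AutoUpdate> and
# <EnableScripting> elements under <ClientInitialization>.
import xml.etree.ElementTree as ET

# Constructed sample profiles for demonstration only.
PROFILE_EXPOSED = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <EnableScripting UserControllable="false">true</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""

# AutoUpdate omitted: the client default (enabled) applies; scripting stays off.
PROFILE_DEFAULTS = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableScripting UserControllable="false">false</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""


def _local_name(tag):
    # Strip the XML namespace so lookups work with or without an xmlns.
    return tag.rsplit("}", 1)[-1]


def _flag(root, name, default):
    # Boolean value of the named setting, or the client default when absent
    # (per the advisory: Auto Update on by default, Enable Scripting off).
    for el in root.iter():
        if _local_name(el.tag) == name:
            return (el.text or "").strip().lower() == "true"
    return default


def profile_settings(profile_xml):
    root = ET.fromstring(profile_xml)
    return {"AutoUpdate": _flag(root, "AutoUpdate", True),
            "EnableScripting": _flag(root, "EnableScripting", False)}


def is_exposed(profile_xml):
    # Exposed only when both settings are enabled, matching the advisory.
    s = profile_settings(profile_xml)
    return s["AutoUpdate"] and s["EnableScripting"]


if __name__ == "__main__":
    for name, xml in (("exposed", PROFILE_EXPOSED), ("defaults", PROFILE_DEFAULTS)):
        print(name, profile_settings(xml), "EXPOSED" if is_exposed(xml) else "ok")
```

A profile that omits both elements is reported as not exposed because the scripting default is off; flipping either setting to false in a flagged profile clears the finding.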
References
- https://us-cert.cisa.gov/ncas/alerts/aa20-301a
- https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
- https://www.theregister.com/2020/10/30/windows_kernel_zeroday/
- https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
- https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html
- https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html
- https://www.vmware.com/security/advisories/VMSA-2020-0023.html
- Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK