Top Middle East Cyber Threats – April 08th, 2025

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
Water Gamayun Leverages Microsoft MMC Vulnerability to Deploy Malicious Payloads
A threat actor known as Water Gamayun has been linked to Windows zero-day attacks exploiting a Microsoft Management Console (MMC) vulnerability that was patched this month.
The security feature bypass—dubbed ‘MSC EvilTwin’ and now tracked as CVE-2025-26633—resides in how MSC files are handled on vulnerable devices.
Attackers can exploit this vulnerability to evade Windows file reputation protections and execute code without warning the user before loading unexpected MSC files on unpatched systems.
In an email-based attack scenario, an attacker could exploit the vulnerability by sending a specially crafted MSC file to the victim and convincing them to open it. In a web-based scenario, the attacker could host the malicious file on a website—or use a compromised website that accepts or hosts user-provided content—to deliver the payload.
During the campaign, Water Gamayun has deployed several malicious payloads previously associated with its operations, including the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, Stealc, Rhadamanthys stealer, and a PowerShell-based MSC EvilTwin trojan loader.
RECOMMENDATIONS
- Apply Patch: Immediately apply the patch for CVE-2025-26633 on all Windows systems.
- Audit .msc Files: Review any unexpected .msc files located in the en-US subdirectories.
- Restrict MMC Execution: Limit the use of Microsoft Management Console (MMC) with internet rendering capabilities or restrict the use of ActiveX components.
- Monitor for .msc Execution via MMC: Configure alerts for instances of mmc.exe executing .msc files from MUI directories.
- Block IoCs: Block the Indicators of Compromise (IoCs) published for this campaign through your security controls.
- User Awareness: Educate employees on the risks of opening unsigned .msc, .msi, or other unexpected administrative tools.
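The two monitoring items above (unexpected .msc files in en-US subdirectories, and mmc.exe loading .msc files from MUI directories) written out as a small detection rule. This is an added illustration, not code from the bulletin or from Trend Micro's research; it assumes process-creation events carrying an image path and command line (Sysmon Event ID 1 or an EDR feed), and all sample events are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events in the shape of Sysmon Event ID 1 / an EDR
# feed (image path plus command line). Sample data only, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\en-US\WmiMgmt.msc"'},
    {"host": "ws01", "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\WmiMgmt.msc"'},
    {"host": "ws02", "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Users\alice\Downloads\report.msc'},
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

# First .msc argument on the command line, quoted or not.
MSC_ARG = re.compile(r'[A-Za-z]:\\[^"]*?\.msc(?=["\s]|$)', re.IGNORECASE)
# An .msc sitting directly inside a language-tag (MUI) directory such as en-US.
MUI_DIR = re.compile(r"\\[a-z]{2}-[a-z]{2}\\[^\\]+$", re.IGNORECASE)
# Where legitimate console files normally live (lowercased prefixes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def msc_path(cmdline: str) -> Optional[str]:
    m = MSC_ARG.search(cmdline)
    return m.group(0) if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Tag an mmc.exe launch that loads an .msc from an unexpected place."""
    if not event["image"].lower().endswith("\\mmc.exe"):
        return None
    path = msc_path(event["cmdline"])
    if path is None:
        return None
    if MUI_DIR.search(path):
        return "msc-loaded-from-mui-dir"      # the pattern the bulletin asks to alert on
    if not path.lower().startswith(SYSTEM_DIRS):
        return "msc-outside-system-dirs"      # weaker signal: an unexpected console file
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, tag, msc path) for every event worth an alert."""
    findings = []
    for e in events:
        tag = classify(e)
        if tag:
            findings.append((e["host"], tag, msc_path(e["cmdline"])))
    return findings


if __name__ == "__main__":
    for host, tag, path in scan(SAMPLE_EVENTS):
        print(f"{host}: {tag} ({path})")
```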
Ivanti Addresses Vulnerability in Connect Secure and Related Products
Ivanti has published a security update to address a critical-severity vulnerability affecting the Ivanti Connect Secure (version 22.7R2.5 and earlier), Pulse Connect Secure 9.x (end-of-support as of December 31, 2024), Ivanti Policy Secure and ZTA gateways.
According to Ivanti, the vulnerability has been exploited in the wild, specifically targeting a limited number of customers using Ivanti Connect Secure (version 22.7R2.5 or earlier) and End-of-Support Pulse Connect Secure 9.1x appliances.
The vulnerability, CVE-2025-22457, is a stack-based buffer overflow that allows a remote, unauthenticated attacker to execute arbitrary code on affected systems.
RECOMMENDATIONS
- Ensure all systems are fully patched and up to date.
- For Connect Secure, upgrade to version 22.7R2.6 (released Feb 2025); contact Ivanti Support for update issues. If the Integrity Checker Tool (ICT) shows signs of compromise, perform a factory reset and re-deploy version 22.7R2.6.
- For Policy Secure, a patch will be available April 21. Risk is currently low, as it’s not internet-facing and there are no known exploitations.
- For ZTA Gateways, a patch will be auto-applied April 19. These are not exploitable in production; risk exists only for generated gateways not yet connected to a controller. No exploitations reported.
Google Chrome Releases Update to Address Critical Use After Free Vulnerability
Google has published a security update to address multiple vulnerabilities in the Chrome browser. These issues have been fixed in the latest Chrome versions: 135.0.7049.41/42 for Windows and Mac, and 135.0.7049.52 for Linux.
The update includes fourteen security fixes, nine of which were reported by external researchers. Of those nine, one is rated high, four medium, and four low in severity.
The most severe vulnerability, CVE-2025-3066, is rated High and described as a Use After Free in Navigations.
Use After Free bugs occur when a program continues to access a memory location after it has been freed or deallocated. This can result in crashes, unpredictable behavior, or serious security risks such as remote code execution or privilege escalation.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Apple Releases Security Update to Address Vulnerabilities and Zero-Day Exploits
Apple has released a security update to address 152 vulnerabilities across multiple products, including macOS, iPads, and iPhones.
A remote attacker could exploit some of these vulnerabilities to cause a denial-of-service condition, elevate privileges, perform spoofing, execute remote code, disclose sensitive information, bypass security restrictions, or conduct cross-site scripting on targeted systems.
The update also addresses three zero-day vulnerabilities:
- CVE-2025-24085: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited in versions of iOS prior to iOS 17.2.
- CVE-2025-24200: A physical attack could potentially disable USB Restricted Mode on a locked device. Apple is aware of a report indicating that this vulnerability may have been exploited in a highly sophisticated attack targeting specific individuals.
- CVE-2025-24201: Maliciously crafted web content may break out of the Web Content sandbox. This is a supplementary fix for an attack previously blocked in iOS 17.2. Apple is aware of a report that the issue may have been exploited in highly targeted attacks on devices running versions prior to iOS 17.2.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
GitHub Exploited in Cyber-Espionage Campaign Using SHELBY Malware
Researchers have uncovered a sophisticated cyber-espionage campaign, dubbed REF8685, that leverages a malware family known as SHELBY, which abuses GitHub as its Command-and-Control (C2) infrastructure. The campaign specifically targeted the telecommunications sector in Iraq and the aviation sector in the Middle East through highly targeted phishing emails sent from compromised internal accounts. The phishing lures included ZIP archives containing executables disguised as legitimate tools (e.g., JPerf), which initiated a stealthy execution chain via DLL side-loading to deploy SHELBYLOADER and SHELBYC2.
Victims were deceived using fake email threads that mimicked internal network alerts or cloud service login pages. Notably, the attackers used compromised internal email accounts to launch second-stage phishing attacks, which significantly increased their effectiveness.
The SHELBY malware uses private GitHub repositories to register infected hosts, fetch AES decryption keys, and download commands or payloads. In certain variants, it also uses Domain Name System (DNS) queries as part of its keying mechanisms.
SHELBY employs several advanced evasion techniques, including anti-sandbox checks, reflective code loading and memory-only execution, and it maintains persistence via Windows Registry keys, which together make it highly evasive.
RECOMMENDATIONS
- Restrict GitHub API access to approved systems and user accounts only. Implement outbound network controls to block unauthorized systems from communicating with GitHub’s API endpoints.
- Continuously monitor for known malicious domains, IP addresses, and file hashes associated with the campaign. Integrate shared Indicators of Compromise (IOCs) into security tools (e.g., Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), firewall) for proactive detection and blocking.
- Audit and generate alerts for the creation or modification of Run and RunOnce registry keys that reference non-whitelisted or unsigned binaries, as these are commonly exploited for malware persistence.
- Conduct targeted security awareness training to help employees recognize spear-phishing tactics and signs of internal email compromise. Emphasize caution when opening attachments or clicking links, even from familiar contacts, especially if the context seems unusual.
- Deploy advanced email filtering technologies with features such as attachment sandboxing, URL rewriting, and spoofing protection to block phishing lures and malicious payloads before delivery.
- Enforce the principle of least privilege for email, GitHub, and cloud service accounts. Require Multi-Factor Authentication (MFA) for all externally accessible accounts to mitigate the risk of unauthorized access.
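The Run/RunOnce recommendation above as a detection rule, added here as an illustration and not taken from the bulletin or from Elastic's research. It assumes registry value-set events (Sysmon Event ID 13) enriched with a signature verdict from the EDR, plus an organisation-maintained allowlist; the events and allowlist below are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed registry value-set events in the shape of Sysmon Event ID 13, with a
# `signed` verdict assumed to come from the EDR's file-signature check. Sample data only.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "ws01", "event_id": 13, "signed": True,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r'"C:\Program Files\Vendor\agent.exe" /silent'},
    {"host": "ws01", "event_id": 13, "signed": False,
     "target": r"HKU\S-1-5-21-1111\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"host": "ws02", "event_id": 13, "signed": True,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backup",
     "details": r'"C:\Program Files\Vendor\backup.exe" --daemon'},
    {"host": "ws02", "event_id": 13, "signed": True,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop",
     "details": r"C:\Users\Public\Desktop"},
]

# Matches a value under Run or RunOnce in any hive (HKLM, HKCU, HKU\<SID>).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# Binaries the organisation has vetted for autorun (lowercased full paths); constructed.
ALLOWLIST = {r"c:\program files\vendor\agent.exe"}


def binary_from_command(command: str) -> str:
    """Extract the executable path: the quoted first token, or the first bare token."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    if not m:
        return ""
    return (m.group(1) or m.group(2)).lower()


def classify(event: Dict) -> Optional[Tuple[str, str, str]]:
    """Return (severity, key, binary) when a Run/RunOnce value points at a binary
    that is unsigned or not on the allowlist; None otherwise."""
    if event["event_id"] != 13:
        return None
    m = RUN_KEY.search(event["target"])
    if not m:
        return None
    binary = binary_from_command(event["details"])
    if binary in ALLOWLIST:
        return None
    key = f"{m.group(1)}\\{m.group(2)}"
    # Unsigned autorun entries are the strongest signal; signed-but-unknown ones still need review.
    return ("high" if not event["signed"] else "medium", key, binary)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        hit = classify(e)
        if hit:
            print(f"{e['host']}: {hit[0]} {hit[1]} -> {hit[2]}")
```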
Splunk Releases Security Update to Address Vulnerabilities in Multiple Components
Splunk has released a security update addressing eight vulnerabilities across several components, including Splunk Cloud Platform, Splunk Enterprise, Splunk Secure Gateway App, and the Splunk App for Lookup File Editing. In addition, the update includes fixes for multiple CVEs related to third-party packages in the following components: Splunk Infrastructure Monitoring Add-on, Splunk Add-on for Microsoft Cloud Services, Splunk DB Connect, Splunk App for Data Science and Deep Learning, and Splunk Enterprise.
Of the eight vulnerabilities reported, two are rated as high severity, five as medium, and one as low. The most critical vulnerabilities addressed in this update are CVE-2025-20229 and CVE-2025-20231, both rated high.
CVE-2025-20229 affects Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208. It allows a low-privileged user without “admin” or “power” roles to perform remote code execution (RCE) by uploading a file to the $SPLUNK_HOME/var/run/splunk/apptemp directory due to missing authorization checks.
CVE-2025-20231 affects Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, as well as versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform. This vulnerability enables a low-privileged user to run a search using the permissions of a higher-privileged user, potentially exposing sensitive information. Furthermore, the Splunk Secure Gateway exposes user session and authorization tokens in plain text within the splunk_secure_gateway.log file when calling the /services/ssg/secrets REST endpoint. Exploiting this flaw requires phishing the victim and tricking them into initiating a request from their browser. An authenticated low-privileged user cannot exploit this vulnerability independently without such interaction.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
VMware Resolves Authentication Bypass Vulnerability in VMware Tools for Windows
VMware has issued a security update to address a high-severity vulnerability in VMware Tools for Windows (CVE-2025-22230).
CVE-2025-22230 is an authentication bypass vulnerability caused by improper access control. A malicious actor with non-administrative privileges on a Windows guest VM may be able to perform certain high-privilege operations within that VM.
VMware has resolved this issue in VMware Tools for Windows version 12.5.1.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
IngressNightmare Exposes Critical Vulnerabilities in Ingress-NGINX Controller for Kubernetes
IngressNightmare is a collection of five vulnerabilities identified in the Ingress-NGINX Controller for Kubernetes—a widely used open-source ingress controller built on NGINX, designed to manage external access to services within Kubernetes clusters. It’s worth noting that these vulnerabilities do not impact the NGINX Ingress Controller, which is a separate ingress controller implementation for NGINX and NGINX Plus.
Of the five vulnerabilities reported, one is rated critical, three are high, and one is medium in severity. When chained together, these flaws could allow unauthenticated remote attackers to execute code, access secrets, and potentially take control of Kubernetes clusters. The most severe of them, CVE-2025-1974, enables remote code execution via the admission controller, significantly increasing its impact.
Microsoft has republished these CVEs, confirming that some of the vulnerabilities may affect customers running this component in their Kubernetes clusters. Customers managing their own Kubernetes NGINX Ingress Controller are advised to patch the vulnerabilities manually. For customers using Managed NGINX Ingress with the application routing add-on on Azure Kubernetes Service (AKS), no action is required, as patches are currently being rolled out to all regions and should be completed within a few days.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Kubernetes published two fixed versions of Ingress NGINX Controller, 1.12.1 and 1.11.5.
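To find which controllers in a cluster still need the fixed versions named above, an added helper (not from the bulletin or the Kubernetes project) that parses constructed output in the shape of `kubectl get pods -A -o custom-columns=NS:.metadata.namespace,POD:.metadata.name,IMAGE:.spec.containers[*].image`. It assumes the community controller image path contains ingress-nginx/controller (plain or -chroot), that branches newer than 1.12 were cut with the fix, and it deliberately ignores the separate NGINX Ingress Controller image, which the bulletin notes is unaffected.

```python
import re
from typing import List, Tuple

# Constructed sample of the kubectl custom-columns output described in the lead-in;
# image digests omitted. Not real cluster data.
SAMPLE_OUTPUT = """\
NS              POD                                  IMAGE
ingress-nginx   ingress-nginx-controller-7c6f9       registry.k8s.io/ingress-nginx/controller:v1.12.0
ingress-nginx   ingress-nginx-controller-5d4b2       registry.k8s.io/ingress-nginx/controller-chroot:v1.11.5
legacy-ingress  ingress-nginx-controller-9a1c0       registry.k8s.io/ingress-nginx/controller:v1.10.1
nginx-ingress   nginx-ingress-6b8d7                  nginx/nginx-ingress:3.7.0
kube-system     coredns-76f75df574-abcde             registry.k8s.io/coredns/coredns:v1.11.1
"""

# Only the Kubernetes-community ingress-nginx controller images are in scope;
# the separate NGINX Ingress Controller (nginx/nginx-ingress) is not affected.
IMAGE = re.compile(r"/ingress-nginx/controller(-chroot)?:v?(\d+)\.(\d+)\.(\d+)")
# Fixed releases per supported branch, as named in the bulletin.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}


def assess(image: str) -> str:
    m = IMAGE.search(image)
    if not m:
        return "not-ingress-nginx"
    ver = tuple(int(x) for x in m.group(2, 3, 4))
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        # Assumption: branches after 1.12 were cut with the fix; older branches got none,
        # so those clusters must move to 1.11.5 or 1.12.1.
        return "fixed" if ver[:2] > (1, 12) else "vulnerable-upgrade-branch"
    return "fixed" if ver >= fixed else "vulnerable"


def scan(output: str) -> List[Tuple[str, str, str]]:
    """Return (namespace, pod, status) for every ingress-nginx controller pod."""
    findings = []
    for line in output.splitlines()[1:]:   # skip the header row
        ns, pod, image = line.split()
        status = assess(image)
        if status != "not-ingress-nginx":
            findings.append((ns, pod, status))
    return findings


if __name__ == "__main__":
    for ns, pod, status in scan(SAMPLE_OUTPUT):
        print(f"{ns}/{pod}: {status}")
```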
REFERENCES
https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop.html
https://support.apple.com/en-us/100100
https://www.elastic.co/security-labs/the-shelby-strategy
https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html
https://thehackernews.com/2025/03/critical-ingress-nginx-controller.html
https://www.tenable.com/blog/cve-2025-1974-frequently-asked-questions-about-ingressnightmare-kubernetes
https://msrc.microsoft.com/update-guide/vulnerability/