Top Middle East Cyber Threats – August 06th, 2024
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog post, we share the top cybersecurity threats our MSS team has recently come across. Read on to learn what you need to look out for in the weeks ahead.
Hackers Target Software Developers with DEV#POPPER Malware
The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems. The activity cluster, dubbed DEV#POPPER, has targeted victims across South Korea, North America, Europe, and the Middle East.
DEV#POPPER is the moniker assigned to an active malware campaign that tricks software developers into downloading booby-trapped software hosted on GitHub under the guise of a job interview. The attack tactic typically involves the threat actors posing as interviewers for a developer position and instructing candidates to download a ZIP archive file, which supposedly contains a coding assignment. New features added to the recent samples include the use of enhanced obfuscation, AnyDesk remote monitoring and management (RMM) software for persistence, and improvements to the FTP mechanism used for data exfiltration.
Furthermore, the campaign's Python script acts as a conduit that runs an ancillary script responsible for stealing sensitive information from various web browsers, including Google Chrome, Opera, and Brave, across the targeted operating systems.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking on or opening untrusted or unknown links, files, or attachments.
- Don’t allow macros for unknown MS Office files.
- Enable software restriction policies and application whitelisting.
- Ensure that your email server is configured to block any suspicious files.
- Enforce the restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and IoCs.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing and suspicious emails.
Fake Microsoft Login Pages Target UAE Users in Credential Theft Campaign
A new phishing campaign has been identified targeting individuals and organizations in the United Arab Emirates. The campaign uses spoofed Microsoft login pages to steal user credentials. The phishing emails falsely claim that certain services have been disabled and prompt recipients to verify their accounts.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking on or opening untrusted or unknown links, files, or attachments.
- Implement MFA on all accounts to add an extra layer of security.
- Ensure that your email server is configured to block any suspicious links and attachments.
- Monitor your network for abnormal behaviors and IoCs.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing and suspicious emails.
Ransomware Groups Exploit VMware ESXi Flaw to Deploy Malware
A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by “several” ransomware groups to gain elevated permissions and deploy file-encrypting malware.
The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to gain administrative access to the host.
A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host previously configured to use AD for user management by re-creating the configured AD group (“ESX Admins” by default) after it has been deleted from AD. In other words, escalating privileges on ESXi to the administrator level was as simple as creating a new AD group named “ESX Admins” and adding any user to it, or renaming any existing group in the domain to “ESX Admins” and adding a user to it.
Microsoft, in a recent analysis, reported observing ransomware operators such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest leveraging post-compromise techniques to deploy Akira and Black Basta.
RECOMMENDATIONS
- Ensure that all domain-joined ESXi hypervisors have the latest security updates released by VMware.
If installing updates is not feasible, consider the following recommendations to mitigate risk:
- Validate that the group “ESX Admins” exists in the domain and is properly secured.
- Manually deny access to this group by adjusting settings directly in the ESXi hypervisor. If full admin access for the Active Directory “ESX Admins” group is not desired, you can disable this behavior by using the advanced host setting ‘Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd’.
- Change the admin group to a different group in the ESXi hypervisor.
- Add custom detections in XDR/SIEM for the new group name.
- Configure ESXi logs to be sent to a SIEM system and monitor for suspicious full administrative access.
- Identify critical assets on your network, such as ESXi hypervisors and vCenters (a centralized platform for managing VMware vSphere environments), and ensure they are protected with the latest security updates, appropriate monitoring procedures, and robust backup and recovery plans.
- Run authenticated vulnerability scans against network devices and hypervisors such as ESXi to identify unpatched flaws.
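The custom detection recommended above, written out as an added example (this is not Help AG's, Microsoft's or VMware's own detection content): the script scans Windows Security log records for the creation, rename or membership change of any AD group named like the ESXi admin group, which is exactly the path CVE-2024-37085 abuses. The event IDs are the standard Windows ones; the flattened JSON record shape and the sample records are constructed for this example.

```python
"""Detect AD group events matching the ESXi admin group abused via
CVE-2024-37085 (added example; sample records below are constructed).
Windows Security event IDs: 4727/4754 group created, 4737/4755 group
changed (covers renames), 4728/4756 member added (global/universal)."""
import json
import re

WATCHED_EVENT_IDS = {
    4727: "group created", 4754: "group created",
    4737: "group changed/renamed", 4755: "group changed/renamed",
    4728: "member added", 4756: "member added",
}
# Default "ESX Admins" plus the "ESXi Admins" variant, case/space-insensitive;
# extend the pattern if you configure a custom admin group name on the host.
ADMIN_GROUP_PATTERN = re.compile(r"^\s*esxi?\s*admins\s*$", re.IGNORECASE)

def is_watched_group(name):
    return bool(ADMIN_GROUP_PATTERN.match(name or ""))

def scan_events(records):
    # One alert per event that creates, renames or populates a watched group.
    alerts = []
    for rec in records:
        eid = rec.get("EventID")
        group = rec.get("TargetUserName") or ""
        if eid in WATCHED_EVENT_IDS and is_watched_group(group):
            alerts.append({
                "EventID": eid, "action": WATCHED_EVENT_IDS[eid],
                "group": group.strip(), "actor": rec.get("SubjectUserName"),
                "member": rec.get("MemberName"), "time": rec.get("TimeCreated"),
            })
    return alerts

def alerts_from_json_lines(lines):
    return scan_events(json.loads(line) for line in lines if line.strip())

# Constructed sample records (flattened event-data fields, one JSON per line).
SAMPLE_EVENTS = """
{"TimeCreated":"2024-08-01T09:12:03Z","EventID":4727,"SubjectUserName":"jdoe","TargetUserName":"ESX Admins"}
{"TimeCreated":"2024-08-01T09:12:10Z","EventID":4728,"SubjectUserName":"jdoe","TargetUserName":"ESX Admins","MemberName":"CN=jdoe,CN=Users,DC=corp,DC=example"}
{"TimeCreated":"2024-08-01T09:15:00Z","EventID":4737,"SubjectUserName":"svc-ops","TargetUserName":"esxi admins"}
{"TimeCreated":"2024-08-01T10:00:00Z","EventID":4728,"SubjectUserName":"hr-admin","TargetUserName":"HR Staff","MemberName":"CN=asmith,CN=Users,DC=corp,DC=example"}
""".strip().splitlines()

if __name__ == "__main__":
    for a in alerts_from_json_lines(SAMPLE_EVENTS):
        print(f"[{a['time']}] {a['action']}: '{a['group']}' by {a['actor']} member={a['member']}")
```

Feed the same logic your SIEM's 4727/4737/4728 events (and the universal-group equivalents) and alert on any hit, since legitimate changes to this group should be rare and change-controlled.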
Hacktivist Group Sylhet Gang Launches DDoS Attack on UAE Bank
Recent intelligence indicates that the hacktivist group known as Sylhet Gang has claimed responsibility for a successful Distributed Denial of Service (DDoS) attack against a UAE-based bank. This group has a history of similar attacks targeting entities within the United Arab Emirates.
RECOMMENDATIONS
- Ensure your organization has sufficient bandwidth and provide redundancy by distributing traffic across load balancers.
- Configure your network hardware to defend against DDoS attacks by filtering unwanted ports and protocols.
- Deploy DDoS protection solutions to safeguard your servers from both network and application layer DDoS attacks.
- Ensure all systems are patched and updated.
- Monitor all web-based activities continuously for unusual or suspicious behavior.
- Regularly review logs for any signs of attempted or successful exploitation.
Google Chrome Security Update Addresses Critical Vulnerabilities
Google has published a security update to address multiple vulnerabilities in the Chrome browser that are now fixed in the latest version (127.0.6533.88/89 for Windows and Mac, and 127.0.6533.88 for Linux).
The update includes three security fixes contributed by external researchers. Out of these three contributed fixes, one was rated as critical and two as high in severity.
None of the vulnerabilities were known to be exploited in the wild at the time this advisory was released.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
References
https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_30.html