
Top Middle East Cyber Threats – August 20th, 2024


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blogpost, we share the top cybersecurity threats our MSS team has recently come across. Read on to learn about what you need to watch out for in the weeks ahead.

Charming Kitten Targets Middle East with New Malware “Cyclops”

Researchers have identified a new and sophisticated malware platform named Cyclops, attributed to the state-sponsored group Charming Kitten (APT35). Cyclops has been active since December 2023, primarily targeting entities in the Middle East.

Cyclops is a sophisticated malware platform written in Go, utilizing the go-svc library to run as a service on Windows systems. It allows operators to execute arbitrary commands, manipulate the file system, and use the infected machine to pivot into the network.

Upon startup, Cyclops loads an AES-128-encrypted configuration, which includes details about its command-and-control (C2) server. The malware uses SSH tunneling to forward ports to the C2 server and starts a built-in HTTPS server to handle incoming requests. The server utilizes a modified version of the gorilla/mux package for handling HTTPS requests, with basic HTTP authentication implemented manually.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking on or opening untrusted or unknown links, files, or attachments.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious files.
  • Enforce the restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviors and IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and suspicious emails.

APT42 Launches Phishing Campaign Against Multiple Countries

The threat group APT42 has launched a phishing campaign targeting the U.S., UK, and other countries.

In its phishing campaigns, APT42 employs various tactics, including the use of malware, phishing pages, and malicious redirects. The group frequently exploits popular services such as Google Sites, Google Drive, Gmail, Dropbox, and OneDrive to host its malicious content.

A notable strategy employed by APT42 involves creating fake domains that closely resemble those of legitimate organizations, a technique known as typosquatting. Phishing links are often sent directly via email or embedded within seemingly benign PDF attachments, designed to lure the target into entering their credentials on a fake landing page. APT42’s phishing kits are particularly dangerous, as they are sophisticated enough to bypass multi-factor authentication.
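One defensive check that follows from the paragraph above is to compare the domains found in inbound mail or proxy logs against the domains an organization actually owns and flag close lookalikes. The example below is added here and is not part of the advisory or of any vendor tooling; the protected brand list, homoglyph table, and sample URLs are constructed, and registrable-domain extraction is deliberately simplified (last two labels, no public-suffix list).

```python
"""Flag lookalike (typosquatted) domains in URLs pulled from mail or proxy logs."""
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed list of domains the organization owns and wants to protect.
PROTECTED = ["example-bank.com", "contoso.com"]

# Digit-for-letter substitutions commonly used in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Simplified registrable domain: the last two labels of the host (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str, protected=PROTECTED, max_dist: int = 2) -> Tuple[str, Optional[str]]:
    """Return ("legit" | "lookalike" | "unrelated", matched brand or None)."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    # Exact ownership: the registrable domain is one of ours (subdomains included).
    for brand in protected:
        if reg == brand:
            return "legit", brand
    for brand in protected:
        brand_label = brand.split(".")[0]
        # 1) Near-identical registrable domain once digit homoglyphs are folded back.
        if edit_distance(reg.translate(HOMOGLYPHS), brand) <= max_dist:
            return "lookalike", brand
        # 2) Our brand name reused as a label or fragment under someone else's domain.
        if brand_label in host:
            return "lookalike", brand
    return "unrelated", None
```

Hits in the "lookalike" class are candidates for blocking at the mail gateway or proxy and for review by the SOC, not an automatic verdict.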

Vigilance and robust cybersecurity measures are essential to protect sensitive information and maintain the security of critical assets.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Avoid clicking on or opening untrusted or unknown links, files, or attachments.
  • Enable software restriction policies and application whitelisting.
  • Ensure that your email server is configured to block any suspicious files.
  • Enforce the restricted PowerShell script execution policy for end users.
  • Monitor your network for abnormal behaviors and IoCs.
  • Ensure frequent backups are in place.
  • Educate employees about detecting and reporting phishing and suspicious emails.

F5 Releases Security Update for BIG-IP HSB DoS Vulnerability (CVE-2024-39778)

F5 has released a security update to address a high-severity vulnerability in BIG-IP, affecting versions 17.1.0, 16.1.0 – 16.1.4, and 15.1.0 – 15.1.10. This vulnerability, identified as CVE-2024-39778, has been assigned a CVSSv4 score of 8.7 and a CVSSv3 score of 7.5.

The issue arises when a stateless virtual server is configured on a BIG-IP system with a High-Speed Bridge (HSB). Under certain conditions, undisclosed requests can cause the virtual servers to stop processing client connections, leading to the termination of the Traffic Management Microkernel (TMM). This results in traffic disruption as the system automatically reboots. This vulnerability allows a remote, unauthenticated attacker to trigger a denial-of-service (DoS) attack on the BIG-IP system.

For systems using vCMP guests, an automatic reboot may not fully resolve the issue and could potentially disrupt traffic until a manual reboot of the vCMP host is performed. On systems not configured with vCMP, the automatic reboot effectively resolves the issue.

F5 has provided fixes for this vulnerability in BIG-IP versions 17.1.1 and 16.1.5.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

Palo Alto Networks Addresses Command Injection Vulnerability in Cortex XSOAR (CVE-2024-5914)

Palo Alto Networks has released a security update to address a high-severity vulnerability in Cortex XSOAR versions prior to 1.12.33. Identified as CVE-2024-5914, this command injection issue in the Cortex XSOAR CommonScripts Pack carries a CVSSv4.0 score of 7.0. It could allow an unauthenticated attacker to execute arbitrary commands within the context of an integration container. The vulnerability is exposed when an integration utilizes the ScheduleGenericPolling or GenericPollingScheduledTask scripts from the CommonScripts pack.

As of now, Palo Alto Networks has stated that there is no evidence of malicious exploitation of this vulnerability.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.
  • Remove any usage of the ScheduleGenericPolling or GenericPollingScheduledTask scripts from the CommonScripts pack.

Server Killers Execute DDoS Attack Targeting UAE Entities

Recent intelligence reports have identified that the hacktivist group known as “Server Killers” has successfully executed a Distributed Denial of Service (DDoS) attack against multiple UAE-based entities. This attack, which lasted for 5 hours, marks the first known instance of “Server Killers” targeting entities within the UAE.

Threat Actor Profile

  • Name: Server Killers
  • Active Since: August 2023
  • Target Regions: Multiple regions, with a primary focus on entities outside the UAE until this recent event
  • Tactics: DDoS attacks, primarily focused on causing disruption to services

The recent attack demonstrates the capability and intent of “Server Killers” to disrupt critical services within the UAE. This successful execution underscores the importance of enhancing security measures to defend against potential future activities.

RECOMMENDATIONS

  • Ensure sufficient bandwidth in your organization and ensure redundancy by spreading traffic using load balancers.
  • Configure your network hardware to protect against DDoS attacks by filtering unwanted ports and protocols.
  • Deploy DDoS protection solutions to safeguard your servers from both network and application layer DDoS attacks.
  • Ensure all systems are patched and updated.
  • Ensure constant monitoring of all web-based activities for unusual or suspicious behaviour.
  • Regularly review logs for any signs of attempted or successful exploitation.

Microsoft Releases Patch Updates for August 2024

Microsoft has released updates addressing 99 CVEs affecting Windows and its components, Office and its components, .NET and Visual Studio, Azure, Co-Pilot, Microsoft Dynamics, Teams, and Secure Boot. Including third-party bugs, the total CVE count rises to 102.

Among the patches released this month, eleven are rated as critical, seven as high, eighty-one as important, and three as moderate in severity. Four of these CVEs are listed as publicly known, while six are under active attack.

  • CVE-2024-38178 – Scripting Engine Memory Corruption Vulnerability: This vulnerability requires the target to be using Edge in Internet Explorer mode. Once Edge is in IE mode, it only takes a user clicking a link to trigger code execution.
  • CVE-2024-38193 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability: This privilege escalation vulnerability allows attackers to execute code with SYSTEM privileges. Such vulnerabilities are often combined with code execution bugs to take full control of a target. Microsoft has not provided specific details on the extent of exploitation, but given the nature of the vulnerability, if it is not already being used in ransomware attacks, it is likely to be soon.
  • CVE-2024-38106 – Windows Kernel Elevation of Privilege Vulnerability: This is another privilege escalation vulnerability under active attack that grants SYSTEM privileges. Microsoft categorizes the exploit complexity as high because the attacker needs to exploit a race condition. However, some race conditions are easier to exploit than others.
  • CVE-2024-38107 – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability: A privilege escalation vulnerability that leads to SYSTEM privileges is currently being exploited in the wild. The Power Dependency Coordinator (PDC), a component of Modern Standby introduced in Windows 8, was designed to allow devices to “instantly” wake from sleep. This example demonstrates how adding capabilities can often increase the attack surface.
  • CVE-2024-38189 – Microsoft Project Remote Code Execution Vulnerability: Exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the “Block macros from running in Office files from the Internet” policy is disabled, and VBA Macro Notification Settings are not enabled. This configuration allows the attacker to perform remote code execution.

RECOMMENDATIONS

  • Ensure all systems are patched and updated.

