Threat advisories

Top Middle East Cyber Threats – September 03rd, 2024  

Sep-2024 4 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.  

Threat Actors Target UAE Using Fake Palo Alto Networks GlobalProtect Tool

A new, sophisticated malware campaign has been identified targeting users in the United Arab Emirates. The malware is disguised as the legitimate Palo Alto Networks GlobalProtect VPN tool, using a two-stage infection process and advanced Command-and-Control (C&C) infrastructure.

The malware is distributed via a setup.exe file, deceiving victims into believing they are installing a legitimate GlobalProtect agent. The actual malicious payload, GlobalProtect.exe, is deployed along with configuration files.

The malware utilizes a newly registered URL, “sharjahconnect,” designed to resemble a legitimate VPN portal. The malware can execute remote PowerShell commands, download and exfiltrate files, and encrypt communications. It also employs advanced evasion techniques to bypass sandbox environments and behavior analysis.

This malware campaign demonstrates a high level of sophistication and a clear focus on targeting organizations in the UAE.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Avoid clicking on or opening untrusted or unknown links, files, or attachments.

Enable software restriction policies and application whitelisting.

Ensure that your email server is configured to block any suspicious files.

Enforce the restricted PowerShell script execution policy for end users.

Monitor your network for abnormal behaviors and IoCs.

Ensure frequent backups are in place.

Educate employees about detecting and reporting phishing and suspicious emails.

Black Maskers Hacktivist Group Resurfaces with New Threats

The Black Maskers hacktivist group, previously involved in Distributed Denial of Service (DDoS) attacks and data exposures targeting UAE-based entities, has resurfaced with new threats and data leaks. The group has released a statement indicating an impending cyberattack targeting the region.

The Black Maskers have published a series of Telegram posts warning of severe consequences, including further data breaches and cyber attacks. The posts suggest an imminent threat to the UAE’s cybersecurity.

The group has leaked several datasets containing sensitive personal and organizational information related to various UAE-based entities. This information includes, but is not limited to, personal identifiers, contact details, and organizational data.

The exposed data spans various sectors, including education, government, and private enterprises

The exposure of sensitive personal data poses significant risks, including identity theft, financial fraud, and reputational damage. The threat of further cyber attacks could lead to disruptions in critical services, financial loss, and erosion of public trust in government institutions.

RECOMMENDATIONS

Ensure sufficient bandwidth in your organization and ensure redundancy by spreading traffic using load balancers.

Configure your network hardware against DDoS attacks by filtering unwanted ports and protocols.

Deploy a DDoS protection solution to protect your servers from both network and application layer DDoS attacks.

Ensure all systems are patched and updated.

Ensure constant monitoring of all web-based activities for unusual or suspicious behaviour.

Regularly review logs for any signs of attempted or successful exploitation.

Conduct a thorough audit of all potentially compromised systems to identify vulnerabilities and secure any exposed data.

Enhance encryption and access controls to mitigate the risk of further data exposures.

Peach Sandstorm Deploys New Custom Tickler Malware

Threat actor Peach Sandstorm (also known as APT33) has deployed a new custom multi-stage backdoor named Tickler. This malware has been used in targeted attacks against sectors such as satellite communications, oil and gas, as well as federal and state governments in the United States and the United Arab Emirates. These actions align with the threat actor’s long-term intelligence-gathering objectives and mark a significant evolution in their cyber operations.

Peach Sandstorm has continued to conduct password spray attacks across multiple sectors, with a particular focus on the educational sector for infrastructure procurement, and on the satellite, government, and defense sectors for intelligence collection. In these cases, the threat actor accessed existing Azure subscriptions or created new ones using the compromised accounts to host their infrastructure. Additionally, the group has engaged in intelligence gathering and potential social engineering via LinkedIn, targeting organizations in the higher education, satellite, and defense sectors.

RECOMMENDATIONS