Top Middle East Cyber Threats – February 11th, 2025   


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.   

Cisco Releases Patches to Address Critical ISE Vulnerabilities 

Cisco has released patches to fix two critical vulnerabilities in its Identity Services Engine (ISE) security policy management platform. 

The security flaws, CVE-2025-20124 and CVE-2025-20125, can be exploited by authenticated remote attackers with read-only administrative privileges to execute arbitrary commands as root and bypass authorization on unpatched devices. Both vulnerabilities affect Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC) appliances, regardless of device configuration.

  • CVE-2025-20124 arises from insecure deserialization of user-supplied Java byte streams. Attackers can exploit this vulnerability by sending a crafted serialized Java object to an affected API, potentially allowing them to execute arbitrary commands and escalate privileges. 
  • CVE-2025-20125 is caused by insufficient authorization in a specific API and improper validation of user-supplied data. Attackers can exploit it using maliciously crafted HTTP requests to obtain sensitive information, modify the system’s configuration, and reload the device. 

Cisco has released software updates that address both vulnerabilities.

RECOMMENDATIONS  

  • Ensure all systems are patched and updated.  

F5 Releases Update to Address High-Severity BIG-IP Vulnerability 

F5 has released a security update to fix a high-severity vulnerability in BIG-IP. The issue arises when SNMP v1 or v2c is disabled on a BIG-IP system, allowing unspecified requests to cause increased memory usage. 

As a result, system performance may degrade until the snmpd process is either automatically or manually restarted. This vulnerability enables a remote, unauthenticated attacker to degrade service, potentially leading to a denial-of-service (DoS) attack on the BIG-IP system. It is a control plane issue that may also impact data plane traffic handling. 

The affected BIG-IP versions include: 

  • 17.x: Vulnerable versions range from 17.1.0 to 17.1.1, with the fix available in version 17.1.2. 
  • 16.x: Vulnerable versions range from 16.1.0 to 16.1.5, fixed via Hotfix-BIGIP-16.1.5.2.0.7.5-ENG.iso. 
  • 15.x: Vulnerable versions range from 15.1.0 to 15.1.10, fixed via Hotfix-BIGIP-15.1.10.6.0.11.6-ENG.iso. 
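To turn the affected-version list above into an inventory check, the following added example (not from F5 or the original advisory) parses BIG-IP version strings and classifies each host as vulnerable, fixed, or not covered by the advisory. It assumes that the hotfix file names encode the fixed point releases (16.1.5.2 and 15.1.10.6), and the host inventory is constructed sample data.

```python
"""Triage BIG-IP versions against the ranges listed in the advisory summary."""
from __future__ import annotations
import re

# (first vulnerable, first fixed) per major.minor branch, from the advisory summary.
# The 16.x and 15.x fixed releases are assumed from the hotfix ISO names
# (Hotfix-BIGIP-16.1.5.2.* and Hotfix-BIGIP-15.1.10.6.*).
AFFECTED_RANGES = [
    ((17, 1, 0), (17, 1, 2)),
    ((16, 1, 0), (16, 1, 5, 2)),
    ((15, 1, 0), (15, 1, 10, 6)),
]

# Constructed sample inventory (hostname -> version as reported by the device).
SAMPLE_INVENTORY = {
    "ltm-dc1-01": "BIG-IP 17.1.1 Build 0.0.2",
    "ltm-dc1-02": "17.1.2",
    "ltm-dc2-01": "16.1.5",
    "ltm-dc2-02": "16.1.5.2",        # engineering hotfix applied
    "ltm-lab-01": "15.1.10.6",
    "ltm-lab-02": "15.1.9",
    "gtm-edge-01": "17.5.0",         # branch not mentioned by the advisory
}


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first dotted version number in text as a tuple of ints."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def triage(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one BIG-IP version string."""
    v = parse_version(version)
    for first_vuln, first_fixed in AFFECTED_RANGES:
        if v[:2] != first_vuln[:2]:
            continue  # different major.minor branch; this range says nothing about it
        if v >= first_fixed:
            return "fixed"  # tuple comparison handles point releases such as 16.1.5.2
        if v >= first_vuln:
            return "vulnerable"  # includes point releases below the hotfix, e.g. 16.1.5.1
    # Not covered by the advisory ranges: verify against the vendor article, do not assume safe.
    return "unlisted"


def hosts_needing_patch(inventory: dict[str, str]) -> list[str]:
    """Sorted hostnames whose reported version falls inside a vulnerable range."""
    return sorted(host for host, ver in inventory.items() if triage(ver) == "vulnerable")
```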

RECOMMENDATIONS  

  • Ensure all systems are patched and updated.  

Cisco Addresses SNMP Vulnerabilities in IOS, IOS XE, and IOS XR Software 

Cisco has published a security update to address multiple vulnerabilities in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. These vulnerabilities could allow an authenticated, remote attacker to cause a denial-of-service (DoS) condition on an affected device. 

Devices are impacted if they are running a vulnerable release of Cisco IOS, IOS XE, or IOS XR Software with the SNMP feature enabled. The vulnerabilities affect all SNMP versions (1, 2c, and 3). 

Cisco has released software updates to address these issues. Currently, no workarounds are available. 

RECOMMENDATIONS  

  • Ensure all systems are patched and updated.  

Google Releases Update to Address Multiple Security Issues in Chrome 

Google has published a security update to address multiple security issues in the Chrome browser, which are now fixed in the latest version (133.0.6943.53 for Linux, and 133.0.6943.53/54 for Windows and Mac). 

The update includes 12 security fixes, 3 of which were reported by external researchers. Of the 3 contributed CVEs, 2 are classified as high severity and 1 as medium severity. At the time of the advisory release, none of these vulnerabilities were known to be exploited in the wild. 

RECOMMENDATIONS  

  • Ensure all systems are patched and updated.  

Google Shares Insights on APT41’s Use of POISONPLUG.SHADOW  

Since 2022, the Google Threat Intelligence Group (GTIG) has been tracking cyber espionage operations linked to China-nexus actors utilizing POISONPLUG.SHADOW, a sophisticated modular backdoor associated with APT41. These operations leverage ScatterBrain, a custom obfuscating compiler designed to evade detection and analysis. The threat primarily targets entities across Europe, the Middle East, and the Asia-Pacific (APAC) region. 

Research confirms that POISONPLUG is deployed by multiple related PRC-based threat groups, with POISONPLUG.SHADOW usage being more exclusive to APT41 clusters. This malware, also known as ShadowPad, integrates advanced obfuscation mechanisms, making it highly resistant to conventional detection and analysis techniques. 

The POISONPLUG.SHADOW backdoor and its ScatterBrain obfuscator represent a significant advancement in the cyber espionage tactics employed by APT41.  

RECOMMENDATIONS  

  • Ensure all systems are patched and updated. 
  • Avoid clicking on or opening untrusted or unknown links, files, or attachments. 
  • Organizations must enhance threat detection, behavioral analysis, and incident response capabilities to counteract these evolving threats. 
  • Do not allow macros in untrusted or unknown Microsoft Office files. 
  • Enable software restriction policies and application whitelisting. 
  • Ensure that the email server is configured to block suspicious attachments. 
  • Enforce the Restricted PowerShell script execution policy for end users. 
  • Monitor your network for abnormal behaviours and IoCs. 
  • Ensure frequent backups are in place. 
  • Educate employees about detecting and reporting phishing / suspicious emails. 


References 

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF 

https://my.f5.com/manage/s/article/K000140933 

https://sec.cloudapps.cisco.com.mcas.ms/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-dos-sdxnSUcW 

https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop.html 

https://cloud.google.com.mcas.ms/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator/ 
