Top Middle East Cyber Threats – February 25th, 2025   

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

DeceptiveDevelopment Exploits Recruitment to Target Developers 

Researchers have identified an ongoing cyber-espionage campaign, DeceptiveDevelopment, targeting freelance software developers worldwide. The attackers pose as legitimate recruiters, distributing trojanized coding tests embedded with BeaverTail and InvisibleFerret malware. These strains are designed to steal cryptocurrency wallets, login credentials, and sensitive data, posing a significant risk to developers and the organizations that rely on them.

This campaign underscores the growing trend of cybercriminals exploiting job recruitment processes to target skilled professionals. Given that software developers handle sensitive codebases and credentials, such compromises could extend beyond personal losses, threatening corporate networks, customer data, and financial assets. 

RECOMMENDATIONS  

  • Confirm the legitimacy of recruiters and their associated companies before engaging in job-related communications. 
  • Run unfamiliar code or projects in secure, isolated environments, such as virtual machines, to prevent system compromise. 
  • Ensure antivirus and anti-malware solutions are up to date to detect and block known threats. 
  • Maintain secure backups of critical data to enable recovery in case of an incident. 
  • Stay alert for unexpected system behaviours, such as unauthorized access attempts or unfamiliar processes. 

Ghost Actors Hijack Outdated Systems to Launch Global Cyber Attacks 

Ghost actors have been targeting victims running outdated software and firmware on internet-facing services. This indiscriminate exploitation of vulnerabilities has led to the compromise of organizations in over 70 countries. Ghost actors conduct these widespread attacks primarily for financial gain. Victims include critical infrastructure, educational institutions, healthcare providers, government networks, religious organizations, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors frequently rotate their ransomware payloads, change file extensions for encrypted files, modify ransom note text, and use multiple ransom email addresses, making attribution challenging over time. They have been linked to several aliases, including Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Identified ransomware samples used in their attacks include Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. 

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet-facing servers. They target networks with unpatched, well-known vulnerabilities, taking advantage of organizations that have not applied available security updates. 

RECOMMENDATIONS  

  • Maintain offline or segmented backups to ensure recovery without paying ransom. 
  • Apply security updates promptly to patch known software and firmware vulnerabilities. 
  • Segment networks to restrict lateral movement from infected devices. 
  • Enforce phishing-resistant MFA for all privileged accounts and email services. 
  • Train employees to recognize and report phishing attempts. 
  • Monitor and restrict unauthorized PowerShell usage to prevent abuse. 
  • Apply the principle of least privilege for PowerShell access. 
  • Implement allowlisting for applications, scripts, and network traffic. 
  • Identify and investigate abnormal network activity to detect ransomware indicators. 
  • Monitor for unusual administrative commands, scripts, and execution patterns. 
  • Disable unused ports to reduce exposure. 
  • Secure remote access using properly configured VPNs and firewalls. 
  • Enhance email security with advanced filtering and blocking of malicious attachments. 
  • Enable DMARC, DKIM, and SPF to prevent email spoofing attacks. 

Google Releases Update to Address Multiple Vulnerabilities in Chrome 

Google has released a security update to address multiple vulnerabilities in the Chrome browser, now fixed in the latest version (133.0.6943.126/.127 for Windows and Mac, and 133.0.6943.126 for Linux). 

The update includes three security fixes reported by external researchers. Of these, two are classified as High severity and one as Medium severity.

RECOMMENDATIONS  

  • Ensure all systems are patched and updated.  

SolarWinds Releases Update, Fixing Critical Vulnerabilities 

SolarWinds has released a security update to address multiple vulnerabilities affecting SolarWinds Platform, Kiwi NG, and SolarWinds Web Help Desk. 

The update includes five security fixes, categorized as one high, two medium, and two low-severity CVEs. The high-severity vulnerability, tracked as CVE-2024-52612, affects SolarWinds Platform versions 2024.2.1 and earlier. This vulnerability is a reflected cross-site scripting (XSS) issue caused by insufficient input sanitization. Exploitation requires authentication by a high-privileged account. 

RECOMMENDATIONS  

  • Ensure all systems are patched and updated.  
