Top Middle East Cyber Threats – January 14, 2025 

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.   

EAGERBEE Backdoor Deployed Against Middle East ISPs and Government Entities 

The EAGERBEE backdoor has been deployed against internet service providers and governmental entities in the Middle East. The operators gained initial access by exploiting vulnerabilities such as ProxyLogon (CVE-2021-26855), the Microsoft Exchange Server flaw patched in March 2021. The backdoor itself was launched by injecting into a legitimate Windows service, and the operators relied on built-in Windows tools such as attrib.exe and net.exe for persistence, lateral movement and data exfiltration. 

EAGERBEE's modular plugins provide file manipulation, process and service management, and remote access. Its command-and-control (C2) settings are held in an encrypted configuration, which can route traffic through proxies; observed C2 addresses include 185.82.217[.]164 and 45.90.58[.]103. Notably, the backdoor shows significant overlaps with the CoughingDown malware framework. 

This campaign combines exploitation of unpatched internet-facing servers, abuse of legitimate system services and living-off-the-land binaries, and a mature modular malware framework. Organisations are advised to hunt for hidden files dropped by the backdoor, for lateral movement over network shares, and for C2 traffic to the addresses above. That ProxyLogon is still being exploited nearly four years after its patch was released underlines how critical timely patch management remains for internet-facing infrastructure. 
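As an added illustration (this is not code from the advisory or from any vendor's research), the Python script below turns the monitoring advice above into a concrete hunt: it refangs the two published C2 addresses, scans firewall records for connections to them, and flags process-creation events in which attrib.exe sets hidden or system attributes or net.exe maps an administrative share, the two living-off-the-land behaviours named above. The log lines, process events, file and share names, field names (src, dst, dport) and hosts are all constructed for the example.

```python
"""Hunt for EAGERBEE indicators in firewall and process-creation logs (added example)."""
import re
from dataclasses import dataclass

# C2 addresses as published in the advisory, defanged with "[.]".
EAGERBEE_C2_DEFANGED = ("185.82.217[.]164", "45.90.58[.]103")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into its matchable form."""
    return ioc.replace("[.]", ".")


C2_IPS = frozenset(refang(ip) for ip in EAGERBEE_C2_DEFANGED)

# Constructed firewall records in a key=value style; hosts and times are invented.
SAMPLE_FIREWALL_LOG = """\
2025-01-10T08:12:41Z fw01 src=10.0.5.21 dst=142.250.74.46 dport=443 proto=tcp action=allow
2025-01-10T08:13:02Z fw01 src=10.0.5.21 dst=185.82.217.164 dport=443 proto=tcp action=allow
2025-01-10T08:13:05Z fw01 src=10.0.7.9 dst=45.90.58.103 dport=8080 proto=tcp action=allow
2025-01-10T08:14:10Z fw01 src=10.0.5.21 dst=10.0.9.1 dport=445 proto=tcp action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def c2_connections(log_text: str, c2_ips=C2_IPS) -> list[dict]:
    """Return the parsed firewall records whose destination is a known C2 address."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("dst") in c2_ips:
            fields["timestamp"] = line.split()[0]
            hits.append(fields)
    return hits


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 would give you)."""
    image: str
    command_line: str
    parent_image: str


# Constructed events; the file and share names are invented, not real EAGERBEE artefacts.
SAMPLE_PROCESS_EVENTS = [
    ProcEvent(r"C:\Windows\System32\attrib.exe",
              r'attrib +h +s "C:\ProgramData\update.dat"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\net.exe",
              r"net use \\10.0.9.1\C$ /user:CORP\svc_backup Passw0rd!",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\attrib.exe",
              r"attrib -r C:\Users\alice\report.docx",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\net.exe", "net user",
              r"C:\Windows\System32\cmd.exe"),
]

# attrib.exe adding the hidden (+h) or system (+s) attribute.
HIDE_FLAGS_RE = re.compile(r"\+[hs]\b", re.IGNORECASE)
# net use against an administrative share: \\host\C$, \\host\ADMIN$, \\host\IPC$.
ADMIN_SHARE_RE = re.compile(r"\\\\[\w.-]+\\(?:[a-z]\$|admin\$|ipc\$)", re.IGNORECASE)


def suspicious_process_events(events) -> list[tuple[ProcEvent, str]]:
    """Flag attrib.exe hiding files and net.exe mapping admin shares, with a reason."""
    flagged = []
    for ev in events:
        exe = ev.image.rsplit("\\", 1)[-1].lower()
        args = ev.command_line.lower().split()
        if exe == "attrib.exe" and HIDE_FLAGS_RE.search(ev.command_line):
            flagged.append((ev, "attrib.exe setting hidden/system attributes"))
        elif exe == "net.exe" and args[1:2] == ["use"] and ADMIN_SHARE_RE.search(ev.command_line):
            flagged.append((ev, "net.exe mapping an administrative share"))
    return flagged


if __name__ == "__main__":
    for h in c2_connections(SAMPLE_FIREWALL_LOG):
        print(f"C2 beacon {h['src']} -> {h['dst']}:{h['dport']} at {h['timestamp']}")
    for ev, why in suspicious_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"{why}: {ev.command_line}")
```

Run as-is to print the hits; in practice, feed it exported firewall records and Sysmon Event ID 1 (or Windows 4688) events, and extend the IOC set as further addresses are published. The net.exe rule will be noisy wherever administrators map shares by hand, so add parent-process and account context before turning it into an alert; a C2 match, by contrast, warrants immediate isolation of the source host.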

Recommendations 

  • Ensure all systems are patched and updated, prioritising internet-facing servers such as Exchange. 
  • Avoid clicking or opening untrusted or unknown links, files, or attachments. 
  • Enable software restriction policies and application allow-listing (for example AppLocker or Windows Defender Application Control). 
  • Configure email servers to block suspicious files. 
  • Enforce a restricted PowerShell execution policy for end users, and pair it with script block logging; execution policy is a safety feature, not a security boundary. 
  • Monitor your network for abnormal behaviours and for the IoCs listed above. 
  • Ensure frequent backups are in place. 
  • Educate employees on detecting and reporting phishing or suspicious emails. 

Xsec 404 Group Launches DDoS Attacks on UAE Organizations 

A recent wave of distributed denial-of-service (DDoS) attacks by the Xsec 404 group has targeted UAE-based organisations. The threat actor publicly claimed responsibility, sharing a check-host link (a report from a public availability-checking service) as evidence that one of the targeted entities had been taken offline. 

Xsec 404, part of a broader hacktivist network, has a track record of DDoS attacks and public website defacements. 

Recommendations 

  • Maintain sufficient bandwidth and ensure redundancy using load balancers. 
  • Configure network hardware to filter unwanted ports and protocols at the edge. 
  • Deploy DDoS protection solutions that cover both network-layer (volumetric) and application-layer (HTTP) attacks. 
  • Ensure systems are consistently patched and updated. 
  • Monitor web-facing services for unusual traffic patterns or suspicious behaviour. 
  • Regularly review logs for signs of attempted or successful exploitation, since DDoS activity can be used as cover for intrusion attempts. 

Ivanti Publishes Security Update for Critical Vulnerabilities 

Ivanti has published a security update addressing two vulnerabilities in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateways: a critical remote code execution flaw and a high-severity privilege escalation flaw. Both are stack-based buffer overflows. 

  1. CVE-2025-0282 (critical, CVSS 9.0): A stack-based buffer overflow in Ivanti Connect Secure (prior to version 22.7R2.5), Ivanti Policy Secure (prior to version 22.7R1.2), and Ivanti Neurons for ZTA Gateways (prior to version 22.7R2.3). It allows a remote, unauthenticated attacker to execute code on the appliance. 
  2. CVE-2025-0283 (high, CVSS 7.0): A stack-based buffer overflow in the same versions that allows a local, authenticated attacker to escalate privileges. 

Ivanti has confirmed that a limited number of customers' Connect Secure appliances were exploited through CVE-2025-0282 at the time of disclosure. It was not aware of exploitation of CVE-2025-0283, or of either flaw being exploited in Policy Secure or ZTA Gateways. 

Recommendations 

  • Upgrade Ivanti Connect Secure to 22.7R2.5 without delay. Ivanti scheduled the Policy Secure (22.7R1.2) and ZTA Gateways (22.7R2.3) fixes for 21 January 2025; Policy Secure in particular should not be internet-facing while it awaits the patch. 
  • Run Ivanti's Integrity Checker Tool (ICT) before and after upgrading. Treat any detection as a compromise: factory-reset the appliance and then install the patched version, rather than upgrading in place. 
  • Review appliance and VPN authentication logs for the exposure window, and rotate credentials and certificates that passed through any appliance found to be compromised. 

Google Chrome Addresses High-Severity Vulnerabilities 

Google has released a stable-channel security update for the Chrome browser: 131.0.6778.264/.265 for Windows and Mac, and 131.0.6778.264 for Linux. The release addresses multiple issues, one of which is rated high severity. 

Notable Vulnerability 

  • CVE-2025-0291: A high-severity type confusion vulnerability in the V8 JavaScript engine. Type confusion arises when the engine operates on an object as though it were of a different type than it actually is; in V8 this typically yields out-of-bounds memory access, so a crafted HTML page could potentially exploit heap corruption in the renderer process. 

Recommendations 

  • Update Chrome to 131.0.6778.264 or later and relaunch the browser, since a downloaded update is not applied until Chrome restarts. 
  • Other Chromium-based browsers that embed V8 receive the fix through their own releases; check their release notes separately. 
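Both the Ivanti and the Chrome items above reduce to the same question for an asset owner: is the installed build older than the fixed version? The Python script below, added here as an illustration and not taken from Ivanti, Google or the advisory, encodes the fixed versions quoted above, parses Ivanti's major.minorRrelease.patch scheme and Chrome's dotted scheme, and lists the assets in an inventory that still need the update. The inventory entries and host names are constructed; the fixed versions are the ones stated in this advisory.

```python
"""Triage an inventory against the fixed versions in this advisory (added example)."""
import re
from typing import Callable, NamedTuple

# Minimum safe versions as stated in the advisory.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",           # CVE-2025-0282 / CVE-2025-0283
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA Gateways": "22.7R2.3",
    "Google Chrome": "131.0.6778.264",             # CVE-2025-0291
}

IVANTI_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_ivanti(text: str) -> tuple[int, ...]:
    """Parse Ivanti's <major>.<minor>R<release>[.<patch>] scheme into a comparable tuple.

    A missing patch number (e.g. 22.7R2) is treated as patch 0, so it sorts
    below 22.7R2.1, which matches how Ivanti numbers its maintenance releases.
    """
    m = IVANTI_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def parse_dotted(text: str) -> tuple[int, ...]:
    """Parse a plain dotted version such as Chrome's 131.0.6778.264."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(p) for p in parts)


PARSERS: dict[str, Callable[[str], tuple[int, ...]]] = {
    "Ivanti Connect Secure": parse_ivanti,
    "Ivanti Policy Secure": parse_ivanti,
    "Ivanti Neurons for ZTA Gateways": parse_ivanti,
    "Google Chrome": parse_dotted,
}


def needs_patch(product: str, installed: str) -> bool:
    """True when the installed build is older than the advisory's fixed version."""
    parse = PARSERS[product]
    return parse(installed) < parse(FIXED_VERSIONS[product])


class Asset(NamedTuple):
    hostname: str
    product: str
    version: str


# Constructed inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = [
    Asset("vpn-gw-01", "Ivanti Connect Secure", "22.7R2.4"),
    Asset("vpn-gw-02", "Ivanti Connect Secure", "22.7R2.5"),
    Asset("nac-01", "Ivanti Policy Secure", "22.7R1.1"),
    Asset("zta-edge-01", "Ivanti Neurons for ZTA Gateways", "22.7R2.3"),
    Asset("wks-0417", "Google Chrome", "131.0.6778.204"),
    Asset("wks-0418", "Google Chrome", "131.0.6778.265"),
]


def unpatched_assets(inventory) -> list[Asset]:
    """Return the assets whose installed version is below the fixed version."""
    return [a for a in inventory if needs_patch(a.product, a.version)]


if __name__ == "__main__":
    for asset in unpatched_assets(SAMPLE_INVENTORY):
        print(f"{asset.hostname}: {asset.product} {asset.version} "
              f"-> upgrade to {FIXED_VERSIONS[asset.product]}")
```

A version string only tells you whether the patch is missing, not whether the device was compromised while it was exposed; for the Ivanti appliances, pair this check with the Integrity Checker Tool results. Chrome's Windows and Mac builds .264 and .265 both carry the fix, so 131.0.6778.264 serves as the minimum on every platform.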
