Threat advisories

Top Middle East Cyber Threats – July 23rd, 2024

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats. 

In this blog post, we share the top cybersecurity threats our MSS team has recently come across. Read on to learn what you need to look out for in the weeks ahead.

Threat Actors Exploit CrowdStrike Falcon Sensor Issue  

Threat actors have seized on the recent faulty content update for the CrowdStrike Falcon sensor, and multiple malicious campaigns using the event as a lure theme have been detected. Observed activities include:

  • Phishing Emails: Threat actors are sending phishing emails to customers while posing as CrowdStrike support. These emails may contain malicious links or attachments aimed at harvesting credentials or delivering malware.
  • Impersonation in Phone Calls: Threat actors are impersonating CrowdStrike staff in phone calls to gain access to sensitive information or deceive customers into taking harmful actions. 
  • False Claims by Independent Researchers: Some individuals are posing as independent researchers, claiming to have evidence linking the technical issue to a cyberattack. They are offering remediation insights, which are likely false and could lead to further compromise. 
  • Selling Malicious Scripts: Scripts that claim to automate recovery from the content update issue are being sold. These scripts may contain malicious code intended to compromise systems further.

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Ensure all communications claiming to be from CrowdStrike are verified through official channels. Do not click on links or open attachments from unsolicited emails. 
  • Educate employees about the current threat landscape, emphasizing the tactics used by threat actors in this campaign. 
  • Implement monitoring and blocking of identified malicious domains at the network perimeter. 
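The recommendations above ask for verification of anything claiming to come from CrowdStrike and for blocking of lookalike domains at the perimeter. The following is an added example (not code from the original post or from Help AG or CrowdStrike) of the kind of mail-gateway triage a SOC can run over sender logs: it keeps an allowlist of official domains (here only crowdstrike.com, an assumption for the example), normalises common homoglyph substitutions, and flags sender domains that are within one edit of the brand or that carry the brand as a label, plus messages from unrelated domains whose subject uses the lure themes from this campaign. The log format, the lookalike domains and all log lines are constructed for the example and use reserved `.example` names.

```python
import re

# Domains treated as legitimate (assumption for this example; a real deployment
# would load the vendor's published sender domains).
OFFICIAL_DOMAINS = {"crowdstrike.com"}
# Lure themes seen in this campaign, matched case-insensitively against the subject.
LURE_KEYWORDS = ("crowdstrike", "falcon", "recovery script", "remediation")
# Common visual substitutions attackers use when registering lookalike domains.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed gateway log format: "<timestamp> from=<addr> subject=\"...\""
LOG_LINE = re.compile(r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> subject="(?P<subject>[^"]*)"$')


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize(label: str) -> str:
    """Fold homoglyph substitutions so 'cr0wdstrike' compares as 'crowdstrike'."""
    for src, dst in _HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def classify_domain(domain: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL_DOMAINS or any(domain.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    labels = domain.split(".")
    # Compare every label and every hyphen-separated token against the brand label.
    tokens = {t for lbl in labels for t in [lbl, *lbl.split("-")]}
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        if brand in _normalize(domain.replace(".", "")):
            return "lookalike"          # brand embedded anywhere, e.g. crowdstrikesupport.example
        for tok in tokens:
            if _levenshtein(_normalize(tok), brand) <= 1:
                return "lookalike"      # one substitution/insertion away from the brand
    return "unrelated"


def scan_log(lines):
    """Triage gateway log lines; returns alerts with a verdict for each flagged message."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                    # tolerate lines in another format
        sender = m["sender"]
        verdict = classify_domain(sender.rsplit("@", 1)[-1])
        subject_lure = any(k in m["subject"].lower() for k in LURE_KEYWORDS)
        if verdict == "lookalike":
            alerts.append({"sender": sender, "verdict": "lookalike", "subject": m["subject"]})
        elif verdict == "unrelated" and subject_lure:
            # Lower-confidence signal: a third party talking about the outage.
            alerts.append({"sender": sender, "verdict": "subject-lure", "subject": m["subject"]})
    return alerts


# Constructed sample log lines for the example (not real observations).
SAMPLE_LOG = [
    '2024-07-22T09:14:02Z from=<support@crowdstrike.com> subject="Falcon sensor content update guidance"',
    '2024-07-22T09:20:45Z from=<helpdesk@crowdstrlke-support.example> subject="URGENT: Falcon recovery script attached"',
    '2024-07-22T09:31:10Z from=<noreply@cr0wdstrike.example> subject="Your BSOD fix is ready"',
    '2024-07-22T09:40:00Z from=<research@independent-labs.example> subject="Evidence: CrowdStrike outage was a cyberattack"',
    '2024-07-22T10:02:33Z from=<billing@supplier.example> subject="Invoice 4471"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["verdict"]:12} {alert["sender"]:45} {alert["subject"]}')
```

The "lookalike" verdict is the one worth feeding into a perimeter block list after analyst review; "subject-lure" is a weaker signal and is better routed to a user-awareness queue, since a legitimate partner may also write about the outage.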

SolarWinds Patches 11 Critical Flaws in Access Rights Manager Software 

SolarWinds has addressed a set of critical security flaws impacting its Access Rights Manager (ARM) software that could be exploited to access sensitive information or execute arbitrary code. 

Of the 11 vulnerabilities, seven are rated critical in severity and carry a CVSS score of 9.6 out of 10.0. The remaining four weaknesses have been rated high in severity, each with a CVSS score of 7.6. 

The most severe of the flaws are listed below: 

  • CVE-2024-23472 – SolarWinds ARM Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability 
  • CVE-2024-28074 – SolarWinds ARM Internal Deserialization Remote Code Execution Vulnerability 
  • CVE-2024-23469 – SolarWinds ARM Exposed Dangerous Method Remote Code Execution Vulnerability 
  • CVE-2024-23475 – SolarWinds ARM Traversal and Information Disclosure Vulnerability 
  • CVE-2024-23467 – SolarWinds ARM Traversal Remote Code Execution Vulnerability 
  • CVE-2024-23466 – SolarWinds ARM Directory Traversal Remote Code Execution Vulnerability 
  • CVE-2024-23471 – SolarWinds ARM CreateFile Directory Traversal Remote Code Execution Vulnerability

Successful exploitation of these vulnerabilities could allow an attacker to read and delete files and execute code with elevated privileges. 

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

CrowdStrike Software Update Causes Global Disruptions and Widespread System Crashes 

Recently, CrowdStrike faced a significant incident due to a faulty software update released on July 19, 2024. The update caused widespread disruption, including system crashes on Windows devices. The issue primarily affected systems with BitLocker encryption enabled, which complicated recovery because it often required a recovery key stored on a server that might itself have been impacted by the crash. The problem was linked to a logic error in the Windows sensor client related to named pipes screening in the configuration file.

The outage had a global impact, affecting sectors such as airlines, banks, and media outlets and causing significant operational disruption. CrowdStrike has been working with affected clients to resolve the issue, but the recovery process is expected to take several days because each affected machine requires manual intervention.

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 
  • Test all updates rigorously in a sandbox before production deployment to prevent similar issues.
  • Implement redundant systems and backups to avoid single points of failure. Diversify software and hardware suppliers to reduce dependency on a single vendor. 
  • Maintain verified backups of all critical systems and data, stored in multiple locations, including offsite or cloud storage. 
  • Implement continuous monitoring and automated testing, including regular vulnerability scans and penetration testing, to identify and mitigate potential issues proactively. 

Cisco Addresses Identity Services Engine Arbitrary File Upload Vulnerability

Cisco has released a security update to address a high-severity vulnerability (CVE-2024-20296) in Identity Services Engine (ISE) that could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit this vulnerability, an attacker would need at least valid Policy Admin credentials on the affected device. 

This vulnerability is due to improper validation of files uploaded to the web-based management interface. An attacker could exploit it by uploading arbitrary files to an affected device. A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root.
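Both the SolarWinds ARM directory-traversal CVEs listed earlier and the Cisco ISE issue here come down to trusting what a client sends about a file: its name, its path and its content. The following is an added example (not code from Cisco, SolarWinds or this post) contrasting the "improper validation" pattern with a hardened upload handler. The size cap, the extension allowlist and the magic-byte table are an assumed policy for the example; `validate_upload`, `save_upload_safe` and `demo` are names chosen here, and `demo` exercises both variants inside a scratch directory with constructed payloads.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path

# Assumed policy for this example: size cap, allowed extensions, and the leading
# bytes each allowed type must start with.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}
# Plain names only: no leading dot, no separators, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def save_upload_unsafe(upload_dir: str, filename: str, data: bytes) -> Path:
    """The vulnerable pattern: the client-supplied name is joined straight onto
    the upload directory and the content is never inspected, so a name such as
    '../x' lands outside upload_dir and any bytes are accepted."""
    path = Path(upload_dir) / filename
    path.write_bytes(data)
    return path


def validate_upload(filename: str, data: bytes) -> str:
    """Return the allowed extension for this upload, or raise UploadRejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("payload exceeds size limit")
    # Reject separators and special names outright rather than "cleaning" them.
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise UploadRejected("path components are not allowed in a file name")
    if not SAFE_NAME.fullmatch(filename):
        raise UploadRejected("file name contains disallowed characters")
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    # Check the content, not just the name: a script renamed to .png fails here.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    return ext


def save_upload_safe(upload_dir: str, filename: str, data: bytes) -> Path:
    """Hardened handler: validated type, server-chosen name, containment check,
    and an exclusive create so a pre-planted file or symlink is not followed."""
    base = Path(upload_dir).resolve()
    ext = validate_upload(filename, data)
    dest = base / (secrets.token_hex(16) + ext)   # client name never reaches disk
    if dest.resolve().parent != base:             # defence in depth
        raise UploadRejected("destination escapes upload directory")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run both variants against constructed inputs inside a scratch directory."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    uploads.mkdir()
    png = ALLOWED_TYPES[".png"] + b"\x00" * 16    # constructed minimal PNG-like payload
    results = {}
    save_upload_unsafe(str(uploads), "../escaped.txt", b"x")
    results["unsafe_escaped_dir"] = (root / "escaped.txt").exists()
    stored = save_upload_safe(str(uploads), "report.png", png)
    results["safe_stored_inside"] = stored.parent == uploads.resolve() and stored.read_bytes() == png
    rejected = []
    for name, payload in [("../escaped.png", png), ("script.php", b"text"),
                          ("fake.png", b"not a png"), (".htaccess", b"x")]:
        try:
            save_upload_safe(str(uploads), name, payload)
        except UploadRejected:
            rejected.append(name)
    results["rejected"] = rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The two details that matter most for the CVEs discussed on this page are that the hardened version never lets the client choose the on-disk path, and that it decides the file type from content plus an allowlist rather than from the name alone; the `O_EXCL` create and the post-construction containment check are cheap additional guards.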

RECOMMENDATIONS 

  • Ensure all systems are patched and updated.  

Oracle July Patch Update Fixes Multiple Vulnerabilities 

Oracle has published a security update to address multiple vulnerabilities as part of its Critical Patch Update for July 2024. 

The update includes 386 security patches across multiple product families. Of these, 25 patches are classified as critical, 175 as high, 177 as medium, and 9 as low in severity. Several of the vulnerabilities can be exploited remotely without authentication; a remote attacker exploiting them could perform unauthorized operations or the unauthorized deletion or falsification of sensitive information.

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

Google Chrome Security Update Addresses Critical Vulnerabilities 

Google has published a security update to address multiple vulnerabilities in the Chrome browser. These vulnerabilities are now fixed in the latest Chrome version (126.0.6478.182/183 for Windows and Mac, and 126.0.6478.182 for Linux). 

The update includes ten security fixes, eight of which address vulnerabilities reported by external researchers. All reported vulnerabilities are rated high in severity, and none have been found to be exploited in the wild.

RECOMMENDATIONS 

  • Ensure all systems are patched and updated. 

References

  • https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-file-upload-krW2TxA9
  • https://www.oracle.com/security-alerts/cpujul2024.html
  • https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop.html
