Top Middle East Cyber Threats – March 11th, 2025

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
SideWinder Expands Operations and Intensifies Cyber Attacks Globally
SideWinder has escalated its activities by updating its toolset and establishing an extensive infrastructure to distribute malware and maintain control over compromised systems. While its primary targets remain unchanged, there has been a significant rise in attacks on maritime infrastructure and logistics companies.
In 2024, the group launched major cyber-attacks across Africa, later shifting its focus to Asia, with a particular emphasis on North Africa. SideWinder also targeted nuclear power plants and energy sectors in South Asia, expanding its operations into new regions, especially in Africa.
The group continues to focus on government, military, and diplomatic entities. While its targeted sectors remain consistent, there has been a noticeable increase in attacks on the maritime and logistics industries, extending into Southeast Asia.
Additionally, SideWinder has been observed targeting entities linked to the nuclear energy sector. Other affected industries include telecommunications, consulting, IT services, real estate agencies, and hospitality.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor network activity for abnormal behaviors and indicators of compromise (IoCs).
- Ensure that published IoCs are promptly loaded into detection and blocking controls to strengthen security posture and mitigate potential threats.
Cisco Secure Client Windows Vulnerability: DLL Hijacking Risk
A vulnerability has been identified in the interprocess communication (IPC) channel of Cisco Secure Client for Windows, which could allow an authenticated local attacker to perform a DLL hijacking attack on an affected device if the Secure Firewall Posture Engine (formerly HostScan) is installed alongside Cisco Secure Client.
This vulnerability arises from insufficient validation of resources loaded by the application at run time. An attacker could exploit it by sending a crafted IPC message to a specific Cisco Secure Client process. A successful exploit could enable the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid user credentials on the Windows system.
This vulnerability affects Cisco Secure Client for Windows versions earlier than 5.1.8.105 when the Secure Firewall Posture Engine is installed. The issue has been resolved in version 5.1.8.105.
RECOMMENDATIONS
- Ensure all impacted versions are patched and updated.
Threat Actors Exploit Social Media to Spread AsyncRAT Malware
Researchers have identified a malicious campaign targeting regions in the Middle East, North Africa, and parts of Europe and Asia. The attackers leverage social media by creating fake news groups and posting advertisements containing links to a file-sharing service or a Telegram channel. These links distribute a modified version of AsyncRAT malware, designed to search for cryptocurrency wallets and communicate with a Telegram bot.
A detailed analysis of the incidents and victim profiles revealed that the most targeted regions in this campaign were North Africa, the Middle East, and parts of Europe and Asia. The threat actor behind these attacks has been designated as “Desert Dexter”, named after one of the suspected individuals involved.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor network activity for abnormal behaviors and indicators of compromise (IoCs).
- Ensure that published IoCs are promptly loaded into detection and blocking controls to strengthen security posture and mitigate potential threats.
Broadcom Issues Warning on Actively Exploited VMware Zero-Day Vulnerabilities
Broadcom has issued a warning to customers regarding three actively exploited VMware zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), according to reports from the Microsoft Threat Intelligence Center.
These vulnerabilities affect multiple VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation and Telco Cloud Platform.
CVE-2025-22224 is a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation. A local, authenticated attacker with administrative privileges could exploit this flaw to achieve code execution in the virtual-machine executable (VMX) process.
CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi. A local, authenticated attacker with the necessary privileges could exploit this vulnerability through the VMX process to escape the sandbox.
CVE-2025-22226 is an information disclosure vulnerability in VMware ESXi, Workstation, and Fusion. A local, authenticated attacker with administrative privileges could trigger this flaw to force the VMX process to leak memory contents.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Google Releases Security Update to Fix Multiple Chrome Vulnerabilities
Google has published a security update to address multiple vulnerabilities in the Chrome browser, which have been fixed in the latest version (134.0.6998.35 for Linux, 134.0.6998.35/36 for Windows, and 134.0.6998.44/45 for Mac).
The update includes 14 security fixes, 9 of which were reported by external researchers. Among these 9 contributed fixes, one is rated as high severity, six as medium, and two as low.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
VMware Releases Critical Advisory Addressing Actively Exploited Vulnerabilities
VMware has issued a critical security advisory (VMSA-2025-0004) warning of active exploitation of three vulnerabilities affecting its ESXi, Workstation, and Fusion products. These vulnerabilities, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow attackers to execute malicious code, escalate privileges, and leak sensitive memory data.
CVE-2025-22224: VMCI Heap-Overflow Vulnerability
This critical flaw in VMware’s Virtual Machine Communication Interface (VMCI) enables attackers with local administrative privileges on a virtual machine to execute code on the underlying host.
The vulnerability stems from a Time-of-Check to Time-of-Use (TOCTOU) race condition, leading to an out-of-bounds write. VMware has confirmed active exploitation in the wild, and the Microsoft Threat Intelligence Center has been credited with its discovery.
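The advisory above names the bug class (a TOCTOU race leading to an out-of-bounds write) without showing what that pattern looks like. The following is an added, language-agnostic illustration of a double-fetch TOCTOU and its single-fetch fix; it is not VMware's code and does not model the real VMCI code path. The shared-header layout, the 16-byte destination buffer, and the `SharedRegion`, `vulnerable_copy` and `hardened_copy` names are assumptions made for the example, and the race window is made deterministic with a hook rather than a real thread so the outcome is reproducible. Python is used here to match the other example on this page; in C the same second read would overrun a fixed-size buffer instead of growing a bytearray.

```python
import struct

HEADER = struct.Struct("<I")   # 4-byte little-endian length field at offset 0 of the shared region (assumed)
DST_CAPACITY = 16              # size of the fixed "host-side" destination buffer (assumed)


class SharedRegion:
    """Memory both parties can write to; a bytearray stands in for guest-visible pages."""

    def __init__(self, length: int, payload: bytes) -> None:
        self.mem = bytearray(HEADER.pack(length) + payload)

    def read_length(self) -> int:
        return HEADER.unpack_from(self.mem, 0)[0]

    def write_length(self, n: int) -> None:
        HEADER.pack_into(self.mem, 0, n)


def _copy_n(region: SharedRegion, n: int) -> bytearray:
    """Copy n payload bytes into a fixed-size buffer. In C this would overrun adjacent
    memory; here the bytearray simply grows past DST_CAPACITY, which overflowed() detects."""
    dst = bytearray(DST_CAPACITY)
    dst[:n] = region.mem[HEADER.size:HEADER.size + n]
    return dst


def vulnerable_copy(region: SharedRegion, race_hook=None) -> bytearray:
    # CHECK: validate the length as it currently sits in shared memory ...
    if region.read_length() > DST_CAPACITY:
        raise ValueError("length exceeds destination buffer")
    if race_hook:
        race_hook(region)        # the window in which the other party can rewrite the header
    # USE: ... then fetch it AGAIN from shared memory. The second read is the defect.
    return _copy_n(region, region.read_length())


def hardened_copy(region: SharedRegion, race_hook=None) -> bytearray:
    n = region.read_length()     # single fetch: snapshot the untrusted value exactly once
    if n > DST_CAPACITY:
        raise ValueError("length exceeds destination buffer")
    if race_hook:
        race_hook(region)        # same window, but the header is never consulted again
    return _copy_n(region, n)    # every later decision uses the validated snapshot


def guest_rewrites_header(region: SharedRegion) -> None:
    """Stand-in for the racing writer: bumps the length after the check has passed."""
    region.write_length(64)


def overflowed(dst: bytearray) -> bool:
    """True when more bytes were written than the destination could hold."""
    return len(dst) > DST_CAPACITY


if __name__ == "__main__":
    payload = bytes(range(64))   # constructed 64-byte payload following the header
    print("vulnerable, no race :", overflowed(vulnerable_copy(SharedRegion(8, payload))))
    print("vulnerable, raced   :", overflowed(vulnerable_copy(SharedRegion(8, payload), guest_rewrites_header)))
    print("hardened, raced     :", overflowed(hardened_copy(SharedRegion(8, payload), guest_rewrites_header)))
```

The fix is not a bigger buffer or a second check; it is reading the untrusted value once into a local variable and never touching the shared copy again, which is the same discipline a hypervisor needs for any header a guest can write.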
CVE-2025-22225: ESXi Arbitrary Write Vulnerability
Rated “Important” (CVSS 8.2), this vulnerability allows attackers with VMX process privileges to write arbitrary kernel data, bypassing sandbox protections. VMware notes that this flaw has been exploited in the wild but requires prior access to the VMX environment.
CVE-2025-22226: HGFS Information Disclosure Vulnerability
This medium-severity vulnerability (CVSS 7.1) affects VMware’s Host-Guest File System (HGFS) and allows attackers with VM admin rights to leak memory from the host’s VMX process. While less severe than the other flaws, it poses a significant risk for data exfiltration and has been observed in active attacks.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Researchers Uncover Spear-Phishing Campaign Targeting Critical Infrastructure in the Middle East
Researchers have revealed a newly identified threat actor cluster, UNK_CraftyCamel, which launched a highly targeted spear-phishing campaign against organizations in the aviation, satellite communications, and critical transportation infrastructure sectors in the Middle East. The attack leveraged compromised business partner email accounts to send phishing emails containing a malicious ZIP archive, which ultimately delivered a custom Go-based backdoor named Sosano.
The attack chain included the use of polyglot files, a malicious LNK file disguised as an XLS spreadsheet, and a multi-stage loader that evaded detection by obfuscating payloads within images. The final payload, the Sosano backdoor, established a C2 connection and enabled remote execution of commands, file listing, and additional payload downloads.
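The lure techniques described above (an LNK dressed up as a spreadsheet, and image files that carry hidden data) can be checked for before a ZIP attachment reaches a user. The script below is an added example written for this bulletin, not code from the researchers or from the campaign; it inspects every member of an in-memory ZIP and flags three things: content that starts with the Windows shell-link header regardless of its name, a document extension followed by a hidden `.lnk`, and PNG files with bytes appended after their IEND chunk. The archive it scans is constructed inline for the demonstration, and the finding tags and function names are the example's own.

```python
from __future__ import annotations

import io
import zipfile

# First 20 bytes of every Windows shell link (.LNK): HeaderSize 0x0000004C followed by
# the LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Document-style extensions that attackers commonly place in front of a hidden ".lnk"
DOC_EXTENSIONS = (".xls", ".xlsx", ".doc", ".docx", ".pdf")


def png_trailing_bytes(data: bytes) -> int:
    """Number of bytes appended after a PNG's IEND chunk (a common polyglot/stego carrier)."""
    if not data.startswith(PNG_SIG):
        return 0
    idx = data.rfind(b"IEND")
    if idx < 0:
        return 0
    end_of_image = idx + 4 + 4  # chunk type (4 bytes) + CRC (4 bytes)
    return max(0, len(data) - end_of_image)


def inspect_member(name: str, data: bytes) -> list[str]:
    """Return finding tags for one archive member (empty list means nothing suspicious)."""
    findings: list[str] = []
    lower = name.lower()

    # 1. Content check: is this really a shell link, whatever the name says?
    if data.startswith(LNK_MAGIC):
        findings.append("lnk-magic")
        if not lower.endswith(".lnk"):
            findings.append("lnk-extension-mismatch")

    # 2. Name check: "invoice.xls.lnk" renders as "invoice.xls" when Explorer hides extensions.
    parts = lower.rsplit(".", 2)
    if len(parts) == 3 and "." + parts[1] in DOC_EXTENSIONS and parts[2] == "lnk":
        findings.append("double-extension")

    # 3. Carrier check: an image with extra bytes after its end marker.
    extra = png_trailing_bytes(data)
    if extra:
        findings.append(f"png-trailing-bytes:{extra}")
    return findings


def scan_zip(archive: bytes) -> dict[str, list[str]]:
    """Inspect every file in a ZIP held in memory; returns {member name: findings}."""
    results: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            found = inspect_member(info.filename, zf.read(info.filename))
            if found:
                results[info.filename] = found
    return results


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real sample): three lures plus one benign file."""
    png_with_payload = PNG_SIG + bytes.fromhex("0000000049454e44ae426082") + b"X" * 10
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.xls.lnk", LNK_MAGIC + b"\x00" * 56)  # double extension
        zf.writestr("report.xls", LNK_MAGIC + b"\x00" * 56)       # LNK renamed to .xls
        zf.writestr("logo.png", png_with_payload)                 # image carrying trailing data
        zf.writestr("readme.txt", b"plain text")                  # benign
    return buf.getvalue()


if __name__ == "__main__":
    for member, tags in scan_zip(build_sample_archive()).items():
        print(f"{member}: {', '.join(tags)}")
```

The content check matters more than the name check: renaming a link to `report.xls` defeats a double-extension rule, but the 20-byte header is still there. A mail gateway or sandbox pre-filter can apply the same three checks to attachments before the archive is ever opened on an endpoint.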
RECOMMENDATIONS
- Educate employees on recognizing phishing attempts to reduce the risk of initial compromise.
- Implement advanced email filtering solutions to detect and block malicious attachments.
- Utilize sandboxing technologies to analyze suspicious files in a controlled environment before execution.
- Keep software and security tools updated to mitigate vulnerabilities that could be exploited by such malware.
- Deploy endpoint detection and response (EDR) solutions to monitor and respond to malicious activities on endpoints.
- Regularly back up critical data and ensure backups are stored securely to prevent data loss from potential attacks.
- Restrict the execution of macros and scripts from untrusted sources to limit the execution of malicious code.
- Conduct regular security assessments to identify and remediate potential vulnerabilities within the organization.
References
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html
https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/