Top Middle East Cyber Threats – March 25th, 2025 - Help AG: Next-Gen Cybersecurity Services in the Middle East

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

Cybercriminals Exploit Ramadan to Launch Fraudulent Campaigns

Cybercriminals are exploiting the spirit of Ramadan by launching fraudulent donation campaigns, fake crypto giveaways, and deceptive e-commerce sales.

The rise in scams during Ramadan underscores the ever-evolving tactics of cybercriminals who take advantage of religious generosity and the festive shopping rush for financial gain. From fake Zakat assistance programs to fraudulent giveaways, these scams prey on individuals’ trust, leading to significant financial and personal losses.

The increasing sophistication of these frauds calls for a proactive approach, combining public awareness, stronger cybersecurity measures, and collaboration between financial institutions, retailers, and law enforcement. By staying informed, verifying sources, and adopting secure online practices, individuals can better protect themselves from falling victim to these deceptive schemes.

RECOMMENDATIONS  

Avoid clicking on unsolicited links in emails, SMS, or social media messages promising giveaways or donations.

Verify the legitimacy of donation requests by donating only through trusted, official charitable organizations.

Be cautious of crypto-based donation campaigns that promise high returns or anonymous giving options.

Do not connect your crypto wallet to unknown websites, especially those promising free airdrops or rewards.

Check the legitimacy of crypto tokens before investing, ensuring they have locked liquidity and reputable backers.

Confirm the authenticity of e-commerce sites before making purchases, particularly those offering high-discount Ramadan sales.

Look for red flags on social media promotions, such as newly created accounts, fake verification badges, and generic branding.

Report fraudulent social media posts and scam websites to relevant authorities or platform security teams.

Use multi-factor authentication (MFA) on all financial accounts to prevent unauthorized transactions.

Educate employees and consumers about Ramadan-themed scams through security awareness campaigns.

Oracle Cloud Breached: Threat Actor Exfiltrates Sensitive Data

On March 21, 2025, a post by the threat actor “rose87168” appeared on BreachForums, claiming to have breached Oracle Cloud’s login endpoint subdomain and exfiltrated approximately 6 million user records, including 662 .ae domains, from Oracle’s SSO and LDAP systems. This breach appears to have exposed highly sensitive enterprise data, including:

Java KeyStore (JKS) files

Encrypted SSO passwords

Enterprise Manager JPS keys

LDAP hashed passwords

Tenant identifiers and user profile attributes

The threat actor also posted a sample of the LDAP data and other related content via anonfile.io and demanded payment from companies listed in the dump in exchange for data removal. Additionally, the actor offered to trade the stolen data for zero-day exploits or decryption assistance.

Researchers identified the vulnerable subdomain as login.us2.oraclecloud.com, which was confirmed to be running an outdated version of Oracle Fusion Middleware 11G. This version is known to be affected by CVE-2021-35587, a vulnerability in Oracle Access Manager that allows remote code execution and full system compromise via unauthenticated HTTP access.

RECOMMENDATIONS

Immediately reset passwords for all compromised LDAP user accounts, focusing on privileged accounts (e.g., Tenant Admins).

Enforce strong password policies and Multi-Factor Authentication (MFA).

Regenerate SASL/MD5 hashes or migrate to a more secure authentication method.

Contact Oracle Support immediately to rotate tenant-specific identifiers (e.g., orclmttenantguid, orclmttenantuname) and discuss necessary remediation steps.

Regenerate and replace any SSO, SAML, or OIDC secrets and certificates associated with the compromised LDAP configuration.

Review LDAP logs for suspicious authentication attempts.

Investigate recent account activity to detect potential unauthorized access.

Implement continuous monitoring to track unauthorized access and anomalous behavior.

Rotate all SSO, LDAP, and associated credentials, enforcing strong password policies and MFA.

Conduct a comprehensive investigation to identify potential unauthorized access and mitigate further risks.

Continuously monitor dark web and threat actor forums for discussions related to the leaked data.

Report the incident to Oracle to verify a potential supply chain attack and seek patches or mitigations.

Implement strict access policies and adopt the principle of least privilege.

Enhance logging mechanisms to detect anomalies and prevent future breaches.

State-Sponsored Groups Exploit Zero-Day Vulnerability in Windows for Espionage and Data Theft

An unpatched security flaw in Microsoft Windows has been exploited by 11 state-sponsored groups across various regions for data theft, espionage, and financially motivated attacks.

The zero-day vulnerability, tracked by Trend Micro’s Zero Day Initiative (ZDI) as ZDI-CAN-25373, allows threat actors to execute hidden malicious commands on a victim’s machine by leveraging specially crafted Windows Shortcut (.LNK) or Shell Link files. This vulnerability stems from a User Interface (UI) Misrepresentation of Critical Information (CWE-451) weakness, which enables attackers to manipulate how Windows displays shortcut files. As a result, they can evade detection and execute code on vulnerable devices without the user’s knowledge.

The attacks exploit hidden command-line arguments within .LNK files to execute malicious payloads, making detection more challenging. Specifically, attackers pad the arguments with Line Feed (\x0A) and Carriage Return (\x0D) characters to bypass security measures.

To date, nearly 1,000 .LNK file artifacts exploiting ZDI-CAN-25373 have been uncovered. The majority of these samples have been linked to state-sponsored groups, including Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi), and ScarCruft (Earth Manticore).

RECOMMENDATIONS  

Implement strict endpoint protection policies to block the execution of malicious .LNK files.

Regularly scan systems for hidden command-line arguments within .LNK files.

Apply -based detection to identify suspicious shortcut file executions that may lead to malicious payloads.

Restrict PowerShell and CMD execution from untrusted locations to prevent malware execution.

Enforce network segmentation to limit lateral movement in case of a successful compromise.

Train employees to avoid opening suspicious shortcut files received via email or from unknown sources.

Monitor network traffic for anomalous communication patterns associated with APT (Advanced Persistent Threat) activities.

Conduct regular security audits and patch management to mitigate known vulnerabilities.

Use application whitelisting to prevent unauthorized programs from executing via .LNK exploits.

Researchers Identify New Hacktivist Collective INDOHAXSEC Targeting Southeast Asia

Researchers have identified a relatively new hacktivist collective called INDOHAXSEC, which has been active within the Southeast Asia region. Over the past few months, the group has launched cyberattacks, including Distributed Denial of Service (DDoS) attacks and ransomware operations, targeting various entities and government organizations in the area. Their campaigns leverage a combination of custom-developed tools and publicly available malware sourced from the broader internet.

RECOMMENDATIONS  

Apply the principle of least privilege to minimize access to sensitive systems and data.

Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.

Regularly patch and update internet-facing systems to mitigate vulnerability exploits.

Conduct awareness programs to educate users on phishing attacks and social engineering tactics.

Monitor network activity for abnormal and Indicators of Compromise (IoCs).

Take immediate action to block related IoCs across all relevant security controls across the o.

Ensure prompt implementation of related IoCs to strengthen security posture and mitigate potential threats.

Schedule frequent automated backups.

Maintain at least one backup offsite, preferably in an air-gapped or immutable storage system that ransomware cannot encrypt.

Google Patches Critical Use-After-Free Vulnerability in Chrome Browser

Google has published a security update to address multiple vulnerabilities in the Chrome browser, which have been fixed in the latest version (134.0.6998.117/.118 for Windows and Mac, and 134.0.6998.117 for Linux).

This update includes two security fixes, one of which was reported by external researchers. Google has rated the reported vulnerability (CVE-2025-2476) as Critical in severity. It is described as a Use-After-Free (UAF) issue in Google Lens—an image recognition technology developed by Google that uses neural network-based visual analysis to identify objects and provide relevant information.

Use-After-Free (UAF) vulnerabilities occur when a program continues to access a memory location after it has been freed or deallocated. This can lead to unexpected behavior, crashes, or serious security risks such as remote code execution or privilege escalation.

RECOMMENDATIONS  

Ensure all systems are patched and updated.

Cisco Releases IOS XR Security Update

Cisco has released patches to fix 10 security issues in Cisco IOS XR. Out of the 10 CVEs, 7 are classified as high severity and 3 as medium severity.

RECOMMENDATIONS  

Ensure all systems are patched and updated.

Palo Alto Networks Releases Update to Fix Security Vulnerabilities

Palo Alto Networks has released a security update to address 6 vulnerabilities in Palo Alto products, including GlobalProtect App, PAN-OS, and Prisma Access Browser. Of the 6 security issues fixed, one is rated as high severity, four as medium severity, and one as low severity. 

None of the addressed vulnerabilities were reported to have been exploited publicly at the time of releasing the advisory.

RECOMMENDATIONS  

Ensure all systems are patched and updated.

Apple Releases Update to Fix Zero-Day Vulnerability in iPads and iPhones

Apple has released a security update to address a zero-day vulnerability in iPads and iPhones.

The vulnerability, tracked as CVE-2025-24201, is described as maliciously crafted web content that may be able to break out of the Web Content Sandbox. Apple stated that they are aware of reports indicating that this issue may have been actively exploited in an extremely sophisticated attack against specifically targeted individuals using versions of iOS prior to iOS 17.2.

The issue has been addressed in the following products, with improved checks to prevent unauthorized actions:
Safari 18.3.1, visionOS 2.3.2, macOS Sequoia 15.3.2, iOS 18.3.2 and iPadOS 18.3.2.

The update is available for Apple Vision Pro, macOS Sequoia, macOS Ventura, macOS Sonoma, iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

RECOMMENDATIONS  

Ensure all systems are patched and updated.

Ivanti Releases Update to Address Two Vulnerabilities

Ivanti has published a security update to address 2 vulnerabilities in Ivanti Neurons for MDM (Mobile Device Management) and Secure Access Client.

Of the 2, one is rated as high severity and the other as medium severity.

The high severity CVE, tracked as CVE-2025-22454, impacts the Windows version of Ivanti Secure Access Client. Insufficiently restrictive permissions in Ivanti Secure Access Client versions before 22.7R4 allow a local authenticated attacker to escalate their privileges.

The medium severity vulnerability affects Ivanti Neurons for MDM (N-MDM). An improper check for dropped privileges in Ivanti Neurons for MDM versions before R112 allows a remote authenticated attacker with admin privileges to retain their session. Ivanti did not assign a CVE for this security issue.

RECOMMENDATIONS  

Ensure all systems are patched and updated.

Fortinet Releases Update to Fix Vulnerabilities Across Multiple Products

Fortinet has released a security update to address 9 vulnerabilities in Fortinet products, including FortiSandbox, FortiManager, FortiAnalyzer/FortiAnalyzer-BigData, FortiWeb, FortiPAM, FortiProxy, and FortiSRA.

Of the 9 addressed vulnerabilities, 4 are rated as high severity and 5 as medium severity.

RECOMMENDATIONS  

Ensure all systems are patched and updated.

Microsoft Fixes Critical Vulnerabilities in Latest Patch Update – March 2025

Microsoft has addressed 56 CVEs affecting Windows and Windows Components, Office and Office Components, Azure, .NET and Visual Studio, Remote Desktop Services, DNS Server, and Hyper-V Server. With the addition of third-party CVEs, the total release addresses 67 CVEs.

Among the patches released this month, 6 are rated as critical, and 50 as important in severity. One of these CVEs is listed as publicly known/exploited, and six are under active attack at the time of releasing this advisory.