Threat advisories

Top Middle East Cyber Threats – October 15th, 2024

Oct-2024 3 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

Earth Simnavaz Escalates Cyber Espionage Targeting UAE and Gulf Region

Recent investigations have uncovered significant cyber espionage activities by an advanced persistent threat (APT) group known as Earth Simnavaz, also referred to as APT34 or OilRig. This group has increased its operations against governmental entities, particularly in the United Arab Emirates (UAE) and the broader Gulf region. Their focus on exploiting vulnerabilities within critical infrastructure marks an escalation in efforts to compromise geopolitical security.

Earth Simnavaz’s sophisticated tactics include:

Exploiting a new backdoor to target Microsoft Exchange servers for extracting sensitive data.
Utilizing custom .NET tools, PowerShell scripts, and IIS-based malware to blend malicious activity with legitimate network traffic, avoiding detection.
Employing the ngrok tool for persistent access and remote management of compromised systems.
Exploiting CVE-2024-30088, which allows privilege escalation in affected systems.

The group’s increased activity highlights their ability to exploit both newly discovered and existing vulnerabilities, maintaining a stealthy presence in compromised networks for espionage purposes.

RECOMMENDATIONS

Ensure all systems are patched and updated, with priority given to vulnerabilities like CVE-2024-30088.
Avoid interacting with untrusted or unknown links, files, or attachments.
Implement advanced Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) solutions to detect and mitigate threats early.
Enable software restriction policies and application whitelisting.
Configure email servers to block suspicious attachments.
Enforce Restricted PowerShell script execution policies for end users.
Monitor your network for abnormal behaviours and Indicators of Compromise (IoCs).
Ensure frequent backups are in place.
Educate employees on detecting and reporting phishing and suspicious emails.

Palo Alto Networks Addresses Critical OS Command Injection

Palo Alto Networks has released seven security updates to address multiple vulnerabilities across their products, including PAN-OS, Expedition, Cortex XDR Agent, Cortex XSOAR, and GlobalProtect App. Among these, one vulnerability is rated critical, two are rated high, and four are medium severity.

The most critical vulnerability, CVE-2024-9463, involves an OS command injection in Palo Alto Networks Expedition. This vulnerability allows an unauthenticated attacker to execute arbitrary OS commands as root, potentially disclosing usernames, cleartext passwords, device configurations, and API keys from PAN-OS firewalls.

This vulnerability affects Expedition versions below 1.2.96 and has been fixed in version 1.2.96 and higher.

RECOMMENDATIONS

Ensure all systems are patched and updated

Fortinet’s Security Update Addresses Multiple Vulnerabilities

Fortinet has released a security update to address multiple vulnerabilities affecting FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. This update includes two medium-severity and one low-severity vulnerability. Additionally, FortiGuard has updated product lists impacted by CVE-2024-6387, an OpenSSH vulnerability (regreSSHion), which was first notified in July 2024.

Below is a summary of the newly identified vulnerabilities:

[Medium] CVE-2024-45330 – Format String Bug in fazsvcd
A vulnerability in FortiAnalyzer’s fazsvcd daemon involving an externally controlled format string may allow a remote, privileged attacker with admin profile access to execute arbitrary code or commands via specially crafted requests.
[Medium] Buffer Overflow in fgfmd
A stack-based buffer overflow vulnerability affecting FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager could allow a remote attacker to execute arbitrary code or commands by sending crafted packets to the fgfmd daemon. Exploitation requires specific conditions that are outside the attacker’s control.
[Low] CVE-2024-33506 – Privileged Admin Access to Device Summary in Different ADOM
A vulnerability in FortiManager’s Administrative Domain (ADOM) could expose sensitive information to an unauthorized actor. This issue allows a remote, authenticated attacker assigned to one ADOM to access the device summary of other ADOMs via crafted HTTP requests.

RECOMMENDATIONS

Ensure all systems are patched and updated

Cisco Releases Security Update for Identity Services Engine Vulnerability

Cisco has released a security update to address a medium-severity CVE in the web-based management interface of Cisco Identity Services Engine (ISE).

CVE-2024-20515 is caused by insufficient data protection mechanisms for specific configuration settings. An attacker with Read-Only Administrator privileges could exploit this vulnerability by accessing a page containing sensitive data. A successful exploit could allow the attacker to view device credentials that are typically hidden from Read-Only Administrators.