Threat advisories

Top Middle East Cyber Threats – October 1st, 2024  

Oct-2024 3 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.  

Cisco Releases Security Update for High-Severity Vulnerability

Cisco has released a security update to address a high-severity vulnerability in Cisco IOS XE Software. This vulnerability affects Cisco products running a vulnerable release of Cisco IOS XE Software that has the HTTP Server feature and the service internal configuration command enabled.

The vulnerability tracked as CVE-2024-20437 is rated as high in severity due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an already authenticated user to follow a crafted link. A successful exploit could allow an unauthenticated remote attacker to perform a cross-site request forgery (CSRF) attack and execute commands on the Command-Line Interface (CLI) of an affected device with the privileges of the targeted user.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Google Fixes High-Severity Vulnerabilities in Latest Update

Google has published a security update to address multiple vulnerabilities in the Chrome browser, which are now fixed in the latest version (129.0.6668.70/.71 for Windows and Mac, and 129.0.6668.70 for Linux).

Four out of five fixes are rated as high in severity.

RECOMMENDATIONS

Ensure all systems are patched and updated.

UNC1860 Exploits Custom Malware for Long-Term Access to High-Value Networks

UNC1860 is a cyber espionage group known for its role as an initial access provider and its ability to establish long-term persistent access to high-value networks.

UNC1860 uses specialized tools, such as custom malware controllers and passive backdoors, to gain initial footholds, allowing for the handoff of victim network access to other Iranian-sponsored groups. Key sectors targeted by UNC1860 include government and telecommunications networks in the Middle East, with evidence suggesting that the group collaborates with other actors, such as APT34.

UNC1860 uses GUI-operated malware controllers (TEMPLEPLAY and VIROGREEN) to facilitate remote access and internal exploitation, likely handing off control to other threat actors.

The group relies heavily on “main stage” passive backdoors (e.g., TEMPLEDOOR, FACEFACE, SPARKLOAD) that minimize detectable outbound traffic, enabling long-term persistent access while evading detection.

UNC1860’s advanced reverse engineering of Windows kernel components (e.g., WINTAPIX, TOFUDRV) and anti-virus software showcases its strong technical expertise in detection evasion.

RECOMMENDATIONS

Ensure all systems are patched and updated.

Avoid clicking on or opening untrusted or unknown links, files, or attachments.

Enable software restriction policies and application whitelisting.

Don’t allow Macros for unknown MS Office files.

Ensure that your email server is configured to block any suspicious files.

Enforce the restricted PowerShell script execution policy for end users.

Monitor your network for abnormal behaviors and IoCs.

Ensure frequent backups are in place.

Educate employees about detecting and reporting phishing and suspicious emails.

Broadcom Releases Security Updates for VMware vCenter Server

Broadcom has released updates to address a critical security flaw impacting VMware vCenter Server that could result in remote code execution. The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), is described as a heap overflow vulnerability in the DCE/RPC protocol. A malicious actor with network access to the vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.

Additionally, VMware addressed another privilege escalation flaw in vCenter Server (CVE-2024-38813, CVSS score: 7.5) that could allow a malicious actor with network access to escalate privileges to root by sending a specially crafted network packet.

RECOMMENDATIONS