Top Middle East Cyber Threats – September 17th, 2024
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
APT34 Malware Campaign Targets Government Infrastructure
Researchers have uncovered a recent campaign targeting government infrastructure, attributed to the threat group APT34 (also known as OilRig). The attacks involved custom malware families, Veaty and Spearal, along with a passive IIS backdoor, all used to compromise critical government systems. These malware families exhibit sophisticated techniques, including DNS tunnelling and email-based command-and-control (C2) channels, enabling the threat actors to infiltrate networks stealthily and maintain persistence.
APT34, also known for its previous campaigns in the Middle East, employed social engineering techniques to initiate infections, often using double-extension files disguised as legitimate government documents. The malware delivered by these files would establish persistence by modifying registry settings and executing custom PowerShell scripts. Spearal, in particular, utilized DNS tunnelling for data exfiltration, while Veaty leveraged compromised email accounts within government networks for C2 communications.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking on or opening untrusted or unknown links, files, or attachments.
- Enable software restriction policies and application whitelisting.
- Ensure that your email server is configured to block any suspicious files.
- Enforce the restricted PowerShell script execution policy for end users.
- Monitor your network for abnormal behaviors and IoCs.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing and suspicious emails.
Palo Alto Networks Addresses Critical Command Injection Vulnerability in PAN-OS
Palo Alto Networks has released a security update to address four PAN-OS vulnerabilities. One of these is rated as high severity, while the other three are rated as medium severity. The most severe vulnerability, identified as CVE-2024-8686 and rated as high severity, is described as a command injection vulnerability in Palo Alto Networks’ PAN-OS software. It allows an authenticated administrator to bypass system restrictions and execute arbitrary commands as root on the firewall. This vulnerability affects PAN-OS version 11.2.2 and is fixed in 11.2.3 and later versions.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Fortinet Security Update Addresses Multiple Vulnerabilities Across Key Products
Fortinet has released a security update to address multiple vulnerabilities across its products, including FortiAnalyzer, FortiManager, FortiADC, FortiEDR, FortiSandbox, FortiClient, and FortiSOAR.
This update addresses one high-severity vulnerability, eight medium-severity vulnerabilities, and one low-severity vulnerability. The high-severity vulnerability, identified as CVE-2024-4863, is described as “inadequate user validation and lack of brute force protection on change password requests.” This vulnerability in the FortiSOAR change password endpoint may allow an authenticated attacker to perform a brute force attack on user and administrator passwords via crafted HTTP requests.
| Version | Affected | Solution |
| FortiSOAR 7.5 | Not affected | Not Applicable |
| FortiSOAR 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above |
| FortiSOAR 7.3 | 7.3.0 through 7.3.2 | Upgrade to 7.3.3 or above |
| FortiSOAR 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiSOAR 7.0 | 7.0 all versions | Migrate to a fixed release |
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Cisco Addresses Multiple Vulnerabilities in IOS XR Software
Cisco has released a security update to address six vulnerabilities in IOS XR Software, including four high-severity and two medium-severity issues. Below is a list of all the reported vulnerabilities.
High – Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability
This vulnerability arises from insufficient input validation of ingress IS-IS packets. An attacker could exploit it by sending specially crafted IS-IS packets to an affected device after establishing an adjacency. A successful exploit could cause the IS-IS process on all affected devices participating in the Flexible Algorithm to crash and restart, leading to (DoS) condition.
High – Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability
This vulnerability is caused by the incorrect classification of certain types of Ethernet frames received on an interface. An attacker could exploit it by sending specially crafted Ethernet frames to or through the affected device. A successful exploit could cause control plane protocol relationships to fail, leading to a (DoS) condition.
High – Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability
This vulnerability exists because the Mtrace2 code does not properly handle packet memory. An attacker could exploit this by sending specially crafted packets to an affected device. A successful exploit could allow the attacker to exhaust the incoming UDP packet memory, preventing the device from processing higher-level UDP-based protocol packets and potentially causing a (DoS) condition.
High – Cisco IOS XR Software CLI Privilege Escalation Vulnerability
This vulnerability arises from insufficient validation of user arguments passed to specific CLI commands. An attacker with a low-privileged account could exploit this by using specially crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root.
Medium – Cisco IOS XR Software CLI Arbitrary File Read Vulnerability
This vulnerability arises from incorrect validation of the arguments passed to a specific CLI command. An attacker could exploit this by logging in to an affected device with low-privileged credentials and using the vulnerable command. A successful exploit could allow the attacker to access files in read-only mode on the Linux file system.
Medium – Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability
This vulnerability arises from inadequate error validation of incoming XML packets. An attacker could exploit this by sending a sustained, crafted stream of XML traffic to a targeted device. A successful exploit could render XML TCP port 38751 unreachable while the attack traffic persists.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
References
https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-isis-xehpbVNe
https://security.paloaltonetworks.com/
https://www.fortiguard.com/psirt/FG-IR-24-048
https://www.fortiguard.com/psirt?filter=1&version=
