
New Cybersecurity Threat for the Middle Eastern Countries: OilRig Malware

 



Cybersecurity experts say there is a new threat against Middle East organisations, more specifically within the United Arab Emirates and other Gulf countries. An Iranian cybercrime gang known as OilRig is hunting login credentials that grant access to organisational and personal systems, with a focus on infiltrating key infrastructure in the region.


Role of OilRig in Attacks

OilRig is another notorious state-sponsored hacking group, also known by the designations APT43 and Cobalt Gipsy, and its origins trace back to Iranian government sponsorship. In previous campaigns, OilRig has mainly focused on exploiting exposed servers with web shells, a category of malicious software that gives attackers remote control of an affected server and lets them run PowerShell scripts from it. That initial foothold is then used to dig deeper into the system.

Once the group has taken over the server, it exploits the flaw CVE-2024-30088, a Windows vulnerability that Microsoft patched in June 2024. Exploiting it allows the attackers to elevate their privileges, giving them access to areas of the system that would otherwise be off-limits and would constrain their operations. According to Microsoft, this is a high-risk vulnerability with a base score of 7.0.


How the Malware Works

The attack utilises a very sophisticated piece of malware referred to as STEALHOOK. STEALHOOK gathers sensitive information from infected systems, blends the gathered data with other legitimate data to help it operate undetected, and then sends it back to the attackers through an Exchange server. This exfiltrates the data while keeping it hidden from cybersecurity defences: because it moves as ordinary mail traffic, the attackers can quietly extract sensitive information without immediately raising an alarm.


Ties to Ransomware and Other APT Groups

OilRig's operations closely relate to another Iranian threat group known as FOX Kitten, which is particularly infamous for ransomware campaigns. These connections suggest a broader strategy by Iranian hacking groups of targeting and disrupting key industries, with a specific focus on the energy sector. According to Trend Micro, most of OilRig's targets fall in the energy sector; disruption in such industries could have ripple effects at regional and global levels. This sector is also critical to daily life: energy supply lines form such a large part of the region's infrastructure that any extended interference could have serious consequences.


Vulnerability Not Yet Flagged By CISA

Although this flaw is believed to be actively exploited, the United States Cybersecurity and Infrastructure Security Agency (CISA) has yet to add CVE-2024-30088 to its Known Exploited Vulnerabilities catalogue. That catalogue is an important tool for organisations deciding which actively exploited vulnerabilities to prioritise for patching. The flaw's absence from the list means there is an even greater need for general awareness of the threat, and affected organisations need to patch their systems proactively.

Among the many malware campaigns recently observed targeting the Middle East, OilRig reflects the rising complexity and frequency of cyber attacks. Energy sector organisations in particular need to be highly aware of such sophisticated attacks. The exploitation of CVE-2024-30088 illustrates the critical and constant risk posed by state-sponsored cyber criminals, and it underlines the importance of timely software updates and strong cybersecurity measures against unauthorised access and data theft.

Both corporate and individual entities are therefore urged to protect their information systems from these advanced threats. With proactive steps and awareness, OilRig's attacks can be stopped before they run their full course.


Threat Actors Install Backdoor via Fake Palo Alto GlobalProtect Lure

 

Malware disguised as the authentic Palo Alto GlobalProtect tool is being used by malicious actors to target Middle Eastern firms. The malware can steal data and run remote PowerShell commands to penetrate company networks further. Palo Alto GlobalProtect is a security solution from Palo Alto Networks that offers secure VPN access and supports multi-factor authentication.

The tool is frequently used by businesses to guarantee that partners, contractors, and remote workers can securely access private network resources. By utilising Palo Alto GlobalProtect as bait, the attackers are evidently targeting high-value business entities that use enterprise software, as opposed to random users.

Trend Micro researchers have not been able to figure out how the malware is delivered, but based on the bait employed, they believe the attack begins with a phishing email. The malware checks for indicators that it is running in a sandbox before executing its main code. It then sends profile information about the compromised system to the command and control (C2) server.

As an additional evasion layer, the malware encrypts the strings and data packets that will be exfiltrated to the C2. The C2 IP detected by Trend Micro used a newly registered URL containing the "sharjahconnect" string, making it appear to be a legitimate VPN connection portal for Sharjah-based offices in the United Arab Emirates. Given the campaign's targeting scope, this choice allows the threat actors to blend in with normal operations while minimising warning signs that could raise the victim's suspicion.

Using the Interactsh open-source tool, beacons are sent out at regular intervals to communicate the malware's status to the threat actors during the post-infection phase. While Interactsh is a legitimate open-source tool employed by pentesters, its linked domain, oast.fun, has already been spotted in APT-level operations, such as the APT28 campaigns. However, no attribution was provided for this operation involving the Palo Alto product lure.

The following commands were received from the command and control server: 

  • time to reset: Stops malware operations for a specified duration. 
  • pw: Implements a PowerShell script and sends the result to the hacker's server.
  • pr wtime: Reads or writes a wait time to a file. 
  • pr create-process: Starts a new process and returns the output.
  • pr dnld: Downloads a file from a specified URL. 
  • pr upl: Uploads a file to a remote server. 
  • invalid command type: Returns this message if an unrecognized or erroneous command is encountered.

Trend Micro reports that, while the attackers are unknown, the operation looks to be highly targeted, with unique URLs for the targeted companies and newly established C2 domains to avoid blocklists.
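As an added example (not code from the original post or from Trend Micro), the following Python detection sketch runs over constructed DNS log lines and flags the two things this post describes: queries matching its named indicators (the Interactsh oast.fun domain and a domain containing the "sharjahconnect" lure string) and the regular-interval beaconing of the post-infection phase. The hostnames, timestamps and the .invalid domains are assumptions made up for the sample.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS log lines: "timestamp source-host queried-name".
# Names under .invalid are placeholders; oast.fun is the Interactsh domain
# named in the post, and "sharjahconnect" is the lure string it reports.
SAMPLE_LOG = """\
2024-08-20T09:00:00 ws-17 update.microsoft.com
2024-08-20T09:00:05 ws-17 c8k2xq.oast.fun
2024-08-20T09:01:12 ws-42 mail.corp.invalid
2024-08-20T09:05:05 ws-17 c8k2xq.oast.fun
2024-08-20T09:07:30 ws-42 sharjahconnect-vpn.invalid
2024-08-20T09:10:05 ws-17 c8k2xq.oast.fun
2024-08-20T09:15:06 ws-17 c8k2xq.oast.fun
2024-08-20T09:15:40 ws-42 portal.corp.invalid
"""

OAST_RE = re.compile(r"(^|\.)oast\.fun$", re.IGNORECASE)
LURE_STRINGS = ("sharjahconnect",)


def parse_log(text):
    """Parse 'timestamp host domain' lines into (datetime, host, domain) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing the run
        ts, host, domain = parts
        events.append((datetime.fromisoformat(ts), host, domain.lower().rstrip(".")))
    return events


def indicator_hits(events):
    """Return (host, domain, reason) for queries matching the post's indicators."""
    hits = []
    for _, host, domain in events:
        if OAST_RE.search(domain):
            hits.append((host, domain, "interactsh-oast"))
        elif any(s in domain for s in LURE_STRINGS):
            hits.append((host, domain, "lure-domain"))
    return hits


def beacon_candidates(events, min_hits=4, max_jitter=0.1):
    """Flag (host, domain) pairs queried at near-constant intervals.

    A timer-driven check-in yields inter-arrival gaps with a low coefficient
    of variation (stdev / mean); human browsing does not. Returns a dict
    {(host, domain): mean_gap_seconds} for the pairs that cross the threshold.
    """
    seen = defaultdict(list)
    for ts, host, domain in events:
        seen[(host, domain)].append(ts)
    flagged = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[key] = round(mean)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in indicator_hits(evs):
        print("indicator:", hit)
    for (host, dom), secs in beacon_candidates(evs).items():
        print(f"beacon: {host} -> {dom} roughly every {secs}s")
```

The beacon heuristic is deliberately indicator-agnostic, so it also surfaces check-ins to C2 domains that are too new to be on any blocklist, which is the evasion the post describes.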

China-Backed Earth Baku Broadens Cyber Assaults to Europe, Middle East, and Africa

 

The China-backed threat actor Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education sectors are among those singled out as part of the intrusion set.

Trend Micro researchers Ted Lee and Theo Chen, in an analysis published last week, noted that Earth Baku has updated its tools, tactics, and procedures (TTPs) in more recent campaigns. The group utilizes public-facing applications such as IIS servers as entry points for attacks, subsequently deploying sophisticated malware toolsets on the victim's environment. The findings build upon recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of malware families like DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP). Trend Micro has assigned them the monikers StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, has been known for its use of StealthVector as far back as October 2020. Their attack chains involve the exploitation of public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-on payloads. StealthReacher has been classified as an enhanced version of the StealthVector backdoor loader, responsible for launching SneakCross, a modular implant and a likely successor to ScrambleCross that leverages Google services for its command-and-control (C2) communication.

The attacks are further characterized by the use of other post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network (VPN) service known as Tailscale. Sensitive data exfiltration to the MEGA cloud storage service is accomplished by means of a command-line utility dubbed MEGAcmd. "The group has employed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as their latest modular backdoor," the researchers stated.

"The persistence of Earth Baku is notable," said the researchers. "Their tactics show a sophisticated understanding of public-facing applications, allowing them to infiltrate various sectors with precision." They further explained that the group's post-exploitation tools are customized to fit specific operational needs, with iox and Rakshasa playing significant roles in maintaining prolonged access and stealth. Tailscale, the VPN service, ensures the attackers can manage their operations without detection, while MEGAcmd allows for efficient data exfiltration.

The continued evolution of Earth Baku's methods, including the introduction of new malware like SneakCross, highlights the growing complexity and threat posed by this actor. The group’s ability to adapt and refine their TTPs makes them a formidable adversary in the cyber landscape.

Dubai Customs Introduces Blockchain Platform to Streamline Commerce

 

Dubai Customs has recently unveiled a new blockchain platform aimed at streamlining commercial activities in the region, reinforcing its status as a technology-forward market. This initiative seeks to address and overcome obstacles hindering entrepreneurship in Dubai by leveraging blockchain technology to enhance transparency and facilitate secure data sharing. 

The newly introduced platform promises to offer secure and cost-effective solutions along with technology-driven logistics initiatives. Sultan Ahmed bin Sulayem, Chairman of Dubai’s Ports, Customs, and Free Zone Corporation, described the platform as a significant advancement in improving business and commercial operations in Dubai. “We are confident that the adoption of modern technologies such as blockchain will greatly contribute to enhancing the business environment and solidifying Dubai’s position as a key global trade hub,” Sulayem stated. 

Blockchain technology, or distributed ledger technology, distributes data across multiple nodes, thus avoiding centralization on a single server as seen in traditional systems. This feature significantly enhances security by making it difficult for malicious actors to infiltrate the network. Additionally, any information stored on blockchain networks is immutable, promoting transparency in business operations. 

Dubai officials are also keen on utilizing other blockchain features such as live tracking of goods and preventing fraud and counterfeiting. This is not the first time Dubai has explored blockchain technology. In May, a plan was revealed to position the region as one of the top ten economies proficient in metaverse technology. In a previous effort, Dubai collaborated with the Solana Foundation to establish a blockchain framework for its free economic zone, the Dubai Multi Commodities Centre (DMCC), in October 2023. This collaboration aimed to assist businesses in expanding their operations by leveraging blockchain technology. 

The new platform by Dubai Customs is expected to revolutionize the way businesses operate in the region, providing a more secure, transparent, and efficient environment for commercial activities. As Dubai continues to integrate cutting-edge technologies, it strengthens its position as a leading global trade hub and a beacon of innovation in the Middle East.

UAE Takes Measures to Strengthen Cybersecurity in the META Region

 



The United Arab Emirates (UAE) is emerging as a beacon of innovation and technological advancement in the Middle East, and its commitment to cybersecurity is a vital element in shaping its hyper-connected future. As the UAE's digital footprint expands, so too does the potential for cyberattacks that could disrupt critical infrastructure and compromise sensitive data.

Recent statistics reveal a concerning increase in the UAE's vulnerability to cyber threats, including ransomware and DDoS attacks. In a joint report by the UAE government and CPX security, it was found that nearly 155,000 vulnerable points exist within the UAE, with Dubai being the most concentrated area. Insider attacks, where individuals within organizations misuse their access to steal data, are also a growing concern as the country embraces cloud computing and artificial intelligence.

The financial implications of data breaches in the Middle East have also surged, with the region ranking second only to the US in terms of breach costs. The average cost of a data breach in the Middle East exceeded $8 million in 2023, highlighting the urgent need for robust cybersecurity measures. However, a critical gap remains, as nearly a quarter of oil and gas companies and government entities in the region lack dedicated cybersecurity teams.


The UAE is actively addressing these challenges through a multi-pronged approach to enhance its cybersecurity shield. Here are the top cybersecurity trends shaping the UAE's digital landscape in 2024:

1. Advanced Threat Detection: The UAE recognizes the limitations of traditional security methods and is investing in advanced threat detection systems powered by artificial intelligence (AI), machine learning (ML), and behavioural analytics. This approach enables real-time identification and response to sophisticated cyber threats.

2. Public-Private Partnerships (PPPs) for Enhanced Security: The UAE is forging partnerships between the government and private sector to create a united front against cyber threats. Collaborations with organisations like the UN's ITU and leading cybersecurity firms demonstrate a commitment to sharing expertise and resources.

3. Cloud Security on the Rise: With the increasing reliance on cloud storage and processing, the UAE is experiencing a surge in cloud security solutions. This growth is driven by investments from cloud service providers, proactive government measures, and the need for enhanced protection against cyberattacks.

4. Cybersecurity Education and Training: The UAE is investing in cybersecurity education and training programs to equip professionals with the necessary skills to combat cyber threats. From specialised courses in universities to workshops for businesses, there is a concerted effort to build a strong cybersecurity workforce in the country.

5. Zero Trust Security Model Gaining Traction: The adoption of the zero-trust security model is growing in the UAE as businesses move away from traditional network perimeters. This model constantly verifies users and devices before granting access to resources, offering enhanced security in a more open, cloud-based environment.

6. Regulatory Compliance: The UAE has implemented stringent cybersecurity regulations to safeguard critical infrastructure and sensitive data. Adhering to these regulations is mandatory for organisations operating in the country, ensuring a baseline level of cybersecurity.

7. Quantum Cryptography: The UAE is investing in the research and development of quantum cryptography technologies to protect against future cyber threats posed by quantum computers. This cutting-edge approach leverages the principles of quantum mechanics to secure communications.

8. Focus on Critical Infrastructure Protection: Protecting critical infrastructure is a top priority in the META region, with specific measures being implemented to safeguard sectors such as energy, transportation, and healthcare systems. These measures are essential for maintaining national security and ensuring the continuity of essential services.

9. Growth of Cybersecurity Startups and Innovations: The META region is witnessing a surge in cybersecurity startups that are developing tailored solutions to address regional needs. Initiatives like Dubai's Innovation Hub and Saudi Arabia's cybersecurity accelerators are nurturing a conducive environment for these startups to thrive.

10. Cyber Threat Intelligence Sharing: Sharing cyber threat intelligence is increasingly important in the META region. Governments and organisations are establishing platforms for real-time sharing of threat information, enhancing collective cybersecurity defence.

As the UAE continues to advance in AI, PPPs, and cloud security, the question remains whether these advancements will stay ahead of the ever-evolving tactics of cybercriminals. The future of cybersecurity depends on the UAE's ability to adopt cutting-edge solutions and anticipate and adapt to the next wave of threats. 


Cyberattackers Employ Elusive "CR4T" Backdoor to Target Middle Eastern Governments

 

A recent revelation by Russian cybersecurity firm Kaspersky sheds light on a covert cyber campaign dubbed DuneQuixote, which has been clandestinely targeting government bodies in the Middle East. This campaign involves the deployment of a newly identified backdoor called CR4T.

Kaspersky's investigation, initiated in February 2024, suggests that the operation might have been underway for at least a year prior. The perpetrators have taken sophisticated measures to evade detection, employing intricate methods to shield their implants from scrutiny and analysis.

The attack commences with a dropper, available in two versions: a standard executable or a DLL file, and a manipulated installer for a legitimate software tool called Total Commander. Regardless of the variant, the dropper's main task is to extract a concealed command-and-control (C2) address, utilizing a unique decryption technique to obfuscate the server's location and thwart automated malware analysis tools.

The decryption process involves combining the dropper's filename with snippets of Spanish poetry embedded in its code, followed by calculating an MD5 hash to decode the C2 server address. Upon successful decryption, the dropper establishes connections with the C2 server and fetches a subsequent payload, employing a hardcoded ID as the User-Agent string in HTTP requests.

Kaspersky notes that the payload remains inaccessible unless the correct user agent is provided, indicating a deliberate effort to restrict access. Additionally, the payload may only be downloaded once per victim or for a limited time following the malware's release.

Meanwhile, the trojanized Total Commander installer exhibits some variations while retaining the core functionality of the original dropper. It omits the Spanish poem strings and incorporates additional anti-analysis checks to detect debugging or monitoring tools, monitor cursor activity, check system RAM and disk capacity, among other measures.

CR4T, the central component of the campaign, is a memory-only implant written in C/C++, facilitating command-line execution, file operations, and data transfers between the infected system and the C2 server. Kaspersky also identified a Golang version of CR4T with similar capabilities, including executing arbitrary commands and creating scheduled tasks using the Go-ole library. The Golang variant employs COM objects hijacking for persistence and utilizes the Telegram API for C2 communication, indicating a cross-platform approach by the threat actors.

The presence of the Golang variant underscores the threat actors' ongoing efforts to refine their techniques and develop more resilient malware. Kaspersky emphasizes that the DuneQuixote campaign poses a significant threat to entities in the Middle East, showcasing advanced evasion tactics and persistence mechanisms through the use of memory-only implants and disguised droppers masquerading as legitimate software.

Israel's Intelligence Failure: Balancing Technology and Cybersecurity Challenges

On October 7, in a startling turn of events, Hamas carried out a planned invasion that escaped Israeli military detection, exposing a serious intelligence failure on Israel's part. The event brought to light Israel's vulnerabilities in its cybersecurity infrastructure as well as its over-reliance on technology for intelligence gathering.

The reliance on technology has been a cornerstone of Israel's intelligence operations, but as highlighted in reports from Al Jazeera, the very dependence might have been a contributing factor to the October 7 intelligence breakdown. The use of advanced surveillance systems, drones, and other tech-based solutions, while offering sophisticated capabilities, also poses inherent risks.

Experts suggest that an excessive focus on technological solutions might lead to a neglect of traditional intelligence methods. As Dr. Yasmine Farouk from the Middle East Institute points out, "In the pursuit of cutting-edge technology, there's a danger of neglecting the human intelligence element, which is often more adaptive and insightful."

The NPR investigation emphasizes that cybersecurity played a pivotal role in the intelligence failure. The attackers exploited vulnerabilities in Israel's cyber defenses, allowing them to operate discreetly and avoid detection. The report quotes cybersecurity analyst Rachel Levy, who states, "The attackers used sophisticated methods to manipulate data and deceive the surveillance systems, exposing a critical weakness in Israel's cyber infrastructure."

The incident underscored the need for a comprehensive reassessment of intelligence strategies, incorporating a balanced approach that combines cutting-edge technology with robust cybersecurity measures.

Israel is reassessing its dependence on tech-centric solutions in the wake of the intelligence disaster. Speaking about the need for a thorough assessment, Prime Minister Benjamin Netanyahu said, "We must learn from this incident and recalibrate our intelligence apparatus to address the evolving challenges, especially in the realm of cybersecurity."

The October 7 intelligence failure is a sobering reminder that an all-encompassing and flexible approach to intelligence is essential in this age of lightning-fast technological innovation. Finding the ideal balance between technology and human intelligence, along with strong cybersecurity measures, becomes crucial as governments struggle with changing security threats. This will help to avoid similar mistakes in the future.



The Menace of GPS Spoofing in Aviation

GPS spoofing has become an extraordinary challenge for the aviation industry in recent years. A threat that looked like it would only exist in the future is now a grim reality, with malicious GPS signal tampering causing flights worldwide to be misdirected.

GPS spoofing is a phenomenon in which phony signals are transmitted to trick GPS receivers into displaying false information about the position and trajectory of the aircraft. This not only presents a serious concern about the security of air travel, but it also calls into question the resilience of our technologically advanced and globally interconnected society.

Numerous reports demonstrate the growing frequency of GPS spoofing incidents, from India to the Middle East. India's Directorate General of Civil Aviation (DGCA) has revealed some startling information and issued an urgent advisory that airlines should follow to strengthen safety measures against signal spoofing.

The impact of GPS spoofing on aviation is far-reaching. Reports shed light on how flights are being led astray, with potential consequences that extend beyond mere inconvenience. The very essence of precision in air navigation, a cornerstone of modern aviation, is under threat. Pilots and air traffic controllers, relying heavily on GPS for accurate positioning and route planning, face the daunting challenge of distinguishing between authentic signals and deceptive ones.

The Times of India emphasizes the urgency for airlines to prepare standard operating procedures (SOPs) specifically addressing signal spoofing. Regulatory bodies are recognizing the need for a proactive approach to mitigate the risks associated with GPS manipulation. The article suggests that having robust protocols in place is essential to ensure the safety of air travel in the face of this emerging threat.

Reports delve into the mysterious occurrences of GPS spoofing in the skies of the Middle East, ringing alarm bells for Indian airlines. The DGCA's advisory underscores the seriousness of the situation, urging airlines to take immediate measures to safeguard their operations and passengers.

The growing danger of GPS spoofing serves as a sharp reminder of the risks that come with our dependence on networked systems as we commemorate one year since the dawn of this technology-driven era. To keep ahead of those looking to exploit the digital landscape, the aviation sector must quickly adapt, put strong countermeasures in place, and work with technical specialists.

GPS spoofing is becoming an increasingly serious problem, and aviation safety needs to be addressed comprehensively to keep up. It is within the industry's power to overcome these obstacles and guarantee that everyone can fly safely with increased awareness, readiness, and technical innovation.