EC News DeskKaspersky researchers issued 49 threat intelligence reports on investigations associated with APT groups targeting the UAE. The country has the highest number of reports coming out of all the Middle Eastern countries, making it one of the most targeted countries in the region. Kaspersky has found that these APT groups primarily target the UAE’s governmental and diplomatic institutions as well as educational organizations. Other targeted entities include financial institutions, IT companies, healthcare, law firms, military and defence. Some of the notorious APT groups investigated in the UAE are the SideCopy, MuddyWater, DeathStalker, Zeboracy, Turla and Lazarus.
The research team has found that Exploit Public facing Applications, Valid Accounts, and Phishing are the most commons attack vectors against the UAE’s infrastructures.
- SideCopy APT group carries out malware campaigns targeting entities for espionage purposes.
- MuddyWater, a Middle Eastern espionage motivated APT group targets government, telco and oil companies to derive information, using compromised accounts to send spearphishing emails with targeted attachments to recipients.
- Zeboracy is a trojan that is deployed as part of cyber espionage campaigns to collect initial data from compromised systems.
- The Turla APT Group is popular for conducting watering hole and spear phishing campaigns. They infect websites regularly visited by organizations and lure them to a malicious website.
- DeathStalker is a hacker-for-hire group and mainly focus on cyberespionage against law firms and organizations in the financial sector. The group is known for using an iterative, fast-paced approach to software design, making them able to execute effective campaigns.
- The Lazarus APT group uses the watering hole attack strategy in which they observe which websites are frequented by an organization and infects one or more of them with malware.
Kaspersky has kept a close eye on UAE for Advanced Persistent Threats and worked on 49 investigative reports related to 16 cyber gangs targeting the country since the start of the pandemic in 2020
Abdessabour Arous, Security Researcher, GReAT, Kaspersky commented: “Targeted threats are getting more and more sophisticated every day. Investigating and reporting on these groups provides us great visibility into their motives and movements. From each report, we are able to form deeper insights, and equip relevant stakeholders with knowledge they need to remain protected. Today, all organisations have a pressing need to stay informed; as this allows security teams to predict what the attacker’s next move would be and take appropriate steps to protect themselves against future incidents.”
Nouf Alqahtani, Cyber Threat Intelligence Senior Analyst at STC, said: “Company employees are known to be the first line of defense against cyberattacks and shoulder the responsibility to protect data, which is the most important asset of any organization. To strengthen this line and make it impenetrable, it is imperative that organizations give cybersecurity trainings and education an equal footing across the board within the company. Perhaps make each employee across the hierarchy compliant to learn about secure ways of operating devices, sharing data internally and externally and understand the evolving nature of cybercrime. Employees knowledgeable in cybersecurity know what red flags look like when company networks, devices and information are under threat. After employees, I believe defense is started by threat intelligence, and organizations should be driven by Threat intelligence”
Artificial Intelligence, the Internet of Things, Blockchain, Fintech, and 5G are rapidly gaining traction across the UAE’s public and private sectors. The country is poised to become a global leader in the digital economy, and increasing connectivity often correlates with an increase in targeted cyber threats. The country has geared itself up to tackle even the most challenging cybersecurity attacks by placing cybersecurity at the forefront of its digital transformation. According to the Global Cybersecurity Index, the UAE ranked second in the MENA region in its commitment towards cybersecurity. Further reaffirming the government’s dedication towards improving its cybersecurity capabilities.
Researchers at Kaspersky have released information regarding a long lasting campaign by a lesser known threat actor actively targeting organizations in the Middle East. Dubbed WIRTE, the APT group primarily targets governmental and diplomatic entities across Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey with potential infections across Gulf countries. Researchers also found victims within law firms, military and technology companies.
WIRTE’s motive is cyber espionage as they’re seen using tools to collect sensitive information from their victims. They are not technically sophisticated and rely on basic toolset and stealthy techniques such as using “Living off the Land (LotL)” binaries. This type of attack effectively allows WIRTE to use legitimate assets to achieve their motives. In some instances, the group used spear-phishing emails to lure victims into opening malicious Microsoft Excel/Word documents. The group expertly tricks victims into downloading files by using logos and trending topics from the Middle East region. Researchers are currently monitoring the campaign which has been active since at least 2019 and have reported their findings on Kaspersky’s Threat Intelligence Portal.
“We are seeing new and evolving threat actors across the Middle East as the environment dynamics change. Nevertheless, their objectives remain the same – collecting sensitive information. This re-emphasizes the curial need for governments and business entities to protect their crown jewels and sensitive data from any emerging targeted threat.” Said Maher Yamout, Senior Security Researcher at Kaspersky. “The group’s most common tactic is to initially install an interpreted language VBS (Visual Basic Script) and PowerShell-based malware. After successfully gaining initial foothold, the group starts exploring the network and deploying more complex malware in order to stealthily stay under the radar and collect sensitive information.” He added.
Kaspersky continues to track WIRTE as it continues to evolve and sharpen its toolset, the group is expected to make its way through cyberspace and continue to compromise its victims with possibly expanding to other neighboring countries. To stay safe from advanced threat campaigns like WIRTE, Kaspersky experts recommend:
- Disable interpreters for scripting languages wherever possible.
- Log PowerShell scripts executed on user machines.
- Detect unusual user-agents in network traffic
- Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
- Install anti-APT and EDR solutions, enabling threat discovery and detection, investigation and timely remediation of incidents capabilities.
- Provide your staff with basic cybersecurity hygiene training for phishing or other social engineering techniques
Learn more about the WIRTE APT group in the blog post at Securelist.com
