The Growing Shadow of Undetected Cyber Attacks in the Middle East

Businesses in the Middle East targeted by cyberattacks

Over the past few years, businesses in the Middle East have faced a series of targeted cyberattacks that use advanced techniques. Researchers at Fortinet have reported attacks on Saudi Arabia and other Middle Eastern countries that combine the open source tool "Donut" with a variant of the Wintapix kernel driver. The tooling has been active since at least mid-2020 and has been used in several campaigns over that period. Donut generates x86 or x64 shellcode from a .NET assembly; that shellcode can be injected into an arbitrary Windows process and run entirely in memory. In the attacks described, Wintapix is loaded into the kernel, and from there an embedded shellcode is injected into a suitable process that runs with local SYSTEM privileges; the shellcode then decrypts, loads and executes the .NET payload.
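As an added example, not code from the article or from Fortinet's report, the following Python script shows how the two behaviours just described, an untrusted kernel driver being loaded and a thread being injected into a SYSTEM process, can be flagged from Sysmon-style event logs. The events, signer names, paths and the allowlist of legitimate injecting processes are all constructed for this example; the field names follow Sysmon Event ID 6 (DriverLoad) and Event ID 8 (CreateRemoteThread), and the TargetUser field assumes a Sysmon version that records it.

```python
"""Detection heuristics for two behaviours described in the article:
an untrusted kernel driver being loaded, and a thread being injected
into a privileged process. Runs over constructed Sysmon-style events
(Event ID 6 DriverLoad, Event ID 8 CreateRemoteThread). The sample
events are made up for this example and are not Fortinet telemetry
or Wintapix indicators."""

from dataclasses import dataclass
from typing import Iterable, List, Optional

# Processes that legitimately create threads in other processes on Windows.
# This allowlist is an assumption for the example; tune it to your estate.
KNOWN_INJECTORS = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\services.exe",
}
SYSTEM_USER = "nt authority\\system"
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def check_driver_load(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 6: flag a driver whose Authenticode signature is not
    valid, or one that loads from outside the normal driver directory."""
    image = ev.get("ImageLoaded", "")
    signed = ev.get("Signed", "false").lower() == "true"
    status = ev.get("SignatureStatus", "")
    if not signed or status != "Valid":
        return Finding(6, "driver_bad_signature",
                       f"{image} (Signed={signed}, SignatureStatus={status})")
    if not image.lower().startswith(DRIVER_DIR):
        return Finding(6, "driver_unusual_path", image)
    return None


def check_remote_thread(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 8: flag a thread created in a SYSTEM process by a
    different image that is not a known legitimate injector. A kernel-mode
    injector may surface here with the System process as SourceImage."""
    src = ev.get("SourceImage", "").lower()
    dst = ev.get("TargetImage", "").lower()
    target_user = ev.get("TargetUser", "").lower()
    if src == dst or target_user != SYSTEM_USER:
        return None
    if src in KNOWN_INJECTORS:
        return None
    return Finding(8, "remote_thread_into_system_process",
                   f"{ev.get('SourceImage')} -> {ev.get('TargetImage')} "
                   f"start={ev.get('StartAddress', '?')}")


def detect(events: Iterable[dict]) -> List[Finding]:
    """Apply the per-event checks and collect every finding."""
    findings: List[Finding] = []
    for ev in events:
        f = None
        if ev.get("EventID") == 6:
            f = check_driver_load(ev)
        elif ev.get("EventID") == 8:
            f = check_remote_thread(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample events in the shape of Sysmon fields (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\example.sys",
     "Signed": "true", "SignatureStatus": "Expired", "Signature": "Example Vendor Ltd"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\helper.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Vendor Ltd"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetUser": "NT AUTHORITY\\SYSTEM", "StartAddress": "0x7FFA12340000"},
    {"EventID": 8, "SourceImage": "C:\\Users\\Public\\loader.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetUser": "NT AUTHORITY\\SYSTEM", "StartAddress": "0x000001F3A0B20000"},
    {"EventID": 8, "SourceImage": "C:\\Users\\Public\\loader.exe",
     "TargetImage": "C:\\Users\\Public\\loader.exe",
     "TargetUser": "CORP\\alice", "StartAddress": "0x000001F3A0B20000"},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.rule}: {f.detail}")
```

Run directly, the script reports three findings: the expired driver signature, the driver loading from a user-writable path, and the thread started in svchost.exe by an unknown image. These rules are a starting point rather than a complete detection: a signed driver with a valid signature can still be malicious, so the signature check should be paired with a blocklist of known-abused drivers and signers, and the injector allowlist will need tuning to avoid noise from endpoint agents.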

Targets and Threat Actors

The attacks appear to target specific organizations, although the researchers give no details about them. Fortinet's telemetry shows that Saudi Arabia has been the primary target, accounting for 65% of the lookups for the driver. The threat actor behind the attacks is still unknown, but the report points to Iranian threat actors, who have in the past exploited Microsoft Exchange servers to deploy additional malware. Which organizations were targeted, and what the attackers were after, remains unclear.

Detection and Living-off-the-land approach

The campaign has been active for several years, and it is unclear how long it went undetected. Ciarán Walsh, an associate research engineer at Tenable, notes that depending on the nature of the attack and the sophistication of the threat actor, a campaign could go undetected for an extended period. The living-off-the-land approach is a technique in which attackers use tools already present in the victim's environment to carry out multiple stages of an attack without being detected. Rather than introducing custom malware that security products may recognise, the attackers use utilities built into the operating system, which are less likely to trigger an alert or even be deemed suspicious.

Advice to Businesses

Businesses in the Middle East and organizations that operate in the region should be aware of the risk and take steps to strengthen their defenses. Well-known open source tooling is the part of such an attack most likely to be caught by existing signatures, while the custom components around it are not, so detection should not rely on signatures alone: a multi-layered approach that combines customized countermeasures with tested remediation procedures is essential. Organizations should also conduct regular vulnerability assessments and invest in threat intelligence programs. All systems and software should be kept up to date and patched, since vulnerabilities in third-party software and applications can also be exploited by attackers. Finally, an incident response plan must be in place before an attack occurs, not drawn up during one.

The Bottomline

These attacks in the Middle East underscore the growing sophistication of threat actors and the evolving nature of cyberattacks. Organizations should remain vigilant and take a proactive approach to securing their systems and networks. As the threat landscape continues to evolve, businesses need to invest in cybersecurity measures to protect their assets and customers from the threats described here.

Photo by cottonbro studio