OilRig Intensifies Cyber Espionage in Gulf Region, Exploits Windows Kernel Flaw
The Iran-linked cyberespionage group OilRig (also known as APT34, Cobalt Gypsy, Earth Simnavaz, and Helix Kitten) has been ramping up its cyber operations against government entities across the Gulf region, cybersecurity firm Trend Micro reports. This advanced persistent threat (APT) group, active since at least 2014, continues to target the energy sector and other critical infrastructures in alignment with Iranian government interests.
Increased Activity Targeting Gulf Governments
In recent months, OilRig has notably increased its cyberattacks on government sectors in the United Arab Emirates (UAE) and the broader Gulf region. Trend Micro’s recent analysis highlights the deployment of a new, highly sophisticated backdoor aimed at stealing credentials from on-premises Microsoft Exchange servers.
Exploiting Windows Kernel Vulnerability CVE-2024-30088
A significant aspect of OilRig’s latest operations is the group’s exploitation of the recently patched Windows kernel vulnerability (CVE-2024-30088). Microsoft addressed this elevation-of-privilege flaw in June, but this is the first observed in-the-wild exploitation of the vulnerability. Although Microsoft flagged the flaw as one likely to be exploited, there had been no confirmed reports of active abuse until now.
Tactics and Techniques
OilRig's initial point of entry into targeted networks often involves uploading a web shell to a vulnerable server, allowing attackers to execute PowerShell commands and upload or download files. After gaining access, the group deploys the Ngrok remote monitoring and management tool to establish persistence and facilitate lateral movement across the network. They then escalate privileges by exploiting CVE-2024-30088 to compromise the Domain Controller.
Once inside, OilRig registers a password filter DLL, extracts clean-text passwords, and uses compromised credentials to access Exchange Servers. Data is exfiltrated by sending stolen credentials via email to attackers, leveraging legitimate government accounts to mask the malicious activity.
Supply Chain Threats Looming
Trend Micro’s findings suggest that OilRig may also leverage compromised accounts for supply chain attacks on additional government entities. The group's previous operations indicate a propensity to use one compromised organization as a stepping stone to infiltrate others, potentially launching phishing campaigns against new targets using the stolen credentials.
This heightened level of activity, combined with OilRig's exploitation of the latest Windows vulnerabilities and advanced credential theft tactics, underscores the increasing threat to Gulf governments and critical infrastructure. The group’s ability to maintain persistence and exploit network vulnerabilities makes it a significant threat in the region’s cybersecurity landscape.
Source: https://thehackernews.com
No comments:
Post a Comment