Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Iranian Cyberspies Exploiting Recent Windows Kernel Vulnerability 

The Iran-linked APT OilRig has intensified cyber operations against the United Arab Emirates and the broader Gulf region.

Iran cyberattacks

The Iran-linked cyberespionage group OilRig has been observed intensifying cyber operations against government entities in the Gulf region, cybersecurity firm Trend Micro reports.

Also tracked as APT34, Cobalt Gypsy, Earth Simnavaz, and Helix Kitten, the advanced persistent threat (APT) actor has been active since at least 2014, targeting entities in the energy, and other critical infrastructure sectors, and pursuing objectives aligned with those of the Iranian government.

“In recent months, there has been a notable rise in cyberattacks attributed to this APT group specifically targeting government sectors in the United Arab Emirates (UAE) and the broader Gulf region,” Trend Micro says.

As part of the newly observed operations, the APT has been deploying a sophisticated new backdoor for the exfiltration of credentials through on-premises Microsoft Exchange servers.

Additionally, OilRig was seen abusing the dropped password filter policy to extract clean-text passwords, leveraging the Ngrok remote monitoring and management (RMM) tool to tunnel traffic and maintain persistence, and exploiting CVE-2024-30088, a Windows kernel elevation of privilege bug.

Microsoft patched CVE-2024-30088 in June and this appears to be the first report describing exploitation of the flaw. The tech giant’s advisory does not mention in-the-wild exploitation at the time of writing, but it does indicate that ‘exploitation is more likely’. 

“The initial point of entry for these attacks has been traced back to a web shell uploaded to a vulnerable web server. This web shell not only allows the execution of PowerShell code but also enables attackers to download and upload files from and to the server,” Trend Micro explains.

After gaining access to the network, the APT deployed Ngrok and leveraged it for lateral movement, eventually compromising the Domain Controller, and exploited CVE-2024-30088 to elevate privileges. It also registered a password filter DLL and deployed the backdoor for credential harvesting.

Advertisement. Scroll to continue reading.

The threat actor was also seen using compromised domain credentials to access the Exchange Server and exfiltrate data, the cybersecurity firm says.

“The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments. Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers,” Trend Micro explains.

The backdoor deployed in these attacks, which shows similarities with other malware employed by the APT, would retrieve usernames and passwords from a specific file, retrieve configuration data from the Exchange mail server, and send emails to a specified target address.

“Earth Simnavaz has been known to leverage compromised organizations to conduct supply chain attacks on other government entities. We expected that the threat actor could use the stolen accounts to initiate new attacks through phishing against additional targets,” Trend Micro notes.

Related: US Agencies Warn Political Campaigns of Iranian Phishing Attacks

Related: Former British Cyberespionage Agency Employee Gets Life in Prison for Stabbing an American Spy

Related: MI6 Spy Chief Says China, Russia, Iran Top UK Threat List

Related: Iran Says Fuel System Running Again After Cyber Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.