Iranian Threat Actor OilRig Exploits Windows Kernel Flaw in UAE Cyber Espionage Campaign
The Iranian cyber espionage group known as OilRig (also called APT34 or Earth Simnavaz) has been observed exploiting a privilege escalation flaw (CVE-2024-30088) in the Windows Kernel as part of an attack campaign targeting the United Arab Emirates (U.A.E.) and other Gulf nations. The flaw, patched by Microsoft in June 2024, allows attackers to gain SYSTEM privileges by exploiting a race condition.
Targeting Microsoft Exchange for Credential Theft
OilRig’s recent attacks deploy a previously undocumented backdoor, STEALHOOK, which targets Microsoft Exchange servers to exfiltrate credentials. This tactic, along with exploiting vulnerabilities like CVE-2024-30088, is being used to gain unauthorized access and maintain persistence on compromised networks. OilRig has consistently used similar methods in past attacks, demonstrating their expertise in cyber espionage and network exploitation.
The STEALHOOK Backdoor and Privilege Escalation Tactics
After initial access—gained by exploiting vulnerable web servers—OilRig deploys the STEALHOOK backdoor to steal credentials and send them via Exchange servers to attacker-controlled email addresses. The group leverages ngrok, a remote management tool, to facilitate persistence and lateral movement within targeted networks. Privilege escalation is achieved by dropping psgfilter.dll, a password filter policy DLL, to extract plaintext credentials from domain controllers and local machines.
Repeated Use of psgfilter.dll for Credential Theft
This technique of using psgfilter.dll was first observed in December 2022 during a separate campaign in the Middle East. OilRig continues to leverage this tool for plaintext password extraction and remote deployment, further solidifying their foothold in targeted networks. The threat actors encrypt the stolen credentials before transmitting them over networks to evade detection.
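A password filter DLL registered under the LSA "Notification Packages" value is called by Windows with the plaintext password on every password change, which is what makes a dropped filter such as the psgfilter.dll described above so effective for credential theft. The following PowerShell check is an added defender-side example, not code from the original article or from any vendor report: it enumerates the registered notification packages on the local host, flags any name outside a known-good allowlist, and checks whether the corresponding DLL in System32 carries a valid Authenticode signature. The allowlist (scecli on all hosts, rassfm additionally on domain controllers) is an assumption based on a default Windows install; add any legitimate third-party password filters used in your environment.

```powershell
# Added defender-side check (not part of the original article): list LSA password
# filter DLLs registered in "Notification Packages" and flag unexpected or unsigned ones.
# Assumption: the allowlist below reflects a default Windows install; extend it for
# legitimate third-party password filters deployed in your environment.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$knownGood = @('scecli', 'rassfm')

# "Notification Packages" is REG_MULTI_SZ; each entry is a DLL base name without ".dll".
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

foreach ($pkg in $packages) {
    # LSA loads password filters from %SystemRoot%\System32.
    $dllPath = Join-Path $env:SystemRoot "System32\$pkg.dll"

    $allowlist = if ($knownGood -contains $pkg) { 'known-good' } else { 'UNEXPECTED' }

    $sigStatus = 'file-missing'
    if (Test-Path -Path $dllPath) {
        # Status is Valid for a correctly signed binary; NotSigned/HashMismatch warrant review.
        $sigStatus = (Get-AuthenticodeSignature -FilePath $dllPath).Status
    }

    [pscustomobject]@{
        Package   = $pkg
        Path      = $dllPath
        Allowlist = $allowlist
        Signature = $sigStatus
    }
}
```

Run it elevated on domain controllers first, since that is where a password filter harvests the most credentials; any package marked UNEXPECTED, or a known-good name whose DLL does not report a Valid signature, is worth pulling for analysis together with the registry key's last-write time.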
Geopolitical Focus and Long-Term Persistence
OilRig, also known by aliases like Cobalt Gypsy and Helix Kitten, is heavily focused on exploiting key infrastructure in geopolitically sensitive regions. Their goal is to establish persistent footholds in compromised entities, enabling future attacks on additional targets. Their recent activity highlights a strategic emphasis on abusing vulnerabilities in critical infrastructure within the Gulf region.
Source: thehackernews.com