Iranian Threat Actor OilRig Exploits Windows Kernel Flaw in UAE Cyber Espionage Campaign

by | Oct 14, 2024 | News


OilRig Exploits Windows Kernel Flaw in UAE Cyber Espionage

The Iranian cyber espionage group known as OilRig (also called APT34 or Earth Simnavaz) has been observed exploiting a privilege escalation flaw (CVE-2024-30088) in the Windows Kernel as part of an attack campaign targeting the United Arab Emirates (U.A.E.) and other Gulf nations. The flaw, patched by Microsoft in June 2024, allows attackers to gain SYSTEM privileges by exploiting a race condition.

Targeting Microsoft Exchange for Credential Theft

OilRig’s recent attacks deploy a previously undocumented backdoor, STEALHOOK, which targets Microsoft Exchange servers to exfiltrate credentials. This tactic, along with exploiting vulnerabilities like CVE-2024-30088, is being used to gain unauthorized access and maintain persistence on compromised networks. OilRig has consistently used similar methods in past attacks, demonstrating their expertise in cyber espionage and network exploitation.

The STEALHOOK Backdoor and Privilege Escalation Tactics

After initial access—gained by exploiting vulnerable web servers—OilRig deploys the STEALHOOK backdoor to steal credentials and send them via Exchange servers to attacker-controlled email addresses. The group leverages ngrok, a remote management tool, to facilitate persistence and lateral movement within targeted networks. Privilege escalation is achieved by dropping psgfilter.dll, a password filter policy DLL, to extract plaintext credentials from domain controllers and local machines.

Figure 1. Attack chain (source: Trend Micro)

Repeated Use of psgfilter.dll for Credential Theft

This technique of using psgfilter.dll was first observed in December 2022 during a separate campaign in the Middle East. OilRig continues to leverage this tool for plaintext password extraction and remote deployment, further solidifying their foothold in targeted networks. The threat actors encrypt the stolen credentials before transmitting them over networks to evade detection.
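A password filter DLL such as psgfilter.dll only works because LSA loads every DLL listed in the `Notification Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` at boot, so a defender's first check is whether that list contains anything outside the known baseline. The script below is an added example written for this article, not code from the article, Trend Micro or The Hacker News: it compares the registered filter names against a baseline and flags strangers. The baseline set `KNOWN_GOOD` (the Windows-shipped `scecli` and `rassfm`) is an assumption to be replaced with the set from your own gold image, since third-party password-policy products register here legitimately; the sample entry list is constructed for offline use.

```python
"""Flag unexpected LSA password filter DLLs (Notification Packages audit)."""
import sys
from typing import Dict, Iterable, List, Set

# Real registry location LSA reads at startup; each entry is a DLL base name
# (extension optional) that LSA loads from System32 and calls on password changes.
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"

# Assumed baseline: the two filters Windows itself ships. Replace with the set
# captured from your gold image; legitimate third-party filters also live here.
KNOWN_GOOD: Set[str] = {"scecli", "rassfm"}

# Constructed sample (not a real capture): a host where an extra filter was
# registered alongside the defaults. "psgfilter" is the name the article reports.
SAMPLE_ENTRIES = ["scecli", "rassfm", "psgfilter"]


def normalize(entry: str) -> str:
    """Reduce an entry to its lower-case base name, so 'C:\\x\\PSGFILTER.DLL',
    'psgfilter.dll' and 'psgfilter' all compare equal."""
    name = entry.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def find_unexpected_filters(entries: Iterable[str],
                            baseline: Set[str] = KNOWN_GOOD) -> List[Dict[str, str]]:
    """Return one finding per registered filter whose base name is not in baseline."""
    findings = []
    for raw in entries:
        if not raw.strip():          # REG_MULTI_SZ may carry an empty trailing element
            continue
        base = normalize(raw)
        if base not in baseline:
            findings.append({"entry": raw, "base_name": base,
                             "reason": "password filter not in baseline"})
    return findings


def read_live_entries() -> List[str]:
    """Read the value from the local registry (Windows only; needs read access to HKLM)."""
    import winreg  # standard library, available only on Windows builds of Python
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, VALUE_NAME)
    if value_type != winreg.REG_MULTI_SZ:
        raise RuntimeError(f"{VALUE_NAME} has unexpected type {value_type}")
    return list(value)


def main() -> int:
    entries = read_live_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    findings = find_unexpected_filters(entries)
    for f in findings:
        print(f"ALERT: {f['entry']!r} -> {f['base_name']} ({f['reason']})")
    if not findings:
        print("No unexpected password filters registered.")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on a domain controller as part of a scheduled baseline check; because LSA only picks up a new filter at the next boot, pairing this audit with an alert on writes to the `Notification Packages` value (and on new DLLs appearing in System32) catches the registration before the filter ever sees a password.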

Geopolitical Focus and Long-Term Persistence

OilRig, also known by aliases like Cobalt Gypsy and Helix Kitten, is heavily focused on exploiting key infrastructure in geopolitically sensitive regions. Their goal is to establish persistent footholds in compromised entities, enabling future attacks on additional targets. Their recent activity highlights a strategic emphasis on abusing vulnerabilities in critical infrastructure within the Gulf region.

Source: thehackernews.com