Iranian Hackers Now Exploit Windows Flaw to Elevate Privileges

Summary:
The recent activities of Iranian state-sponsored hacking group APT34, also known as OilRig, have focused on government and critical infrastructure entities in the UAE and Gulf region. Trend Micro researchers identified a new campaign in which OilRig deployed a novel backdoor to target Microsoft Exchange servers for credential theft. The group also exploited the Windows vulnerability CVE-2024-30088, a high-severity flaw allowing attackers to escalate privileges to the system level. OilRig’s attack chain begins with exploiting vulnerable web servers, leading to the deployment of a web shell for remote code execution. Afterward, they use additional tools, including one specifically designed to exploit CVE-2024-30088. This allows them to gain system-level privileges, granting significant control over compromised devices.

Once inside the system, OilRig registers a password filter DLL to intercept plaintext credentials during password change events. They then install ‘ngrok,’ a tool for secure, stealthy communications through encrypted tunnels. A new tactic includes targeting on-premise Microsoft Exchange servers to steal credentials and exfiltrate sensitive data using legitimate email traffic to evade detection. The exfiltration process involves a backdoor named ‘StealHook,’ which captures passwords and transmits them to attackers via email attachments. Trend Micro observed that government infrastructure is often used to make the process appear legitimate, with the attackers using compromised legitimate accounts to route the emails through government Exchange servers. With the energy sector being the primary target, operational disruptions caused by these attacks could have significant regional impacts, affecting critical services and infrastructure essential to millions. The potential addition of ransomware to their attack strategies could further heighten the risks posed by OilRig in future campaigns.
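As an added defender-side check (not code from the Trend Micro report or this brief), the following PowerShell audits the LSA registry value in which password filter DLLs are registered, the mechanism described above; the known-good baseline list is an assumption to adjust for each environment.

```powershell
# Added example: audit password filter DLLs that LSASS is configured to load.
# Password filters are listed (without the .dll extension) in the REG_MULTI_SZ value
# "Notification Packages" under the LSA key and are loaded from %SystemRoot%\System32.
# Run in an elevated PowerShell on domain controllers and member servers.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumed baseline of Windows defaults; extend it with filters you deploy deliberately
# (for example a vendor password-policy filter) after verifying them once.
$knownGood = @('scecli', 'rassfm')

function Get-PasswordFilterAudit {
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($pkg in $packages) {
        $dllPath  = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $exists   = Test-Path -LiteralPath $dllPath
        $msSigned = $false
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            $msSigned = ($sig.Status -eq 'Valid') -and
                        ($sig.SignerCertificate.Subject -like '*Microsoft*')
        }
        $status = if (-not $exists) { 'DANGLING' }                   # entry with no DLL on disk
                  elseif ($knownGood -notcontains $pkg) { 'UNEXPECTED' } # not in baseline: investigate
                  elseif (-not $msSigned) { 'UNSIGNED' }             # baseline name, non-Microsoft binary
                  else { 'OK' }
        [PSCustomObject]@{
            Package         = $pkg
            Path            = $dllPath
            MicrosoftSigned = $msSigned
            Status          = $status
        }
    }
}

Get-PasswordFilterAudit | Format-Table -AutoSize
```

Pair the periodic audit with alerting on writes to that registry value (for example Sysmon Event ID 13, registry value set), since a filter registered by an attacker only takes effect after the next reboot of LSASS and the audit alone may lag the change.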

Security Officer Comments:
Trend Micro also noted code similarities between StealHook and older OilRig backdoors like Karkoff, indicating that StealHook is an evolved version of previous tools rather than an entirely new creation. This highlights OilRig’s continuous refinement of its attack toolkit. Additionally, there are growing concerns about OilRig’s possible affiliation with FOX Kitten, another Iran-based APT group involved in ransomware attacks. While the exact relationship between the two groups remains unclear, the connection raises concerns that OilRig may incorporate ransomware into its operations.

Suggested Corrections:
Intelligence-driven incident response will be essential in effectively managing and mitigating these types of attacks. While the group’s techniques haven’t evolved drastically, implementing a Zero Trust architecture, alongside mature SOC, EDR, and MDR capabilities, can greatly enhance defensive measures against threats like the one posed by Earth Simnavaz (Trend Micro’s name for OilRig).

IOCs:
https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html

Link(s):
https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html