

Ethical Hacking News

Iranian Hackers Exploit Windows Flaw to Elevate Privileges: A Growing Concern for Global Cybersecurity



Iranian hackers are exploiting a previously unknown Windows flaw to gain elevated privileges on compromised devices, highlighting the ongoing threat of state-sponsored hacking groups in the region. As OilRig's attack chain reveals, this vulnerability allows attackers to escalate their privileges to the SYSTEM level, granting them significant control over compromised devices. Understanding this exploit is crucial for organizations worldwide to prioritize patching and vulnerability management.

  • Iranian hackers affiliated with APT34 (OilRig) have escalated their activities targeting government and critical infrastructure entities in the UAE and Gulf region.
  • The attackers deployed a novel backdoor on Microsoft Exchange servers to steal credentials and exploited the Windows CVE-2024-30088 flaw to elevate privileges.
  • Microsoft has acknowledged a proof-of-concept exploit for CVE-2024-30088 but has not yet marked the flaw as actively exploited, which makes a timely vulnerability management timeline crucial.
  • Attackers registered a password filter DLL to intercept plaintext credentials and used 'ngrok' for stealthy communications through secure tunnels.
  • The latest backdoor, StealHook, facilitates the capture of stolen passwords and transmits them as email attachments.
  • Code similarities between StealHook and past OilRig backdoors suggest an evolutionary step rather than a new creation.
  • The possible association with FOX Kitten raises concerns that ransomware could be added to their attack arsenal, with severe consequences for the energy sector.



    Iranian hackers, affiliated with the state-sponsored hacking group APT34, aka OilRig, have recently escalated their activities by targeting government and critical infrastructure entities in the United Arab Emirates and the Gulf region. The attacks, spotted by Trend Micro researchers, involve the deployment of a novel backdoor on Microsoft Exchange servers to steal credentials, as well as the exploitation of the Windows CVE-2024-30088 flaw to elevate their privileges on compromised devices.

    The latest attack chain, revealed by Trend Micro, begins with the exploitation of a vulnerable web server to upload a web shell, giving the attackers the ability to execute remote code and PowerShell commands. Once the web shell is active, OilRig leverages it to deploy additional tools, including a component designed to exploit the Windows CVE-2024-30088 flaw. This vulnerability, identified by Microsoft in June 2024, enables attackers to escalate their privileges to the SYSTEM level, granting them significant control over compromised devices.

    The fact that Microsoft has acknowledged a proof-of-concept exploit for CVE-2024-30088 but has not yet marked the flaw as actively exploited on its security portal highlights the evolving nature of cybersecurity threats. Moreover, CISA has also not reported it as previously exploited in their Known Exploited Vulnerability catalog, underscoring the importance of timely patching and vulnerability management.

    The attackers' tactics, as revealed by Trend Micro, involve registering a password filter DLL to intercept plaintext credentials during password change events and then downloading and installing the remote monitoring and management tool 'ngrok,' used for stealthy communications through secure tunnels. Additionally, OilRig has been observed exploiting on-premise Microsoft Exchange servers to steal credentials and exfiltrate sensitive data via legitimate email traffic that is hard to detect.
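    The password filter technique above works because LSASS loads every DLL named in the LSA "Notification Packages" registry value at boot and hands each one the plaintext of every password change, so a rogue entry is both a credential-theft hook and a persistence mechanism. The following audit script is an added example written for this page; it is not code from the article or from Trend Micro's report. It lists each registered package, resolves it to a file, checks the Authenticode signature, and flags anything that is not on a known-good list, then looks for running ngrok processes or services. The known-good list (scecli and rassfm) is an assumption to tune per environment, and the script must run as an administrator on the Windows host being checked.

```powershell
# Added example (not from the article or Trend Micro). Run elevated on the host.
# ASSUMPTION: $knownGood holds the Windows defaults; add any password filter your
# organization deployed on purpose so it is not reported.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$knownGood = @('scecli', 'rassfm')

function Get-PasswordFilterFindings {
    # REG_MULTI_SZ: one DLL base name (or full path) per entry, loaded by LSASS at boot
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        # Bare names resolve from System32; a path-like entry is used as given
        $path = if ($name -match '[\\/]') { $name } else { Join-Path $env:SystemRoot "System32\$name.dll" }
        $exists = Test-Path -Path $path
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $isMicrosoft = $exists -and ($sig.Status -eq 'Valid') -and
                       ($sig.SignerCertificate.Subject -like '*Microsoft*')
        [pscustomobject]@{
            Package    = $name
            Path       = $path
            Exists     = $exists
            Signature  = if ($sig) { $sig.Status } else { 'N/A' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Anything unexpected or not Microsoft-signed deserves a human look
            Suspicious = ($knownGood -notcontains $name) -or (-not $isMicrosoft)
        }
    }
}

function Get-NgrokFindings {
    # Tunnel client artifacts: processes or services whose image or command line mentions ngrok
    $procs = Get-CimInstance -ClassName Win32_Process |
             Where-Object { $_.Name -like '*ngrok*' -or $_.CommandLine -like '*ngrok*' } |
             Select-Object ProcessId, Name, CommandLine
    $svcs  = Get-CimInstance -ClassName Win32_Service |
             Where-Object { $_.PathName -like '*ngrok*' } |
             Select-Object Name, PathName, State
    [pscustomobject]@{ Processes = @($procs); Services = @($svcs) }
}

$filters = Get-PasswordFilterFindings
$filters | Format-Table -AutoSize
$filters | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Unexpected password filter: $($_.Package) -> $($_.Path) [$($_.Signature)]"
}

$ngrok = Get-NgrokFindings
if ($ngrok.Processes.Count -gt 0 -or $ngrok.Services.Count -gt 0) {
    Write-Warning 'ngrok artifacts found on this host'
    $ngrok.Processes | Format-Table -AutoSize
    $ngrok.Services  | Format-Table -AutoSize
}
```

    A one-off audit like this catches an existing registration; for ongoing detection, alert on writes to the "Notification Packages" value and collect Security event 4614 ("A notification package has been loaded by the Security Account Manager"), which records each package LSASS loads at boot. Enabling LSA protection (RunAsPPL) is the preventive control, since it restricts the DLLs LSASS will load to ones meeting Microsoft's signing requirements.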

    The latest backdoor, named 'StealHook,' facilitates the capture of stolen passwords and transmits them to the attackers as email attachments. Trend Micro notes that government infrastructure often serves as a pivot point for making the process appear legitimate, with the threat actors leveraging legitimate accounts with stolen passwords to route these emails through government Exchange servers.

    Notably, there are code similarities between StealHook and backdoors used by OilRig in past campaigns, such as Karkoff. This suggests that the latest malware appears to be an evolutionary step rather than a novel creation from scratch. Furthermore, this is not the first time OilRig has utilized Microsoft Exchange servers as an active component of their attacks. Almost a year ago, Symantec reported that APT34 installed a PowerShell backdoor dubbed 'PowerExchange' on on-premise Exchange servers capable of receiving and executing commands via email.

    The association between OilRig and FOX Kitten, another Iran-based APT group involved in ransomware attacks, is still unclear but raises concerns about the potential addition of ransomware to their attack arsenal. Given that most of the targeted entities are in the energy sector, operational disruptions in these organizations could have severe consequences for many people.

    In light of this ongoing threat landscape, it is essential for organizations worldwide to prioritize vulnerability management and patching of critical software vulnerabilities. Regular monitoring and incident response planning will also help mitigate the impact of such attacks.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/oilrig-hackers-now-exploit-windows-flaw-to-elevate-privileges/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-30088

  • https://www.cvedetails.com/cve/CVE-2024-30088/

  • https://attack.mitre.org/groups/G0117/

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a


  • Published: Sun Oct 13 11:52:19 2024 by llama3.2 3B Q4_K_M
