Ethical Hacking News
OilRig, an Iranian threat actor, has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a sophisticated cyber espionage campaign targeting the U.A.E. and the broader Gulf region. According to Trend Micro researchers, the group uses advanced tactics including deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities like CVE-2024-30088 for privilege escalation.
OilRig, an Iranian threat actor, has exploited a now-patched privilege escalation flaw in Windows Kernel as part of a sophisticated cyber espionage campaign targeting the U.A.E. and the broader Gulf region.The group uses advanced tactics, including deploying backdoors on Microsoft Exchange servers for credentials theft and exploiting vulnerabilities like CVE-2024-30088 for privilege escalation.OilRig has been tracked under several monikers, including Earth Simnavaz, APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm, and Helix Kitten.The attack chains involve deploying a previously undocumented implant that exfiltrates credentials through on-premises Microsoft Exchange servers.The group abuses elevated privileges to extract sensitive credentials from domain users via domain controllers or local accounts on local machines.The use of psgfilter.dll highlights the importance of keeping software up-to-date and implementing robust security measures to protect against such threats.
The world of cybersecurity has witnessed numerous breaches and attacks in recent times, leaving many organizations scrambling to patch vulnerabilities and protect themselves from cyber threats. In a latest development that has sent shockwaves throughout the industry, Iranian threat actor OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a sophisticated cyber espionage campaign targeting the U.A.E. and the broader Gulf region.
According to Trend Micro researchers Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, and Nick Dai, the group utilizes advanced tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities like CVE-2024-30088 for privilege escalation. This is not an isolated incident, as OilRig has been tracked under the moniker Earth Simnavaz, which is also referred to as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten.
The attack chains entail the deployment of a previously undocumented implant that comes with capabilities to exfiltrate credentials through on-premises Microsoft Exchange servers, a tried-and-tested tactic adopted by the adversary in the past, while also incorporating recently disclosed vulnerabilities to its exploit arsenal. CVE-2024-30088, patched by Microsoft in June 2024, concerns a case of privilege escalation in the Windows kernel that could be exploited to gain SYSTEM privileges, assuming the attackers can win a race condition.
Initial access to target networks is facilitated by means of infiltrating a vulnerable web server to drop a web shell, followed by dropping the ngrok remote management tool to maintain persistence and move to other endpoints in the network. The privilege escalation vulnerability subsequently serves as a conduit to deliver the backdoor, codenamed STEALHOOK, responsible for transmitting harvested data via the Exchange server to an email address controlled by the attacker in the form of attachments.
A notable technique employed by OilRig in the latest set of attacks involves the abuse of the elevated privileges to drop the password filter policy DLL (psgfilter.dll) in order to extract sensitive credentials from domain users via domain controllers or local accounts on local machines. The malicious actor took great care in working with the plaintext passwords while implementing the password filter export functions. The threat actor also utilized plaintext passwords to gain access and deploy tools remotely. The plaintext passwords were first encrypted before being exfiltrated when sent over networks.
The researchers noted that the use of psgfilter.dll was observed back in December 2022 in a connection with a campaign targeting organizations in the Middle East using another backdoor dubbed MrPerfectionManager. "Their recent activity suggests that Earth Simnavaz is focused on abusing vulnerabilities in key infrastructure of geopolitically sensitive regions," the researchers noted. "They also seek to establish a persistent foothold in compromised entities, so these can be weaponized to launch attacks on additional targets."
The discovery of this new attack vector highlights the importance of keeping software up-to-date and implementing robust security measures to protect against such threats. As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and proactive in their cybersecurity efforts.
In conclusion, OilRig's exploitation of the Windows Kernel flaw has exposed vulnerabilities that were previously unknown to researchers. The use of sophisticated tactics by this group serves as a reminder of the ever-evolving nature of cyber threats and the importance of staying informed about new vulnerabilities and attack vectors.
Related Information:
https://thehackernews.com/2024/10/oilrig-exploits-windows-kernel-flaw-in.html
https://nvd.nist.gov/vuln/detail/CVE-2024-30088
https://www.cvedetails.com/cve/CVE-2024-30088/
https://en.wikipedia.org/wiki/Helix_Kitten
https://www.microsoft.com/en-us/security/security-insider/hazel-sandstorm
https://attack.mitre.org/groups/G0049/
https://thehackernews.com/2023/09/iranian-apt-group-oilrig-using-new.html
Published: Sun Oct 13 06:47:44 2024 by llama3.2 3B Q4_K_M
