
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

Iranian Hackers Now Exploit Windows Flaw to Elevate Privileges

Summary:
The recent activities of Iranian state-sponsored hacking group APT34, also known as OilRig, have focused on government and critical infrastructure entities in the UAE and Gulf region. Trend Micro researchers identified a new campaign in which OilRig deployed a novel backdoor to target Microsoft Exchange servers for credential theft. The group also exploited the Windows vulnerability CVE-2024-30088, a high-severity flaw allowing attackers to escalate privileges to the system level. OilRig’s attack chain begins with exploiting vulnerable web servers, leading to the deployment of a web shell for remote code execution. Afterward, they use additional tools, including one specifically designed to exploit CVE-2024-30088. This allows them to gain system-level privileges, granting significant control over compromised devices.

Once inside the system, OilRig registers a password filter DLL to intercept plaintext credentials during password change events. They then install ‘ngrok,’ a tool for secure, stealthy communications through encrypted tunnels. A new tactic includes targeting on-premise Microsoft Exchange servers to steal credentials and exfiltrate sensitive data using legitimate email traffic to evade detection. The exfiltration process involves a backdoor named ‘StealHook,’ which captures passwords and transmits them to attackers via email attachments. Trend Micro observed that government infrastructure is often used to make the process appear legitimate, with the attackers using compromised legitimate accounts to route the emails through government Exchange servers. With the energy sector being the primary target, operational disruptions caused by these attacks could have significant regional impacts, affecting critical services and infrastructure essential to millions. The potential addition of ransomware to their attack strategies could further heighten the risks posed by OilRig in future campaigns.
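The password-filter registration described above leaves a trace defenders can audit: every package LSA loads on password change events is listed in the Notification Packages value under the Lsa registry key. As an added example (not code from the Trend Micro report or from this site), the Python below decodes that REG_MULTI_SZ value from a constructed `reg export` fragment and flags any package outside an assumed allowlist of the Windows defaults; the "pwfilter" entry in the sample is a hypothetical rogue package, not an indicator from the report.

```python
import re

# Assumption: default password-filter packages shipped with Windows. Extend this
# allowlist with packages your environment legitimately installs before relying on it.
KNOWN_GOOD_PACKAGES = {"scecli", "rassfm"}

# Constructed sample of what `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa`
# produces for the value. It encodes "scecli", "rassfm" and a hypothetical "pwfilter".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,72,00,\
  61,00,73,00,73,00,66,00,6d,00,00,00,70,00,77,00,66,00,69,00,6c,00,74,00,65,\
  00,72,00,00,00,00,00
"""


def parse_multi_sz(reg_text: str, value_name: str) -> list[str]:
    """Return the strings stored in a REG_MULTI_SZ value of a .reg export.

    .reg files encode REG_MULTI_SZ as hex(7): comma-separated UTF-16LE bytes,
    each string NUL-terminated, with an extra NUL closing the list. Long values
    wrap onto continuation lines that end in a backslash.
    """
    # Re-join wrapped lines: ",\<newline><indent>" continues the same value.
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)
    pattern = re.compile(
        r'^"' + re.escape(value_name) + r'"=hex\(7\):([0-9a-fA-F,]+)$', re.M
    )
    match = pattern.search(joined)
    if not match:
        raise ValueError(f"{value_name!r} not found or not stored as REG_MULTI_SZ")
    raw = bytes(int(byte, 16) for byte in match.group(1).split(",") if byte)
    text = raw.decode("utf-16-le")
    # Splitting on NUL leaves empty strings for the terminators; drop them.
    return [entry for entry in text.split("\x00") if entry]


def suspicious_password_filters(reg_text: str) -> list[str]:
    """Flag Notification Packages entries absent from the allowlist (case-insensitive)."""
    packages = parse_multi_sz(reg_text, "Notification Packages")
    return [pkg for pkg in packages if pkg.lower() not in KNOWN_GOOD_PACKAGES]


if __name__ == "__main__":
    for pkg in suspicious_password_filters(SAMPLE_REG_EXPORT):
        print(f"unexpected password filter package: {pkg}")
```

Any flagged package name maps to a DLL in System32 whose origin, signature and install time should then be examined alongside LSA-related event logs.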

Security Officer Comments:
Trend Micro also noted code similarities between StealHook and older OilRig backdoors like Karkoff, indicating that StealHook is an evolved version of previous tools rather than an entirely new creation. This highlights OilRig’s continuous refinement of its attack toolkit. Additionally, there are growing concerns about OilRig’s possible affiliation with FOX Kitten, another Iran-based APT group involved in ransomware attacks. While the exact relationship between the two groups remains unclear, the connection raises concerns that OilRig may incorporate ransomware into its operations.

Suggested Corrections:
Intelligence-driven incident response will be essential in effectively managing and mitigating these types of attacks. While the group’s techniques haven’t evolved drastically, implementing a Zero Trust architecture, alongside mature SOC, EDR, and MDR capabilities, can greatly enhance defensive measures against threats like the one posed by Earth Simnavaz.

IOCs:
https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html

Link(s):
https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html