The OilRig hackers use a Windows flaw to escalate privileges

October 15, 2024

OilRig, an Iranian state-sponsored advanced persistent threat group, has increased its malicious activities by using a Windows vulnerability to target various government and private companies in the Middle East.

According to reports, this group, also known as APT34, used a novel backdoor to harvest credentials from MS Exchange servers. Moreover, the group exploited the Windows CVE-2024-30088 bug to escalate their privileges on compromised devices.

Figure: The OilRig attack process can start through a vulnerable web server.

The OilRig hacking campaign begins with exploiting a vulnerable web server to upload a web shell. The web shell lets the threat actors execute code remotely and run PowerShell commands on the server.

Once the group has the web shell in place, it uses it to launch further tooling, including components that exploit the Windows CVE-2024-30088 bug.

The vulnerability in question is a high-severity privilege escalation flaw that Microsoft addressed last June. Successful exploitation allows attackers to elevate their privileges to SYSTEM level and take control of the compromised device.

Microsoft has accepted a PoC exploit for CVE-2024-30088, but the company has yet to classify the flaw as actively exploited on its security portal.

Furthermore, OilRig registers a password filter DLL to intercept plaintext credentials during password change events. It then downloads and installs ‘ngrok,’ a remote monitoring and management program that the attackers use for covert communications through secure tunnels.
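A password filter DLL only takes effect once its name is listed in the LSA ‘Notification Packages’ registry value, so that value is the natural place for a defender to look. The following PowerShell audit is an added example and is not code from the article or from the researchers it cites; it assumes it is run as an administrator on the host being checked, that the baseline of known-good packages below (the Windows defaults scecli and, on domain controllers, rassfm) is adequate for that host, and that the Security event log has not been cleared.

```powershell
# Added example: audit LSA password filter registrations (HKLM\...\Lsa,
# value 'Notification Packages') and report anything outside a baseline.
# Assumptions: run elevated; the baseline lists only the Windows defaults.

function Get-LsaNotificationPackages {
    param(
        # Packages Windows ships by default; anything else deserves a look.
        [string[]]$KnownGood = @('scecli', 'rassfm')
    )

    $lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $valueName = 'Notification Packages'   # REG_MULTI_SZ of DLL base names

    $packages = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction Stop).$valueName

    foreach ($pkg in $packages) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }

        # LSA loads each entry from System32; the '.dll' suffix is implied.
        $dllPath = Join-Path $env:SystemRoot ("System32\{0}" -f $pkg)
        if (-not $dllPath.EndsWith('.dll', [StringComparison]::OrdinalIgnoreCase)) {
            $dllPath += '.dll'
        }

        $exists = Test-Path -LiteralPath $dllPath
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }

        [pscustomobject]@{
            Package   = $pkg
            Path      = $dllPath
            Exists    = $exists
            KnownGood = ($KnownGood -contains $pkg)   # case-insensitive match
            SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        }
    }
}

# Security event 4614 ("A notification package has been loaded by the
# Security Account Manager") records each load at boot, so recent entries
# corroborate what the registry shows now.
function Get-RecentNotificationPackageLoads {
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4614 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
                      @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: list every registered package, then flag those outside the baseline
# or carrying an invalid or missing Authenticode signature.
$all = Get-LsaNotificationPackages
$all | Format-Table -AutoSize
$all | Where-Object { -not $_.KnownGood -or $_.SigStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning ("Review notification package '{0}' at {1} (signature: {2})" -f $_.Package, $_.Path, $_.SigStatus) }
Get-RecentNotificationPackageLoads | Format-Table -AutoSize
```

The baseline is deliberately short: third-party password policy products legitimately register filters too, so tune `$KnownGood` per host class rather than treating every unknown entry as malicious. Because LSA only loads the DLL at boot, a freshly registered filter shows up in the registry before any 4614 event records it, which is why the registry check comes first.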

This is not the only method the actors use in their new campaigns. Another emerging approach is to compromise on-premises Microsoft Exchange servers, which lets them steal credentials and exfiltrate critical data inside regular email traffic that is difficult to distinguish from legitimate mail.

For its exfiltration process, the APT group uses a new backdoor known as ‘StealHook,’ which the researchers say frequently uses government infrastructure as a pivot point so that the operation appears legitimate.

The researchers believe that the actors employ this tactic to steal credentials and exfiltrate them via email attachments to an attacker-controlled server so they can use them for other activities, especially to acquire unauthorised initial access.

Organisations running unpatched Windows servers should update them to the latest versions to close the vulnerability the OilRig hacking group currently abuses.
