Who:
Threat Actors: APT34 (OilRig), an Iranian state-sponsored hacking group.
Targets: Government and critical infrastructure entities in the United Arab Emirates and Gulf region, especially in the energy sector.
What:
Attack Techniques: OilRig has escalated its activities with a new campaign involving:
Exploitation of Microsoft Exchange servers to steal credentials.
Exploitation of the CVE-2024-30088 Windows flaw for privilege escalation.
Use of a new backdoor called StealHook for credential theft and data exfiltration via email.
Key Tools and Exploits:
Web Shell Deployment: Attackers begin by exploiting vulnerable web servers to install web shells, allowing remote code execution.
CVE-2024-30088 Exploit: A high-severity flaw used to escalate privileges to the SYSTEM level on compromised devices.
Password Theft: Attackers register a password filter DLL to capture plaintext credentials during password change events.
StealHook Backdoor: Used to exfiltrate stolen credentials and sensitive data, sending them as email attachments to evade detection.
Impact:
Threat to Critical Infrastructure: The attacks primarily target the energy sector, posing risks of operational disruption.
Affiliation with FOX Kitten: OilRig’s potential connection with the FOX Kitten group raises concern that ransomware attacks could be added to their tactics.
Broader Threat: OilRig’s continued activity in the region and their use of advanced exploits to target high-value organizations make them a persistent and evolving threat.