OilRig Hackers Exploiting Windows Kernel Flaw CVE-2024-30088 to Attack Organizations


The Iranian state-sponsored hacking group OilRig, also known as APT34, has intensified its cyber espionage activities, targeting critical infrastructure and government entities in the United Arab Emirates and the broader Gulf region.

Security researchers from Picus Labs have detailed a campaign in which the group chains a web shell with an exploit for a recently patched Windows Kernel vulnerability to elevate privileges and deploy a custom backdoor.

CVE-2024-30088: A New Weapon in OilRig’s Arsenal

At the heart of OilRig's latest attacks is the exploitation of CVE-2024-30088, a high-severity local elevation-of-privilege vulnerability in the Windows Kernel. Exploitation requires winning a race condition, and the attacker must already be running code in a low-privileged context on the target; in this campaign that context is the compromised web server's worker account. Success yields SYSTEM privileges and with them full control of the host.

Microsoft patched the vulnerability in its June 2024 Patch Tuesday release. The exploitation observed here targets systems that had not yet applied that update, so the flaw is an n-day rather than a true zero-day by the time OilRig used it, which makes patch latency the decisive factor for defenders.

The attack chain begins with the compromise of vulnerable web servers, where OilRig uploads a web shell to establish initial access. From this foothold, the group deploys additional tools, including a component that exploits CVE-2024-30088 to move from the web server's service account to SYSTEM.
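As an added illustration (not code from the article or from Picus Labs), the PowerShell below hunts for the first stage of the chain described above on an IIS host. A web shell executes inside the IIS worker process w3wp.exe, so command interpreters and living-off-the-land binaries whose parent is w3wp.exe are a strong indicator. The list of suspicious child process names is an assumption to tune per application.

```powershell
# Added example (not from the article or the researchers' report).
# Flag live processes whose parent is an IIS worker process (w3wp.exe) and
# whose name is a command interpreter or LOLBin a web application rarely spawns.

# Snapshot all processes once and index them by PID so parent lookups are cheap.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Assumption: child names worth alerting on. Tune for applications that
# legitimately shell out (an app that calls certutil needs an allow-list entry).
$suspiciousChildren = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'cscript.exe', 'wscript.exe',
    'certutil.exe', 'bitsadmin.exe', 'rundll32.exe', 'regsvr32.exe',
    'whoami.exe', 'net.exe', 'net1.exe', 'nltest.exe'
)

$findings = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    if (-not $parent) { continue }                          # parent already exited
    if ($parent.Name -ine 'w3wp.exe') { continue }
    if ($suspiciousChildren -notcontains $p.Name) { continue }
    # Guard against PID reuse: a real parent must have started before its child.
    if ($parent.CreationDate -gt $p.CreationDate) { continue }

    # w3wp.exe is launched as: w3wp.exe -ap "<AppPoolName>" -v "v4.0" ...
    $appPool = if ($parent.CommandLine -match '-ap\s+"([^"]+)"') { $Matches[1] } else { '<unknown>' }

    [pscustomobject]@{
        Started     = $p.CreationDate
        AppPool     = $appPool
        ParentPid   = $parent.ProcessId
        ChildPid    = $p.ProcessId
        Child       = $p.Name
        CommandLine = $p.CommandLine
    }
}

if ($findings) {
    $findings | Sort-Object Started | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No command interpreters or LOLBins spawned by w3wp.exe are currently running.'
}
```

Run it elevated so every process is visible. Because it only sees what is running at that moment, the durable version of this check is a process-creation rule (Sysmon Event ID 1 or Security Event ID 4688 with parent process logging enabled) keyed on ParentImage ending in w3wp.exe and the same child list.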


With SYSTEM privileges in hand, OilRig installs a backdoor on on-premises Microsoft Exchange servers.

This backdoor, tracked as STEALHOOK, supports lateral movement across the network and the theft of sensitive files and credentials.

OilRig’s ability to rapidly weaponize newly disclosed vulnerabilities highlights the group’s advanced capabilities and the ongoing threat they pose to targeted organizations.

In addition to exploiting CVE-2024-30088, OilRig continues to employ other established tactics. The group has been observed abusing the Windows password filter mechanism: a malicious DLL registered under the LSA Notification Packages key is loaded into lsass.exe and receives every password change in plaintext. It has also been seen using the ngrok tunneling tool to relay traffic out of the network, and maintaining persistence through various means.
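Both techniques in the paragraph above leave host-side traces an administrator can check. The PowerShell below is an added example, not code from the article or from Picus Labs. It audits the LSA Notification Packages value that registers password filter DLLs, flagging any name outside a baseline, verifying each DLL's Authenticode signature and hashing it, and then lists running ngrok processes with their established connections. The baseline of Windows-native package names and the assumption that ngrok keeps its default name are assumptions.

```powershell
# Added example (not from the article or the researchers' report).
# Part 1: audit password filter DLLs registered with LSA.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumption: packages Windows itself registers. 'rassfm' appears on domain
# controllers; add any legitimate third-party password filter you have deployed.
$knownPackages = @('scecli', 'rassfm')

# REG_MULTI_SZ: one bare DLL name per entry, loaded into lsass.exe at boot.
$registered = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

$filterReport = foreach ($pkg in $registered) {
    # LSA resolves the bare name against System32, so that is where the DLL must live.
    $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
    $row = [ordered]@{
        Package    = $pkg
        InBaseline = $knownPackages -contains $pkg
        Path       = $dll
        Exists     = Test-Path -LiteralPath $dll
        Signature  = $null
        Signer     = $null
        Sha256     = $null
    }
    if ($row.Exists) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $row.Signature = $sig.Status                      # Valid / NotSigned / HashMismatch ...
        $row.Signer    = $sig.SignerCertificate.Subject
        $row.Sha256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $dll).Hash
    }
    [pscustomobject]$row
}

Write-Host "LSA Notification Packages on $env:COMPUTERNAME"
$filterReport | Format-Table -AutoSize -Wrap

# Anything outside the baseline, unsigned, or registered but missing on disk.
$suspectFilters = $filterReport | Where-Object {
    -not $_.InBaseline -or -not $_.Exists -or $_.Signature -ne 'Valid'
}
if ($suspectFilters) {
    Write-Warning 'Review these password filter registrations:'
    $suspectFilters | Format-List
}

# Part 2: ngrok. Assumption: the binary keeps its default name or passes 'ngrok'
# on the command line; a renamed copy would need network-based hunting instead.
$ngrokProcs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match 'ngrok' -or $_.CommandLine -match 'ngrok' }

if ($ngrokProcs) {
    Write-Warning 'ngrok process(es) found:'
    $ngrokProcs | Select-Object ProcessId, Name, ExecutablePath, CommandLine | Format-List
    # Established TCP connections owned by those processes (the tunnel endpoint).
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ngrokProcs.ProcessId -contains $_.OwningProcess } |
        Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort |
        Format-Table -AutoSize
} else {
    Write-Host 'No ngrok processes running.'
}
```

Start with domain controllers: a password filter only sees changes processed by its own LSA, so a filter planted on a DC captures domain account passwords. A newly registered package takes effect only after a reboot, which is also when the DLL first loads into lsass.exe, so a Sysmon image-load (Event ID 7) rule for non-Microsoft DLLs in lsass.exe complements this point-in-time check.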

Security experts warn that OilRig’s focus on critical infrastructure, particularly in the energy sector, could have severe implications if successful.

The group's evolving tactics and rapid adoption of newly patched vulnerabilities underscore the need for organizations to maintain robust patch management processes and implement multi-layered security defenses.

As OilRig’s campaigns continue to evolve, cybersecurity teams are advised to stay vigilant and prioritize the patching of critical vulnerabilities, especially those known to be exploited in the wild.

Organizations in targeted sectors should also implement additional monitoring for signs of compromise and consider deploying advanced threat detection tools to identify and mitigate sophisticated attacks.

The discovery of OilRig’s exploitation of CVE-2024-30088 is a reminder of the persistent and evolving nature of state-sponsored cyber threats.

As these groups refine their tactics and expand their capabilities, the global cybersecurity community must remain proactive in developing and implementing robust defense strategies to protect critical assets and sensitive information from increasingly sophisticated attacks.

Indicators of Compromise

File Hashes (SHA-256)

QUADAGENT: d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de
OilRig ThreeDollars: 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c
mscom.exe: 0ca0febadb1024b0a8961f21edbf3f6df731ca4dd82702de3793e757687aefbc
People List.xls: 9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777
Dell.exe: 5db93f1e882f4d7d6a9669f8b1ab091c0545e12a317ba94c1535eb86bc17bd5b
