October 13, 2024 at 06:54AM
OilRig, an Iranian cyber threat actor, has exploited a patched Windows Kernel vulnerability (CVE-2024-30088) in a cyber espionage campaign targeting the U.A.E. and Gulf region. Using sophisticated tactics, including a backdoor named STEALHOOK, they siphon credentials via Microsoft Exchange servers, aiming to maintain persistent access to compromised networks.
### Meeting Takeaways (October 13, 2024)
1. **Threat Actor Overview**:
– The Iranian cyber threat group, OilRig, also known as Earth Simnavaz (or APT34), is involved in a cyber espionage campaign targeting the U.A.E. and the broader Gulf region.
2. **Exploitation of Vulnerabilities**:
– OilRig is exploiting a privilege escalation vulnerability (CVE-2024-30088) in the Windows Kernel, which was patched by Microsoft in June 2024.
– The group employs sophisticated tactics that include credential theft using Microsoft Exchange servers.
3. **Tactics and Techniques**:
– Deployment of a backdoor named STEALHOOK that exfiltrates credentials via email from compromised Exchange servers.
– Initial access is gained through vulnerable web servers, followed by dropping a web shell and using ngrok for persistence.
– Elevated privileges are utilized to deploy a password filter policy DLL (psgfilter.dll) to extract sensitive credentials.
4. **Data Handling**:
– The threat actor handles the captured plaintext passwords carefully, encrypting them before exfiltration to avoid detection.
– Previous use of psgfilter.dll was documented in a December 2022 campaign targeting Middle Eastern organizations.
5. **Objective**:
– Earth Simnavaz aims to exploit vulnerabilities in key infrastructure within geopolitically sensitive regions to establish persistent access and launch further attacks on additional targets.
6. **Recommendation for Monitoring**:
– Continually monitor for vulnerabilities and suspicious activity involving Microsoft Exchange servers and the Windows Kernel to mitigate the risk from similar threat actors in the future.
These takeaways summarize the meeting’s key points regarding the current activities and tactics of the OilRig threat actor.
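As an added defender-side example (not part of the report or the meeting notes), the following PowerShell audit checks the LSA password filter registration that the psgfilter.dll technique above relies on and surfaces recent filter-load events; the baseline list and the audit-policy assumption are placeholders to adapt to your environment.

```powershell
# Added audit script (not from the original report): list LSA password filter
# packages, flag any outside a known-good baseline, and pull recent load events.
# Password filters are registered in the REG_MULTI_SZ value 'Notification Packages'
# under the Lsa key and loaded from System32, which is where a rogue filter lands.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumption: 'scecli' is the stock entry and 'rassfm' appears on some server builds.
# Add your organisation's approved password filters here.
$baseline = @('scecli', 'rassfm')

$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

$report = foreach ($pkg in $packages) {
    if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
    $name = [System.IO.Path]::GetFileNameWithoutExtension($pkg)
    # Entries are normally bare names resolved against System32; a rooted path is itself unusual.
    $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
    if ([System.IO.Path]::IsPathRooted($pkg)) { $dllPath = $pkg }
    $sig = 'FileMissing'
    if (Test-Path -Path $dllPath) { $sig = (Get-AuthenticodeSignature -FilePath $dllPath).Status }
    $status = 'UNEXPECTED'
    if ($baseline -contains $name) { $status = 'Baseline' }
    [pscustomobject]@{
        Package   = $pkg
        Status    = $status
        Path      = $dllPath
        Signature = $sig
    }
}
$report | Format-Table -AutoSize

# Security event 4614 ("A notification package has been loaded by the Security
# Account Manager") is logged at boot when 'Audit Security System Extension' is
# enabled (assumption: it is enabled on the audited host).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4614 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Package'; e = { $_.Properties[0].Value } }
```

Any entry marked UNEXPECTED, unsigned, or pointing outside System32 warrants the same investigation as a new 4614 event naming a DLL that was not there before the last reboot.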