
OilRig uses Windows Kernel Vulnerability in an Espionage Operation Aimed at UAE and Gulf

The Iranian cyber threat actor known as OilRig has been detected exploiting a recently patched privilege escalation vulnerability in the Windows kernel as part of a cyber espionage campaign mainly targeting the United Arab Emirates and the wider Gulf region. Trend Micro analysts Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, and Nick Dai revealed in a report published on Friday that the group deploys advanced tactics, including a backdoor that abuses Microsoft Exchange servers to steal credentials and the exploitation of vulnerabilities such as CVE-2024-30088 for privilege escalation.

The cybersecurity firm tracks this threat actor under the alias Earth Simnavaz; it is also known as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten. The attack campaigns orchestrated by OilRig involve the deployment of a previously undocumented implant that exfiltrates credentials through on-premises Microsoft Exchange servers. The group has also incorporated newly disclosed vulnerabilities into its exploitation toolkit.

CVE-2024-30088, which Microsoft addressed in June 2024, is a privilege escalation issue in the Windows kernel that can be exploited to attain SYSTEM privileges, provided the attackers win a race condition. Initial access to target networks is established by compromising a vulnerable web server to drop a web shell, followed by deploying the ngrok remote management tool to maintain persistence and move to other endpoints within the network.

The privilege escalation flaw serves as a bridge to deploy the backdoor, codenamed STEALHOOK, which is responsible for transmitting harvested data via the Exchange server to an attacker-controlled email address in the form of attachments. In the recent wave of attacks, OilRig has been observed misusing elevated privileges to register a password filter policy DLL (psgfilter.dll), which extracts sensitive credentials from domain users on domain controllers or from local accounts on individual machines.

The threat actors were meticulous in handling plaintext passwords when implementing the password filter export functions, encrypting the passwords before exfiltrating them over the network. The use of psgfilter.dll was previously detected in December 2022 in connection with a campaign aimed at organizations in the Middle East that used another backdoor dubbed MrPerfectionManager. According to the researchers, the recent activity suggests that Earth Simnavaz is concentrating on exploiting vulnerabilities in critical infrastructure within geopolitically sensitive areas and aims to establish a persistent presence in compromised entities from which to launch attacks on additional targets.
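A defender-side check for the password filter technique described above, added here and not part of the article or the Trend Micro report: Windows loads password filter DLLs listed in the LSA "Notification Packages" registry value (from System32) at boot, so enumerating that value and flagging entries that are outside a known baseline, missing on disk, or not validly signed surfaces a rogue filter such as psgfilter.dll. The baseline list and the function name are assumptions; run it on domain controllers as well as member machines.

```powershell
# Added example (not the article's or Trend Micro's code): audit LSA password filter DLLs.
# LSA resolves each bare name in 'Notification Packages' to %SystemRoot%\System32\<name>.dll.
$LsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$KnownPackages = @('scecli', 'rassfm')   # assumption: Windows defaults; extend with your own approved filters

function Get-PasswordFilterReport {
    $packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        $dll    = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists = Test-Path -Path $dll
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        $inBase = $KnownPackages -contains $name        # case-insensitive by default
        $signed = ($sig -ne $null) -and ($sig.Status -eq 'Valid')
        [pscustomobject]@{
            Package    = $name
            Path       = $dll
            InBaseline = $inBase
            Exists     = $exists
            Signature  = if ($sig) { $sig.Status } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            # Anything unknown, missing, or unsigned deserves a look; psgfilter would fail all three.
            Suspicious = (-not $inBase) -or (-not $exists) -or (-not $signed)
        }
    }
}

Get-PasswordFilterReport | Format-Table -AutoSize
```

A filter that was registered in the registry but deleted from disk still shows up as Suspicious, which helps catch partial cleanup after an intrusion.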

This sophisticated cyber espionage campaign showcases the evolving tactics adopted by threat actors to infiltrate and compromise organizations of strategic importance. By leveraging vulnerabilities in key infrastructure, these threat actors continue to pose a significant risk to national security and critical systems. It is imperative for organizations to remain vigilant, update their systems regularly, and implement robust security measures to defend against such sophisticated cyber threats.
