OilRig Exploits Windows Kernel Flaw in Cyber Espionage


VTA-004497 – OilRig Exploits Windows Kernel Flaw in Cyber Espionage

Iranian cyber espionage group OilRig, also tracked as Earth Simnavaz among other names, has recently escalated its cyber attacks in the U.A.E. and Gulf region. Researchers have identified that the group is exploiting a previously patched Windows Kernel vulnerability, CVE-2024-30088, to escalate privileges and steal credentials via Microsoft Exchange servers.

The group’s sophisticated strategy involves initial infiltration through a vulnerable web server to implant a web shell. This is followed by the deployment of the ngrok tool to maintain persistence and facilitate lateral movement across the network. The critical vulnerability, CVE-2024-30088, allows the attackers to gain SYSTEM privileges and install the STEALHOOK backdoor for data exfiltration.

OilRig has also been using a password filter policy DLL known as psgfilter.dll to harvest plaintext passwords from domain users, which are then encrypted before transmission to avoid detection. The use of psgfilter.dll highlights the group’s continued focus on obtaining sensitive credentials to access and manipulate targeted systems effectively. Researchers note that these tactics show the group’s intent to compromise key infrastructures and maintain a presence in strategically important regions.

Severity:
Medium

Attack Surface:
Email, Endpoint OS, Remote Access Service, Server OS, System Management Service, Web Application

Tactics:
Credential Access, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation


References:
1. https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html

SuperPRO’s Threat Countermeasures Procedures:
1) Apply all recent security patches, especially for critical vulnerabilities like CVE-2024-30088.
2) Enhance monitoring of Microsoft Exchange servers and implement additional security measures against credential theft.
3) Secure web servers against initial infiltration by regularly updating and patching vulnerable software.
4) Implement strict access controls and use encryption to secure sensitive credentials both in transit and at rest.
5) Deploy endpoint detection and response (EDR) tools to detect and respond to suspicious activities and lateral movements.
6) Educate employees about the latest phishing tactics and other social engineering methods used for initial access.
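The psgfilter.dll technique described above works because a password filter DLL must be registered in the LSA "Notification Packages" registry value before LSASS will load it on password changes, so that value is the natural place to audit. The following audit script is an added example written for this advisory, not code from the original report or from the researchers; the baseline of expected DLL names, the constructed `reg query` sample and the helper names are assumptions to tune to your own gold image.

```python
"""Audit the LSA 'Notification Packages' value for unexpected password-filter DLLs."""
import re
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"

# Assumed baseline: DLL base names (no extension) expected on a domain controller.
# Replace with the value from your own known-good build; anything else gets flagged.
BASELINE = {"scecli"}

# Constructed sample (not a real capture) of the output of
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
# on a host where an extra filter DLL has been registered.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0psgfilter
"""


def parse_reg_query(text: str) -> list[str]:
    """Extract the REG_MULTI_SZ entries; reg.exe prints them joined by a literal '\\0'."""
    m = re.search(rf"{re.escape(VALUE_NAME)}\s+REG_MULTI_SZ\s+(.*)", text)
    if not m:
        return []
    return [p.strip() for p in m.group(1).strip().split(r"\0") if p.strip()]


def read_live_packages() -> list[str]:
    """Read the value from the local registry (Windows only); empty list elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, _ = winreg.QueryValueEx(key, VALUE_NAME)
    return list(value)


def unexpected_packages(packages, baseline=BASELINE) -> list[str]:
    """Return registered packages whose base name is not in the baseline (case-insensitive)."""
    known = {b.lower() for b in baseline}
    return [p for p in packages if p.lower().removesuffix(".dll") not in known]


if __name__ == "__main__":
    # Prefer the live registry; fall back to the constructed sample when not on Windows.
    pkgs = read_live_packages() or parse_reg_query(SAMPLE_REG_QUERY)
    flagged = unexpected_packages(pkgs)
    for name in flagged:
        print(f"unexpected password filter registered: {name}")
    sys.exit(1 if flagged else 0)
```

Run it on collected `reg query` output from each domain controller, or directly on the host; a non-zero exit means a filter DLL outside the baseline is registered and should be investigated before the next password change feeds it plaintext credentials.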

Contributed by: Fatini