OilRig Leverages Windows Kernel Vulnerability in Espionage Operation Targeting UAE and Gulf Countries
The Iranian state-sponsored hacking group known as OilRig has been observed exploiting a recently patched privilege escalation vulnerability in the Windows kernel as part of a cyber espionage campaign targeting the United Arab Emirates and the wider Gulf region.
“The team employs advanced techniques like deploying a hidden access route that utilizes Microsoft Exchange servers to steal login credentials, and abusing security vulnerabilities such as CVE-2024-30088 for escalating user privileges,” Trend Micro researchers Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, and Nick Dai wrote in an analysis published on Friday.
The cybersecurity firm is monitoring the hacking group under the alias of Earth Simnavaz, also known as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten.
The attack chains involve a previously undocumented backdoor that can harvest credentials through Microsoft Exchange servers, a tactic the group has used before, while folding newly disclosed vulnerabilities into its toolkit.
CVE-2024-30088, patched by Microsoft in June 2024, is a flaw in the Windows kernel that, when successfully exploited, grants SYSTEM-level privileges, provided the attacker can win a race condition.
Initial access to target networks is obtained by compromising a vulnerable web server to drop a web shell, after which the remote management tool ngrok is deployed for persistent access and lateral movement to other hosts on the network.
The privilege escalation flaw is then used to deploy the backdoor, codenamed STEALHOOK, which exfiltrates stolen data through the Exchange server as email attachments sent to an attacker-controlled address.
A notable tactic in the recent attacks is OilRig's abuse of the elevated privileges to install a password filter policy DLL (psgfilter.dll), which lets it capture credentials in the clear from domain users via domain controllers or from local accounts.
“The threat actor showed precision in handling the passwords while utilizing the password filter export capabilities,” the experts commented. “The hacker also leveraged plaintext passwords for remote access and tool deployment. These plain text passwords were encrypted first before being transmitted over networks.”
It is worth noting that the use of psgfilter.dll was previously observed in December 2022, in a campaign against organizations in the Middle East that delivered a different backdoor named MrPerfectionManager.
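Password filter DLLs such as the psgfilter.dll described above are loaded by LSASS from the "Notification Packages" value under the Lsa registry key, which makes that value a natural place for defenders to look. The following PowerShell script is an added illustration, not code from the Trend Micro report or from the threat actor: it lists every registered password filter, checks that the DLL exists in System32 and carries a valid Authenticode signature, and flags anything outside a baseline. The baseline list ("scecli", and "rassfm" on domain controllers) is an assumption that should be adjusted to your own builds.

```powershell
# Added example: audit the LSA password filters registered on this host.
# LSASS loads each name in the REG_MULTI_SZ value "Notification Packages"
# (under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) as <name>.dll from System32.
# The baseline below is an assumption; tune it to the hosts you manage.

$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @('scecli', 'rassfm')   # assumed defaults; 'rassfm' is normally present only on domain controllers

function Get-PasswordFilterReport {
    $packages = (Get-ItemProperty -Path $LsaPath -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

    foreach ($name in $packages) {
        # Entries are bare module names; LSASS resolves them from System32 with a .dll extension.
        $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists  = Test-Path -Path $dllPath

        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $dllPath
            $status = $sig.Status
            $signer = $sig.SignerCertificate.Subject
        } else {
            $status = 'Missing'
            $signer = $null
        }

        $inBaseline = $Baseline -contains $name

        [PSCustomObject]@{
            Package    = $name
            Path       = $dllPath
            InBaseline = $inBaseline
            Signature  = $status
            Signer     = $signer
            # Anything unexpected, unsigned, or tampered with deserves a closer look.
            Suspicious = (-not $inBaseline) -or ($status -ne 'Valid')
        }
    }
}

$report = Get-PasswordFilterReport
$report | Format-Table -AutoSize

$flagged = $report | Where-Object { $_.Suspicious }
if ($flagged) {
    Write-Warning "Unexpected or unsigned password filter(s): $($flagged.Package -join ', ')"
}

# Security event 4614 ("A notification package has been loaded by the Security Account
# Manager") records each filter as it is loaded; recent entries show when a new one appeared.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4614 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it as an administrator on domain controllers first, since that is where a filter sees every domain password change; a DLL that is not in the baseline, is unsigned, or has a signer other than Microsoft should be treated as a likely credential-capture implant rather than a misconfiguration.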
“The recent actions of Earth Simnavaz indicate a focus on exploiting vulnerabilities in critical infrastructure of geopolitically important regions,” highlighted the researchers. “Their goal is to establish a lasting foothold in compromised entities to potentially launch assaults on further targets.”