The Iranian state-sponsored hacking group known as APT34, also called OilRig or Earth Simnavaz, has recently intensified its cyber espionage activities, targeting government and critical infrastructure entities in the United Arab Emirates and the broader Gulf region.
This escalation involves sophisticated tactics and the exploitation of newly discovered vulnerabilities, demonstrating the group’s evolving capabilities and persistent threat to regional security.
Attack Methodology
OilRig’s latest attack chain begins with the exploitation of vulnerable web servers to upload web shells, granting them remote code execution capabilities. From this initial foothold, the attackers deploy additional tools and malware to further compromise the target systems.
Privilege Escalation
A key component of OilRig’s recent attacks is the exploitation of CVE-2024-30088, a high-severity Windows kernel vulnerability patched by Microsoft in June 2024. This flaw allows the attackers to elevate their privileges to SYSTEM level, providing significant control over compromised devices.
Credential Theft
The hackers have implemented a novel tactic involving the abuse of on-premises Microsoft Exchange servers. They deploy a new backdoor called “StealHook” to intercept and exfiltrate credentials, often routing the stolen data through legitimate government email infrastructure to avoid detection. StealHook represents an evolution of OilRig’s malware arsenal, showing code similarities to previously used backdoors like Karkoff. This new tool is specifically designed to capture stolen passwords and transmit them to the attackers as email attachments.
The group has also been observed deploying a malicious password filter DLL (psgfilter.dll) to extract plaintext credentials from domain users and local accounts. This technique allows them to capture sensitive login information during password change events.
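Because a password filter DLL only takes effect once it is registered in the LSA "Notification Packages" value and loaded by lsass, defenders can audit that value directly. The script below is an added example for this post, not code from Trend Micro or Messageware; it assumes a baseline of the Windows default packages (scecli and rassfm), which you should adjust to your own golden image, and it flags any registered package that is unknown, missing from System32, or not carrying a valid Microsoft Authenticode signature. Run it in an elevated PowerShell session on domain controllers and member servers.

```powershell
# Added defensive check (not from the original post): enumerate LSA password-filter
# (Notification Packages) entries and flag any that are not in the assumed default
# baseline, are absent from System32, or are not validly Microsoft-signed.
# A dropped filter such as the psgfilter.dll named in the campaign would show up
# here as an unexpected, unsigned entry.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumption: the default, expected password-filter packages on a stock install.
$expected = @('scecli', 'rassfm')

function Get-PasswordFilterFindings {
    # 'Notification Packages' is REG_MULTI_SZ, so this returns a string array.
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        # Packages are listed without extension and resolved from System32 by lsass.
        $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
        $finding = [PSCustomObject]@{
            Package    = $name
            Path       = $dllPath
            Exists     = Test-Path $dllPath
            Expected   = $expected -contains $name.ToLower()
            Signature  = 'n/a'
            Suspicious = $false
        }
        $validMicrosoft = $false
        if ($finding.Exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            $finding.Signature = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
            $validMicrosoft = ($sig.Status -eq 'Valid') -and
                              ($sig.SignerCertificate.Subject -like '*Microsoft*')
        }
        # Flag anything outside the baseline or without a valid Microsoft signature.
        $finding.Suspicious = (-not $finding.Expected) -or (-not $validMicrosoft)
        $finding
    }
}

$findings = Get-PasswordFilterFindings
$findings | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning 'Unexpected or unsigned password filter package registered; investigate before the next password change event.'
}
```

Pair this with monitoring: lsass only loads a newly registered filter at the next boot, and Windows records each load as Security event 4614 ("A notification package has been loaded by the Security Account Manager"), so an alert on 4614 for any package name outside the baseline, together with auditing writes to the Lsa key, catches the technique before the first password change is harvested.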
Targets and Objectives
OilRig’s primary targets in this campaign appear to be government entities and organizations in the energy sector across the UAE and Gulf region. The focus on critical infrastructure raises concerns about potential operational disruptions that could have widespread impacts.
Connection to FOX Kitten
Trend Micro researchers have identified a potential link between OilRig and another Iran-based APT group known as FOX Kitten. This connection is particularly worrying due to FOX Kitten’s involvement in ransomware attacks, suggesting a possible expansion of OilRig’s capabilities to include more destructive operations.
Conclusion
The recent activities of OilRig highlight the persistent and evolving threat posed by state-sponsored hacking groups. Their focus on exploiting newly discovered vulnerabilities and developing sophisticated malware underscores the need for organizations, especially those in critical sectors, to maintain robust cybersecurity measures and stay current with security updates.
Strengthen Your Server Security with Messageware
Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Messageware offers powerful security solutions, including:
Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security stops AD account lockouts, eliminates brute force password attacks, provides intelligent GEO blocking, and prevents Exchange Server vulnerability probing. Enhance security through real-time collection and analysis of logon information, with advanced reporting, threat detection, and security controls.
Don’t leave your critical infrastructure vulnerable; be proactive and stay ahead of evolving threats.