Iranian threat actors are on the hunt for login credentials that can grant them access to organizations and personal systems of people in the United Arab Emirates and the broader Gulf region, according to a new report from cybersecurity researchers Trend Micro, published late last week.
Per the paper, a group called OilRig (AKA APT43, or Cobalt Gipsy) has been going after vulnerable servers that they can use to deploy web shells. These, in turn, allow them to run PowerShell and consequently – deploy malware on the servers.
The malware then abuses a vulnerability tracked as CVE-2024-30088 to escalate privileges and allow the crooks to exfiltrate sensitive information. This vulnerability is described as a Windows Kernel Elevation of Privilege flaw and has a base score of 7.0 (high). Microsoft patched it in June this year.
Affiliation with ransomware players
The name of the malware used in these attacks is STEALHOOK. It essentially serves as an infostealer, since its goal is to exfiltrate data to a command & control (C2) server, operated by the attackers. What’s interesting about STEALHOOK is that it blends this information with legitimate one, and sends it out via an Exchange server.
BleepingComputer points out that OilRig is a state-sponsored actor. The same publication also stresses that the group “remains highly active” in the Middle East region, and that it seems to be affiliated with FOX Kitten, another Iran-based APT group involved in ransomware attacks.
The majority of the targets work in the energy sector, Trend Micro concluded, warning that any disruption to the operation of these firms could impact the wider population greatly.
Despite there being evidence of abuse, the US Cybersecurity and Infrastructure Agency (CISA) is yet to place CVE-2024-30088 on its Known Exploited Vulnerabilities (KEV) catalog.
More from TechRadar Pro
https://cdn.mos.cms.futurecdn.net/exjZtnyH8bykMKrG4TDthC-1200-80.jpg
Source link
