Source: www.csoonline.com – Author:
News, 14 Oct 2024
Cyberattacks, Security, Vulnerabilities
The group deployed sophisticated backdoors to exfiltrate sensitive data from compromised Exchange servers.
An Iran-linked cyber-espionage group has in recent months been conducting cyberattacks in the United Arab Emirates (UAE) and the Gulf region by exploiting a privilege escalation flaw in Windows systems.
The hacker group APT34, also tracked as OilRig and Earth Simnavaz, is primarily known for targeting organizations in the energy sector, including oil and gas companies, according to Trend Micro research.
“Our latest research has identified Earth Simnavaz’s deployment of a sophisticated new backdoor,” said Trend Micro in a blog post. “This new backdoor facilitates the exfiltration of sensitive credentials, including accounts and passwords, through on-premises Microsoft Exchange servers.”
In addition, the blog noted, OilRig has been using a remote monitoring and management (RMM) tool known as ngrok in its operations.
Sensitive data exfiltration through Windows hacks
The recent cyberattacks have been linked to the exploitation of a vulnerable public-facing web server through a web shell that enabled the attackers to execute PowerShell code and transfer files. This initial access allowed the threat actors to establish a foothold within the network, from which they downloaded the remote management tool ngrok to facilitate lateral movement.
Their primary target was the Domain Controller, a server managing permissions within a Windows domain, which they reached by exploiting CVE-2024-30088, a Windows Kernel Elevation of Privilege vulnerability, according to Trend Micro. The attackers used an exploit binary, loaded via the open-source RunPE-In-Memory tool, to escalate privileges and strengthen their control over the system.
Once they gained elevated access, the attackers registered a password filter DLL that deployed a backdoor, allowing them to exfiltrate sensitive data through the compromised Exchange server. The stolen data was then relayed to a threat actor-controlled email address, effectively securing long-term control over the infected environment and completing the attack sequence.
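A defender's check for the persistence step described above, added here as an example (not code from the article or from Trend Micro): it lists the password filter DLLs registered in the LSA "Notification Packages" value that LSASS loads, resolves each name to its DLL under System32, and flags any entry that is missing from a site-specific allowlist or does not carry a valid Authenticode signature. The allowlist of scecli and rassfm is an assumption; confirm it against a known-good host of the same role.

```powershell
# Added example (not from the article or Trend Micro): audit the LSA
# "Notification Packages" value, which registers password filter DLLs.
# Assumption: scecli and rassfm are the only packages expected on this
# host; adjust $Expected to match a known-good system of the same role.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'Notification Packages'
$Expected  = @('scecli', 'rassfm')   # assumption: site-specific allowlist

function Get-PasswordFilterReport {
    # REG_MULTI_SZ: one DLL base name per entry; LSASS loads <name>.dll from System32.
    $packages = (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction Stop).$ValueName
    foreach ($name in $packages) {
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        $sig = if (Test-Path $dll) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        [pscustomobject]@{
            Package    = $name
            Path       = $dll
            Exists     = [bool](Test-Path $dll)
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned or missing)' }
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'NotFound' }
            Unexpected = ($Expected -notcontains $name)
        }
    }
}

$report = Get-PasswordFilterReport
$report | Format-Table -AutoSize

# Anything off the allowlist, or not validly signed, deserves a closer look:
# a freshly added, unsigned DLL here is the pattern the article describes.
$suspect = $report | Where-Object { $_.Unexpected -or $_.SigStatus -ne 'Valid' }
if ($suspect) {
    Write-Warning "Unexpected or unsigned password filter(s): $($suspect.Package -join ', ')"
    exit 1
}
```

Run it with administrative rights on domain controllers first, since a filter registered there sees every domain password change; pairing the registry check with Security event ID 4614 (a notification package loaded by the Security Account Manager) lets you catch new registrations when they happen rather than on the next audit.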
Mitigation includes proactive security
Fixing the Windows vulnerability that allows privilege escalation within a compromised Windows network could be the first step toward protection against these attacks. CVE-2024-30088 is a high-severity (CVSS 7 out of 10) time-of-check time-of-use (TOCTOU) race condition flaw in Windows servers, which Microsoft fixed in its June 2024 Patch Tuesday release.
While neither Microsoft nor CISA has marked the vulnerability as actively exploited, Microsoft had rated its exploitation as “more likely”, since a proof-of-concept exploit has been available.
An intelligence-led approach to incident response will be crucial for efficiently managing and reducing the impact of these kinds of attacks, according to Trend Micro. “While the group’s techniques haven’t evolved drastically, implementing a Zero Trust architecture, alongside mature SOC, EDR, and MDR capabilities, can greatly enhance defensive measures against threats like that posed by Earth Simnavaz.”
Original Post url: https://www.csoonline.com/article/3562599/iranian-hackers-use-windows-holes-to-attack-critical-gulf-and-emirates-systems.html
Category & Tags: Cyberattacks, Security, Vulnerabilities, Windows Security