Iran’s APT34 Intensifies Cyberattacks Exploiting Windows Flaw

October 13, 2024

Iran's state-sponsored hacking group, APT34, also known as OilRig, has been ramping up its cyberattacks against government and critical infrastructure entities in the United Arab Emirates and the Gulf region. According to Trend Micro researchers, the group has been deploying a new backdoor to target Microsoft Exchange servers for credential theft and exploiting a Windows flaw, CVE-2024-30088, to increase their privileges on compromised devices.

The researchers also found a link between OilRig and another Iran-based Advanced Persistent Threat (APT) group, FOX Kitten, known for its involvement in ransomware attacks. The attackers initiate their operations by exploiting a vulnerable web server to upload a web shell, which allows them to execute remote code and PowerShell commands. Once the web shell is active, OilRig uses it to deploy additional tools, including a component specifically designed to exploit the Windows flaw, CVE-2024-30088.

This high-severity privilege escalation vulnerability, which Microsoft patched in June 2024, enables attackers to escalate their privileges to the SYSTEM level, thereby gaining substantial control over the compromised devices. Although Microsoft has acknowledged a proof-of-concept exploit for CVE-2024-30088, it has not yet marked the flaw as actively exploited on its security portal. Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) has not listed it in its Known Exploited Vulnerabilities (KEV) catalog.

After escalating privileges, OilRig registers a password filter DLL to intercept plaintext credentials during password change events and then downloads and installs the remote monitoring and management tool 'ngrok', used for stealthy communications through secure tunnels. The threat actors have also begun exploiting on-premises Microsoft Exchange servers to steal credentials and exfiltrate sensitive data via legitimate email traffic, which makes the exfiltration difficult to detect.
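A password filter DLL only takes effect once its name is added to the LSA 'Notification Packages' registry value, so auditing that value is a direct way to spot the persistence step described above. The following is an added example, not code from the report or from Trend Micro: it decodes the REG_MULTI_SZ value from a `reg export` text file and flags entries outside a baseline. The .reg text, the DLL name `pwfilt` and the baseline set are constructed for illustration.

```python
"""Audit the LSA 'Notification Packages' value from a 'reg export' file."""
import re

# Assumption: stock entries on a typical member server ('rassfm' appears on
# domain controllers). Replace with the values from your own golden image.
BASELINE = {"scecli", "rassfm"}

# Constructed sample export: "scecli", "rassfm" and an unexpected "pwfilt".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,72,00,\
  61,00,73,00,73,00,66,00,6d,00,00,00,70,00,77,00,66,00,69,00,6c,00,74,00,\
  00,00,00,00
"""


def parse_multi_sz(reg_text: str, value_name: str) -> list[str]:
    """Return the strings stored in a hex(7) REG_MULTI_SZ value of a .reg export."""
    # reg export wraps long hex runs with ',\' line continuations; rejoin them.
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)
    pattern = rf'^"{re.escape(value_name)}"=hex\(7\):([0-9a-fA-F,]*)$'
    match = re.search(pattern, joined, re.M)
    if not match:
        raise KeyError(value_name)
    raw = bytes(int(h, 16) for h in match.group(1).split(",") if h)
    # UTF-16LE, each string NUL-terminated, list terminated by an empty string.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def unexpected_packages(reg_text: str, baseline=BASELINE) -> list[str]:
    """Notification Packages entries not in the baseline (case-insensitive)."""
    allowed = {b.lower() for b in baseline}
    packages = parse_multi_sz(reg_text, "Notification Packages")
    return [p for p in packages if p.lower() not in allowed]


if __name__ == "__main__":
    for dll in unexpected_packages(SAMPLE_REG):
        # lsass loads every listed DLL at boot, so each extra name needs review.
        print(f"review: unexpected LSA notification package {dll!r}")
```

On a live host, `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` produces the input format this parser expects.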

The data exfiltration is facilitated by a new backdoor named 'StealHook.' Trend Micro notes that government infrastructure is often used as a pivot point to make the process appear legitimate. "The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments," Trend Micro stated in the report. "Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers."

The researchers found code similarities between StealHook and backdoors used by OilRig in previous campaigns, indicating that the latest malware is an evolutionary step, not a fresh creation. The group's affiliation with FOX Kitten, while currently unclear, raises concerns about the potential addition of ransomware to its attack arsenal. Given that most of the targeted entities belong to the energy sector, any operational disruptions could have severe implications.
