OilRig is exploiting a flaw in the Windows kernel in an espionage campaign targeting the UAE and the Persian Gulf

October 13, 2024Ravi Lakshmanan

The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw affecting the Windows kernel in a cyber espionage campaign targeting the UAE and the wider Gulf region.

“The group uses sophisticated tactics that include deploying a backdoor that uses Microsoft Exchange servers to steal credentials and exploiting vulnerabilities such as CVE-2024-30088 for elevation of privilege,” Trend Micro researchers Mohamed Fahmi, Bahaa Yamani, Ahmed Kamal and Nick Dye said in an analysis published on Friday.

The cybersecurity company tracks the threat actor under the name Earth Simnavaz, which is also known as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten.


The chain of attacks involves the deployment of a previously undocumented implant that comes with the ability to steal credentials via on-premises Microsoft Exchange servers, a proven tactic adopted by adversaries in the past, while also incorporating newly discovered vulnerabilities into its arsenal of exploits.

CVE-2024-30088, patched by Microsoft in June 2024, is a privilege escalation vulnerability in the Windows kernel that can be used to gain SYSTEM privileges, provided the attacker wins the underlying race condition.

Initial access to target networks is gained by compromising a vulnerable web server and dropping a web shell, followed by deploying the ngrok remote management tool to maintain persistence and move to other endpoints in the network.

The elevation of privilege vulnerability then serves as a delivery channel for a backdoor codenamed STEALHOOK responsible for sending harvested data via an Exchange server to an attacker-controlled email address as an attachment.

A notable technique used by OilRig in the latest set of attacks involves abusing the elevated privileges to drop a password filter policy DLL (psgfilter.dll), which is used to extract sensitive credentials from domain users via domain controllers or from local accounts on local machines.

“The attacker was very careful with exposed passwords when implementing password filter export features,” the researchers said. “The threat actor also used clear text passwords to gain access and remotely deploy the tools. Plaintext passwords were first encrypted before being stolen when sent over the network.”


It should be noted that the use of psgfilter.dll was observed back in December 2022 in connection with a campaign targeting organizations in the Middle East using another backdoor called MrPerfectionManager.
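A password filter DLL such as psgfilter.dll only receives plaintext passwords once it is registered with LSA, so a defender's first check is the registration itself. The following audit script is an added example, not code from the article or from Trend Micro; it assumes a Windows host, an elevated PowerShell session, and that `scecli` and `rassfm` are the only expected entries (adjust the list for legitimate third-party filters in your environment).

```powershell
# Added example: audit LSA "Notification Packages" for unexpected password filter DLLs.
# LSA loads each listed name as <name>.dll from System32 at boot, so a dropped filter
# must appear here (or be injected some other way) to see password changes.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sys32  = Join-Path $env:SystemRoot 'System32'
# Assumed baseline: 'scecli' is the stock entry; 'rassfm' is common on servers with RRAS/IAS.
$knownPackages = @('scecli', 'rassfm')

function Get-PasswordFilterAudit {
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' `
                    -ErrorAction SilentlyContinue).'Notification Packages'
    foreach ($name in @($packages)) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        $path   = Join-Path $sys32 "$name.dll"
        $exists = Test-Path -LiteralPath $path
        # Authenticode status: 'Valid' for Microsoft-signed binaries, 'NotSigned' for most drops.
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
        $verInfo   = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo } else { $null }
        $unknown   = $knownPackages -notcontains $name.ToLower()
        [pscustomobject]@{
            Package    = $name
            Path       = $path
            Signature  = $sigStatus
            Company    = $verInfo.CompanyName
            Modified   = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTime } else { $null }
            Suspicious = $unknown -or ($sigStatus -ne 'Valid')
        }
    }
}

$audit = Get-PasswordFilterAudit
$audit | Format-Table -AutoSize
# Surface anything that is not on the baseline or not validly signed; review before removing,
# since some organisations run legitimate third-party password filters.
$audit | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("Unexpected password filter '{0}' ({1}, signature: {2})" -f
        $_.Package, $_.Path, $_.Signature)
}
```

If registry auditing (SACL on the Lsa key) is enabled, a change to this value also produces Security event 4657, which gives a timeline anchor for when the filter was registered.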

“Their recent activity suggests that Earth Simnavaz is focused on exploiting vulnerabilities in key infrastructure in geopolitically sensitive regions,” the researchers noted. “They also seek to gain a foothold in compromised facilities so they can use the weapon to attack additional targets.”
