Iranian threat actors are on the hunt for login credentials that can grant them access to organizations and personal systems of people in the United Arab Emirates and the broader Gulf region, experts have warned.
A report from cybersecurity researchers Trend Micro claims a group called OilRig (AKA APT43, or Cobalt Gipsy) has been going after vulnerable servers that they can use to deploy web shells. These, in turn, allow them to run PowerShell and consequently - deploy malware on the servers.
The malware then abuses a vulnerability tracked as CVE-2024-30088 to escalate privileges and allow the crooks to exfiltrate sensitive information. This vulnerability, patched by Microsoft in June 2024, is described as a Windows Kernel Elevation of Privilege flaw and has a base score of 7.0 (high).
Affiliation with ransomware players
The name of the malware used in these attacks is STEALHOOK. It essentially serves as an infostealer, since its goal is to exfiltrate data to a command & control (C2) server, operated by the attackers. What’s interesting about STEALHOOK is that it blends this information with legitimate one, and sends it out via an Exchange server.
BleepingComputer points out that OilRig is a state-sponsored actor, adding the group “remains highly active” in the Middle East region, and that it seems to be affiliated with FOX Kitten, another Iran-based APT group involved in ransomware attacks.
The majority of the targets work in the energy sector, Trend Micro concluded, warning that any disruption to the operation of these firms could impact the wider population greatly.
Despite there being evidence of abuse, the US Cybersecurity and Infrastructure Agency (CISA) is yet to place CVE-2024-30088 on its Known Exploited Vulnerabilities (KEV) catalog.
More from TechRadar Pro
- Iranian hackers work with ransomware gangs to break into companies via VPN and firewall tools
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now