The Iranian threat actor OilRig has been observed exploiting a privilege escalation flaw in the Windows kernel, CVE-2024-30088, in a cyber espionage campaign aimed at the UAE and the wider Gulf region. Reported tactics include deploying backdoors through Microsoft Exchange servers, establishing persistence with the ngrok tool, and using a backdoor named STEALHOOK to exfiltrate harvested data. The attack chain involves dropping a web shell on a vulnerable web server, leveraging plaintext passwords to gain access and deploy tools remotely, abusing elevated privileges to extract credentials, and using psgfilter.dll to collect sensitive credentials.
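The credential-harvesting DLL named above, psgfilter.dll, works by being registered as an LSA password filter, so a cheap host-level check is to audit which password filters LSA is configured to load. The script below is an added example for defenders, not code from the article or from any vendor report; it assumes it is run as Administrator on the host being checked, and the `$baseline` list (the default Windows entries `scecli` and, on domain controllers, `rassfm`) is an assumption that should be adjusted to each environment.

```powershell
# Added example: audit the LSA "Notification Packages" value that password-filter
# DLLs (the mechanism psgfilter.dll abuses) are registered through.
# Assumptions: run elevated; $baseline reflects a default install and is site-specific.
function Get-LsaPasswordFilterAudit {
    param(
        # Default Notification Packages on a stock install (assumed baseline; extend per site).
        [string[]]$Baseline = @('scecli', 'rassfm')
    )

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # REG_MULTI_SZ of DLL base names (no ".dll") that LSA loads at boot and calls on
    # every password change; any entry outside the baseline deserves a closer look.
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

    foreach ($name in $packages) {
        # LSA resolves the name against System32, so that is where the DLL should live.
        $dllPath = Join-Path $env:SystemRoot ('System32\' + $name + '.dll')
        $status  = if ($Baseline -contains $name) { 'baseline' } else { 'UNEXPECTED' }

        # An unsigned or missing filter DLL is a strong secondary indicator.
        $signature = 'missing'
        if (Test-Path -Path $dllPath) {
            $signature = (Get-AuthenticodeSignature -FilePath $dllPath).Status
        }

        [pscustomobject]@{
            Package   = $name
            Path      = $dllPath
            Status    = $status
            Signature = $signature
        }
    }
}

# Usage: list every registered filter; anything flagged UNEXPECTED or not 'Valid' is a lead.
Get-LsaPasswordFilterAudit | Format-Table -AutoSize
```

Because the value is read at boot, a newly dropped filter only becomes active after a restart, so pairing this check with monitoring for writes to the `Notification Packages` value gives earlier warning than the audit alone.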

OilRig exploits Windows Kernel flaw in espionage campaign targeting UAE and Gulf

The group's goal is to target organizations in geopolitically sensitive regions, establish persistent footholds in compromised entities, and potentially weaponize them for further attacks, showcasing a focus on exploiting vulnerabilities in critical infrastructure.
https://thehackernews.com/2024/10/oilrig-exploits-windows-kernel-flaw-in.html