Iranian threat actors, specifically the group known as OilRig (also referred to as APT43 or Cobalt Gipsy), are actively harvesting login credentials to infiltrate organizations and personal systems in the UAE and the wider Gulf region. They compromise vulnerable servers to deploy web shells, which let them execute PowerShell commands and drop malware.

One vulnerability exploited in these intrusions is CVE-2024-30088, a Windows Kernel Elevation of Privilege flaw with a high CVSS base score of 7.0, which Microsoft patched in June 2024. It enables attackers to escalate privileges and extract sensitive information.

The malware used in these operations is STEALHOOK, an infostealer that exfiltrates data to a command-and-control server and can blend stolen information with legitimate data. OilRig is state-sponsored and primarily targets the energy sector; it has connections to another Iranian APT group, FOX Kitten, which is involved in ransomware. Despite evidence of exploitation of CVE-2024-30088, the US Cybersecurity and Infrastructure Security Agency (CISA) has not added it to its Known Exploited Vulnerabilities (KEV) catalog.
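The web shell to PowerShell chain described above leaves a distinctive trace in endpoint telemetry: a web server worker process (IIS's w3wp.exe, for example) spawning a command interpreter, which it has no legitimate reason to do. The following detection logic is an added example written for this page, not code from the report or from any named vendor; the process-creation records, the parent/child process lists and the `-enc PLACEHOLDER_BASE64` argument are all constructed, and the field names are only loosely modelled on Sysmon Event ID 1.

```python
"""Flag command interpreters spawned by web server worker processes.

A web server that launches powershell.exe or cmd.exe is a strong signal that
a web shell is relaying attacker commands. The event records below are
constructed for this example and do not come from any real incident.
"""
import os
import re
from dataclasses import dataclass

# Constructed process-creation records (fields loosely follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64",
     "user": r"IIS APPPOOL\DefaultAppPool"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami",
     "user": r"IIS APPPOOL\DefaultAppPool"},
    {"parent_image": r"C:\Windows\explorer.exe",          # benign: interactive user
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem",
     "user": r"CORP\alice"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",  # benign: worker recycle
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "w3wp.exe -ap DefaultAppPool",
     "user": r"IIS APPPOOL\DefaultAppPool"},
]

# Web server worker processes that should never launch a shell (assumed list).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat9.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Arguments that commonly accompany fileless PowerShell stagers; their presence
# raises the severity but is not required to fire.
STAGER_ARGS = re.compile(
    r"-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|\biex\b|downloadstring",
    re.IGNORECASE,
)


@dataclass
class Finding:
    parent: str
    child: str
    user: str
    severity: str
    reason: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def flag_webshell_spawns(events):
    """Return one Finding per web-server-spawned shell, ordered as in the input."""
    findings = []
    for ev in events:
        parent = _basename(ev["parent_image"])
        child = _basename(ev["image"])
        if parent not in WEB_SERVER_PARENTS or child not in SHELL_CHILDREN:
            continue
        if STAGER_ARGS.search(ev["command_line"]):
            severity = "high"
            reason = "web server spawned a shell with stager-style arguments"
        else:
            severity = "medium"
            reason = "web server spawned a command interpreter"
        findings.append(Finding(parent, child, ev["user"], severity, reason))
    return findings


if __name__ == "__main__":
    for f in flag_webshell_spawns(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.parent} -> {f.child} as {f.user}: {f.reason}")
```

The rule deliberately fires on the parent/child relationship alone and uses the command-line heuristics only to rank severity, so an attacker who avoids the well-known PowerShell flags is still caught; the trade-off is that any legitimate application pool that genuinely shells out will need an explicit allow-list entry.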