Middle Eastern nations targeted by dangerous “OilRig” malware

Experts have raised alarms regarding Iranian threat actors actively seeking login credentials to infiltrate organizations and personal systems within the United Arab Emirates and the broader Gulf region. A recent report from cybersecurity researchers at Trend Micro highlights the activities of a group known as OilRig, also referred to as APT43 or Cobalt Gypsy. This group has been targeting vulnerable servers to deploy web shells, which enable the attackers to execute PowerShell commands on the host and subsequently introduce malware onto the compromised systems.
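The web shell to PowerShell chain described above leaves a characteristic trace in process-creation telemetry: the web server's worker process becomes the parent of a command interpreter. The following detection is an added example written for this page, not code from the article or from Trend Micro. It scores constructed process-creation events in a Sysmon Event ID 1 style; the field names (Image, ParentImage, CommandLine, User, Computer), the hostnames and the sample command lines are assumptions and should be mapped to whatever your EDR or SIEM actually emits.

```python
"""Flag web-server worker processes that spawn command shells.

Added example (not from the article). Events are constructed and use
assumed Sysmon-style field names; adapt them to your telemetry schema.
"""
import re
from typing import Iterable

# Processes that serve HTTP; a web shell executes inside one of these.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
# Interpreters an operator would drive through a web shell.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# PowerShell switches that raise the score when seen from a web worker.
SUSPICIOUS_ARGS = re.compile(r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b)", re.I)

# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    {"Computer": "WEB01", "User": r"IIS APPPOOL\DefaultAppPool",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -Command "Get-ChildItem C:\\inetpub"'},
    {"Computer": "WEB01", "User": r"IIS APPPOOL\DefaultAppPool",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "ADMIN01", "User": r"CORP\jdoe",                  # interactive admin use: benign
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"Computer": "WEB01", "User": r"NT AUTHORITY\SYSTEM",          # normal worker start: benign
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'w3wp.exe -ap "DefaultAppPool"'},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path (handles both / and \\)."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(event: dict) -> int:
    """Score one process-creation event from 0 (uninteresting) to 100."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in WEB_SERVER_IMAGES or child not in SHELL_IMAGES:
        return 0
    score = 70  # a web worker spawning a shell is suspicious on its own
    if SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
        score += 20  # hidden window / encoded command / no profile: typical of remote operation
    if event.get("User", "").upper().startswith("IIS APPPOOL"):
        score += 10  # running as the app-pool identity, not in an admin session
    return min(score, 100)


def find_webshell_spawns(events: Iterable[dict]) -> list[dict]:
    """Return one finding per scoring event, highest score first."""
    findings = []
    for e in events:
        s = score_event(e)
        if s:
            findings.append({"host": e.get("Computer"), "user": e.get("User"),
                             "parent": image_name(e["ParentImage"]),
                             "child": image_name(e["Image"]), "score": s})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in find_webshell_spawns(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints the two WEB01 findings and nothing for the benign events. The parent/child pairing is the load-bearing rule; the command-line and user checks only adjust the score, so a web shell that launches a plain `cmd.exe` still surfaces.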

One of the vulnerabilities exploited by these attackers is identified as CVE-2024-30088. This flaw, which was patched by Microsoft in June 2024, is categorized as a Windows Kernel Elevation of Privilege vulnerability with a high base score of 7.0. By leveraging this weakness, the attackers can escalate their privileges and extract sensitive information from the affected systems.

Affiliation with ransomware players

The malware employed in these operations is known as STEALHOOK, functioning primarily as an infostealer. Its main objective is to exfiltrate data to a command and control (C2) server managed by the attackers. Notably, STEALHOOK has the capability to blend stolen information with legitimate data, transmitting it through an Exchange server.

BleepingComputer has pointed out that OilRig is a state-sponsored entity that remains highly active in the Middle East. Furthermore, there appears to be a connection between OilRig and FOX Kitten, another Iranian-based advanced persistent threat (APT) group involved in ransomware activities. The majority of OilRig’s targets are concentrated in the energy sector, leading Trend Micro to caution that any disruption to these firms could have significant repercussions for the wider population.

Despite the evidence of exploitation associated with CVE-2024-30088, the US Cybersecurity and Infrastructure Security Agency (CISA) has yet to include this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, raising concerns about the potential risks that remain unaddressed.
