OilRig Exploits a Vulnerability in Windows
The cyber attackers behind this campaign are exploiting a flaw in the Windows operating system known as CVE-2024-30088. This flaw, which has since been patched by Microsoft, allowed the attackers to elevate their privileges, gaining higher levels of control within the system. By winning a “race condition,” they could trick the computer into giving them full access, effectively turning them into system administrators.
The flaw gave the hackers the ability to use a type of malware, a backdoor known as STEALHOOK, to steal sensitive data. This malware was designed to sneak into systems by taking advantage of weaknesses in Microsoft Exchange servers. Once inside, it could grab credentials and send them to a remote email controlled by the attackers. The data was transmitted as attachments, making it even harder to detect.
How Cyber Attacks on Industrial Control Systems Can Endanger Lives ?
OilRig Attacks Through Web Servers
OilRig began its attacks by targeting vulnerable web servers, sneaking in by dropping a “web shell.” A web shell is like a hidden backdoor that hackers can use to control the server remotely. Once inside, they use a tool called “ngrok” to maintain access, allowing them to stay hidden and move across the network without detection.
The attackers then used the CVE-2024-30088 vulnerability to give themselves full control of the compromised systems. By doing so, they were able to install their malware backdoor, STEALHOOK, which helped them transmit the stolen credentials back to their servers for further exploitation. This backdoor provided them with a secure route to steal information without being easily caught.
Cyberattack Catastrophe: How Hackers Can Endanger Human Lives ?
OilRig’s tactics have been described as both sophisticated and persistent. They seem to focus on geopolitical targets, aiming to gather critical intelligence by attacking key infrastructure. This includes not only business organizations but also government and defense systems in the Gulf region.
Stealing Passwords With Advanced Techniques
One of the most concerning aspects of OilRig’s latest attack was their use of a specialized tool called “psgfilter.dll.” This tool allowed the attackers to steal passwords directly from domain controllers or local machines, including sensitive credentials from users and administrators. The password filter policy DLL was secretly placed into the system, enabling them to gather cleartext passwords.
What made this attack even more dangerous was how carefully the hackers handled the stolen passwords. Once they obtained the plaintext passwords, they encrypted them to avoid detection and then exfiltrated (stole) them over the network. The group used these passwords to gain access to other parts of the system, deploying tools remotely to maintain their grip on the compromised networks.
The Dark Side of AI: How Cybercriminals Use AI for Attacks
Cybersecurity experts had seen this method of stealing passwords before in a previous campaign back in December 2022. In that earlier attack, OilRig used a similar backdoor known as MrPerfectionManager to target organizations in the Middle East. This shows that the group has been refining its methods and adapting its tactics over time.
Targeting Critical Infrastructure
The recent attacks by OilRig highlight their focus on exploiting vulnerabilities in crucial systems, particularly in geopolitically sensitive regions like the Gulf. They aim to gain long-term access to compromised networks, using them as stepping stones for future attacks. This pattern of behavior has made them one of the most persistent and dangerous cyber threats in the region.
In this latest campaign, they have not only infiltrated networks but also stayed hidden for long periods, collecting information for espionage purposes. Their use of sophisticated tools like STEALHOOK and psgfilter.dll shows that they are continuously upgrading their methods to stay ahead of security defenses.
Cybersecurity experts are closely monitoring OilRig’s activities and working to counter the group’s persistent attacks. Despite patching vulnerabilities like CVE-2024-30088, the threat remains serious, as the group quickly adapts to new circumstances. Their ability to exploit recently discovered vulnerabilities, as well as their persistence in targeting high-value organizations, makes them a constant threat.
The campaign against organizations in the Gulf region highlights the importance of maintaining updated security measures. It stresses the need to swiftly address software vulnerabilities. These attacks remind us of the critical need for vigilance as cyber threats evolve with new techniques and tools.