
High-severity Windows flaw exploited in hacker gang attacks

Take action: If you haven't patched your Windows since June, patch it NOW. There are many exploited vulnerabilities, including CVE-2024-30088. And educate your users not to execute PowerShell commands (pressing Ctrl-C, then Ctrl-V into powershell.exe) to "verify that they are not a robot".



In a series of cyberattacks targeting critical infrastructure and government organizations across the United Arab Emirates and other Gulf region countries, the Iranian state-sponsored advanced persistent threat (APT) group OilRig (also known as APT34) exploited a severe Windows privilege escalation vulnerability tracked as CVE-2024-30088.

According to a report from Trend Micro, the attackers leveraged this flaw to compromise systems, allowing them to conduct a wide range of malicious activities, including credential theft and covert communications.

OilRig initiated the attacks by injecting PowerShell commands into vulnerable web servers or Windows computers. Note that there are many phishing and website scams persuading users to execute PowerShell commands to "verify that they are not a robot".

Once they had established a foothold, they exploited CVE-2024-30088, a high-severity Windows vulnerability that enables privilege escalation. After the breach, they carried out:

  • Password filter DLL registration: Capturing plaintext credentials through password filters.
  • Ngrok utility installation: Used to create covert communication channels.
  • Targeting Microsoft Exchange servers: Using the newly discovered StealHook backdoor.
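
As an added defensive example (not from the Trend Micro report or this article): the password filter DLL registration step above leaves a trace in the LSA "Notification Packages" registry value, and this PowerShell audit lists every registered package and flags any outside an assumed Windows-default baseline (scecli, plus rassfm on domain controllers), also checking whether each DLL exists in System32 and carries a valid signature.

```powershell
# Added example, not part of the original article.
# Audits LSA password filter (Notification Packages) registrations on the local host.
# The baseline below is an assumption for a stock Windows install; adjust it to your gold image.
function Get-PasswordFilterAudit {
    param(
        # Windows defaults: 'scecli' everywhere, 'rassfm' additionally on domain controllers
        [string[]] $KnownGood = @('scecli', 'rassfm')
    )

    $keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # REG_MULTI_SZ comes back as a string array; each entry is a DLL base name without extension
    $packages = (Get-ItemProperty -Path $keyPath -Name 'Notification Packages').'Notification Packages'

    foreach ($pkg in $packages) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }

        # LSA loads <name>.dll from System32, so that is where the registered filter must live
        $dllPath = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $status  = if ($KnownGood -contains $pkg) { 'baseline' } else { 'UNEXPECTED' }
        $sig     = if (Test-Path $dllPath) {
                       (Get-AuthenticodeSignature -FilePath $dllPath).Status
                   } else { 'FILE MISSING' }

        [pscustomobject]@{
            Package   = $pkg
            Status    = $status
            Path      = $dllPath
            Signature = $sig
        }
    }
}

# Show only entries that deviate from the baseline or are unsigned
Get-PasswordFilterAudit | Where-Object { $_.Status -ne 'baseline' -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Run it elevated on each host you want to check; any package outside your own baseline, or any baseline name whose DLL is unsigned, deserves a closer look at how and when it was registered.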

Researchers linked the StealHook backdoor installed in these attacks to OilRig. Its primary function is to capture stolen passwords and transmit them to the attackers as email attachments. These emails are routed through government Exchange servers using legitimate accounts with stolen passwords, further complicating detection.

Organizations are urged to patch this vulnerability and to educate their users about PowerShell-based attacks.
