Iranian hackers are actively hunting for accounting data that can provide them with access to organizations and personal systems in the UAE and other countries of the Persian Gulf, according to a report by Trend Micro. The hacker group Oilrig, also known as APT43 or Cobalt Gypsy, is targeting vulnerable servers to deploy web shells, allowing them to execute PowerShell and introduce malicious software on servers.
The malicious software exploits the vulnerability CVE-2024-30088 to escalate privileges and steal confidential information. This vulnerability, with a high severity rating of 7.0, was patched by Microsoft in June 2024, addressing an elevation of privilege flaw in the Windows kernel.
The malware Stealhook is used in the attacks to exfiltrate data and transmit it to the attackers’ command server. Stealhook has the capability to mix stolen data with legitimate data and transmit it through the Exchange server.
According to BleepingComputer, Oilrig is a state-sponsored group that remains “very active” in the Middle East region. The group is believed to be associated with another Iranian APT group, Fox Kitten, known for conducting attacks using ransomware programs.
The majority of victims targeted by these cyber attacks are in the energy sector, raising concerns that any disruptions in their operations could have significant impacts on large segments of the population.
Despite evidence of the exploitation of CVE-2024-30088, the US Cybersecurity and Infrastructure Security Agency (CISA) has not yet added this vulnerability to its list of known vulnerabilities.