
New Cybersecurity Threat for the Middle Eastern Countries: OilRig Malware


Cybersecurity experts warn of a new threat against organisations in the Middle East, and more specifically in the United Arab Emirates and other Gulf countries. An Iranian state-sponsored group known as OilRig is harvesting login credentials to gain access to organisations' systems, with a focus on infiltrating key infrastructure in the region.


Role of OilRig in Attacks

OilRig is a notorious state-sponsored hacking group, also tracked as APT34 and Cobalt Gypsy, and attributed to the Iranian government. In previous campaigns, OilRig has mainly focused on exposed servers, compromising them with web shells: small pieces of malicious code planted on a web server that let the attackers run commands on it remotely, including PowerShell scripts. That initial foothold is then used to dig deeper into the victim's network.

Once on the server, the group exploits CVE-2024-30088, a Windows vulnerability that Microsoft patched in June 2024. The flaw lets the attackers elevate their privileges, giving them access to parts of the system that would otherwise be off limits and removing the restrictions their initial foothold operated under. According to Microsoft, it is a high-severity vulnerability with a CVSS base score of 7.0.


How the Malware Works

The attack uses a sophisticated piece of malware referred to as StealHook. StealHook gathers sensitive information from infected systems and blends the stolen data in with legitimate traffic so that it can operate undetected, then sends it back to the attackers through an Exchange server. Because the exfiltration travels as ordinary email traffic, it stays hidden from security defences, and the attackers can quietly extract sensitive information without immediately raising an alarm.


Ties to Ransomware and Other APT Groups

OilRig's operations are closely related to those of another Iranian threat group, Fox Kitten, which is particularly infamous for ransomware campaigns. These connections suggest a broader strategy by Iranian hacking groups of targeting and disrupting key industries, with a specific focus on the energy sector. According to Trend Micro, most of OilRig's targets fall in the energy sector, where a disruption could have ripple effects at regional and global levels: energy supply lines make up such a large part of the region's infrastructure that any extended interference could seriously affect daily life.


Vulnerability Not Yet Flagged By CISA

Although the flaw is believed to be actively exploited, the United States Cybersecurity and Infrastructure Security Agency (CISA) had, at the time of writing, yet to add CVE-2024-30088 to its Known Exploited Vulnerabilities (KEV) catalogue. Organisations rely on that catalogue to decide which vulnerabilities to patch first, so its absence from the list means affected organisations cannot wait for a listing: they need to be aware of the threat and patch their systems proactively.

Among the many malware campaigns that have lately targeted the Middle East, OilRig reflects the rising complexity and frequency of cyber attacks, and energy sector organisations in particular need to be alert to such sophisticated intrusions. The exploitation of CVE-2024-30088 illustrates the critical and constant risk posed by state-sponsored actors, and it underlines the need for timely software updates and strong security controls against unauthorised access and data theft.

Companies and individuals alike therefore need to protect their information systems against these advanced threats. With proactive measures and awareness, an OilRig intrusion can be stopped before its follow-on actions do their worst.


Iranian Attackers Exploit Windows Bug to Elevate Privileges


The Iranian state-sponsored hacking outfit APT34, also tracked as OilRig, has recently escalated its activity by launching new campaigns against government and critical infrastructure entities in the United Arab Emirates and the wider Gulf region.

According to Trend Micro researchers, OilRig used a new backdoor to target Microsoft Exchange servers and steal passwords, and exploited the Windows CVE-2024-30088 vulnerability to escalate its privileges on compromised devices. Trend Micro has also linked OilRig to Fox Kitten, another Iran-based APT outfit involved in ransomware attacks.

The attacks observed by Trend Micro start with the exploitation of a vulnerable web server to upload a web shell, which lets the hackers execute remote code and PowerShell commands. Once the web shell is in place, OilRig uses it to launch additional tools, including a component that exploits the Windows CVE-2024-30088 bug.
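The chain described here (and in the "Role of OilRig in Attacks" section of the first post above) leaves a distinctive trace in process-creation telemetry: an IIS worker process spawning a shell or PowerShell, and later the ngrok tunnelling binary being launched. The following detection logic is an added example, not code from Trend Micro or from this blog; it runs over constructed Sysmon Event ID 1 / Security 4688 style events reduced to the handful of fields it needs, and the host names, users, paths and command lines in the sample are made up. The extra web-server parent names beside w3wp.exe are an assumption about where else a web shell might run, not something the report states.

```python
"""
Flag two behaviours from the OilRig chain in process-creation events:
  * a web server worker (w3wp.exe for IIS) spawning cmd/PowerShell, the usual
    sign of a web shell executing operator commands;
  * ngrok being launched, the tunnelling tool the report says OilRig installs
    for covert remote access.
Added example; sample events are constructed, not real telemetry.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# w3wp.exe is the IIS worker the report implies; httpd/tomcat are assumed extras.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TUNNEL_TOOLS = {"ngrok.exe"}


def basename(path):
    """Case-insensitive file name from a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, host, detail) tuples for every matching event."""
    alerts = []
    for e in events:
        parent = basename(e.parent_image)
        child = basename(e.image)
        if parent in WEB_SERVER_PARENTS and child in SHELLS:
            alerts.append(("webshell_spawns_shell", e.host,
                           f"{parent} -> {child}: {e.command_line}"))
        # Match the binary name, and also a renamed copy whose command line
        # still reveals itself (ngrok keeps its own name in usage strings).
        if child in TUNNEL_TOOLS or "ngrok" in e.command_line.lower():
            alerts.append(("tunnel_tool_execution", e.host, e.command_line))
    return alerts


# Constructed sample: one benign workstation event, then an Exchange host where
# the IIS worker runs an encoded PowerShell command and ngrok is started.
SAMPLE_EVENTS = [
    ProcEvent("WS042", "CORP\\alice", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent("EXCH01", "IIS APPPOOL\\DefaultAppPool",
              r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("EXCH01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\ProgramData\ngrok.exe", "ngrok.exe tcp 3389"),
    ProcEvent("EXCH01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def run_sample():
    """Run the rules over the constructed events; expect exactly two alerts."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"[{rule}] {host}: {detail}")
```

In production the same two rules map directly onto a SIEM query over ParentImage/Image fields; the second rule's substring match on the command line is deliberately loose and should be tuned against the environment's own baseline.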

CVE-2024-30088 is a high-severity privilege escalation vulnerability in the Windows kernel that Microsoft patched in June 2024; it lets attackers elevate their privileges to SYSTEM level and gain near-complete control over the compromised devices.

Microsoft has acknowledged a proof-of-concept exploit for CVE-2024-30088, although at the time of writing it had not marked the vulnerability as actively exploited on its security portal, and CISA had not added it to its catalogue of Known Exploited Vulnerabilities.

OilRig also abuses the Windows password filter mechanism: a malicious password filter DLL registered on the server receives every new password in plaintext whenever a password change event occurs. In parallel, the group downloads and installs 'ngrok', a tunnelling tool that gives it covert remote access to the compromised host through an encrypted tunnel.
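Password filters are loaded by LSA from the REG_MULTI_SZ value `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages`, and each listed DLL's PasswordChangeNotify export is handed the new plaintext password, which is what makes the technique above work. A quick way to hunt for it is to compare that value against the stock entries. The check below is an added example, not Trend Micro's or the blog's code: the baseline of `scecli` and `rassfm` is what a domain controller normally carries (an assumption about your build; member servers usually have only `scecli`), the sample registry contents are constructed, and the made-up name `pwdfilt` stands in for whatever an attacker would register.

```python
"""
Report unexpected Windows password filter DLLs. LSA loads every DLL named in
the 'Notification Packages' value and calls its PasswordChangeNotify export
with the new plaintext password, so a rogue entry here is a credential tap.
Added example; the sample registry values are constructed.
"""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"

# Stock entries on a domain controller (assumed baseline; adjust per build):
# scecli = security configuration client, rassfm = RAS SAM/LM hash support.
BASELINE = {"scecli", "rassfm"}


def rogue_packages(packages, baseline=BASELINE):
    """Return entries of the Notification Packages value not in the baseline.

    Entries are DLL names, normally without the .dll suffix; the comparison
    ignores case and an optional suffix, and returns the original strings so
    the report shows exactly what the registry holds.
    """
    rogue = []
    for name in packages:
        n = name.strip().lower()
        if not n:
            continue
        if n.endswith(".dll"):
            n = n[:-4]
        if n not in baseline:
            rogue.append(name)
    return rogue


def read_live_packages():
    """Read the live value from the local registry (Windows only)."""
    if sys.platform != "win32":
        raise OSError("registry check only runs on Windows")
    import winreg  # stdlib on Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    if kind != winreg.REG_MULTI_SZ:
        raise ValueError(f"unexpected registry type {kind} for {VALUE_NAME}")
    return list(value)


# Constructed examples: a clean DC and one with an extra, unexplained DLL.
CLEAN_DC = ["scecli", "rassfm"]
SUSPECT_DC = ["scecli", "rassfm", "pwdfilt"]   # 'pwdfilt' is a made-up name


if __name__ == "__main__":
    try:
        packages = read_live_packages()
    except OSError:
        packages = SUSPECT_DC          # fall back to the constructed sample
    for name in rogue_packages(packages):
        print(f"unexpected password filter registered: {name}")
```

A hit is only the starting point: confirm the DLL actually exists in System32, check its signature and creation time, and remember that removing the entry does not take effect until LSA restarts, so the host needs a reboot after clean-up.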

Another novel tactic is the use of on-premises Microsoft Exchange servers for credential theft and the exfiltration of sensitive data through fake, hard-to-spot email traffic.

The exfiltration is carried out by a new backdoor known as 'StealHook', and Trend Micro says that government infrastructure is frequently used as a pivot point to make the operation look legitimate.

"The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments," notes Trend Micro in the report. "Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers."