Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Privilege Escalation. Show all posts
Vulnerabilities and Exploits
Iran hackers Microsoft Server OilRig Privilege Escalation Vulnerabilities and Exploits

Iranian Attackers Exploit Windows Bug to Elevate Privileges

 

The Iranian state-sponsored hacking outfit APT34, dubbed OilRig, has recently escalated its activity by launching new campaigns against government and vital infrastructure entities in the United Arab Emirates and the Gulf area. 

OilRig employed a new backdoor to target Microsoft Exchange servers and steal passwords, as well as exploiting the Windows CVE-2024-30088 vulnerabilities to escalate their privileges on affected devices, according to Trend Micro researchers. In addition to the activity, FOX Kitten, another Iran-based APT outfit involved in ransomware attacks, and OilRig have been linked by Trend Micro. 

The attacks observed by Trend Micro start with the exploitation of an unprotected web server to upload a web shell, enabling the hackers to execute remote code and PowerShell commands. Once the web shell is activated, OilRig uses it to launch additional tools, including a component that exploits the Windows CVE-2024-30088 bug. 

CVE-2024-30088 is a high-severity privilege escalation vulnerability that Microsoft patched in June 2024, allowing attackers to elevate their privileges to the SYSTEM level and gain significant control over the compromised devices. 

Microsoft has identified a proof-of-concept exploit for CVE-2024-30088, although it hasn't yet disclosed on its security portal that the vulnerability is being actively exploited. Furthermore, CISA has not listed it as having been previously exploited in its catalogue of known exploited vulnerabilities.

Following a password change event, OilRig downloads and installs 'ngrok,' a remote monitoring and management application that enables covert communications via secure tunnels. This allows the tool to intercept plaintext credentials. 

The use of on-premise Microsoft Exchange servers by threat actors as a means of credential theft and sensitive data exfiltration through fake, difficult-to-identify email traffic is another novel strategy. 

The exfiltration is accomplished using a new backdoor known as 'StealHook,' and Trend Micro claims that government infrastructure is frequently employed as a pivot point to make the operation appear authentic. 

"The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments," notes Trend Micro in the report. "Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers.”
Read more »
Windows 11
Cyber Security DLL Search Order Hijacking Exploitation Malicious Code Privilege Escalation Security Bypass Security Joes Threat actors Windows 10 Windows 11

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

 

Security researchers have outlined a fresh variant of a dynamic link library (DLL) search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.

The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique. By doing so, adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.

DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.

Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs, named after legitimate ones. This tricks the system into loading the attack code-containing library instead of the authentic one.

The unique aspect introduced by Security Joes focuses on files within the trusted "C:\Windows\WinSxS" folder. WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.

According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique. The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods. This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.

Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions. They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.
Read more »
Subscribe to: Posts (Atom)