Shadow of OilRig: Iran hits UAE's infrastructure

CVE-2024-30088 allows attackers to steal data via STEALHOOK.

The Iranian hacking group OilRig (also known as APT43 or Cobalt Gypsy) has stepped up attacks on organizations and personal systems in the United Arab Emirates and the Gulf countries. Cybersecurity experts from Trend Micro reported that the attackers are hunting for credentials to access servers, which they then use to install malicious code.

The attacks target vulnerable servers, where the hackers deploy web shells that let them execute PowerShell scripts and install malware. One of the key elements of the attack is the exploitation of CVE-2024-30088, which Microsoft patched in June 2024. The vulnerability is classified as critical with a base score of 7.0 and is a privilege-escalation vulnerability in the Windows kernel.
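The web-shell-to-PowerShell step described above is one a defender can hunt for in process-creation telemetry: a web server worker process should almost never spawn a shell. The following is an added detection example, not code from the article or from Trend Micro; it assumes Sysmon-style field names (ParentImage, Image, CommandLine, Computer) exported as JSON lines, assumes IIS (w3wp.exe) and similar web server processes as parents, and uses constructed sample events.

```python
import json
import re
from typing import Dict, List, Optional

# Assumed parent processes that host server-side web code; a web shell running
# OS commands normally shows up as a child of one of these.
WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}
SHELL_PROCESSES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line traits that raise severity: encoded or hidden PowerShell and
# download cradles are typical of malware being staged through a web shell.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*|-nop\w*|-w(indowstyle)?\s+hidden|\biex\b|downloadstring|invoke-webrequest)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if a web server process spawned a shell, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in WEB_SERVER_PROCESSES or child not in SHELL_PROCESSES:
        return None
    cmd = event.get("CommandLine", "")
    severity = "high" if SUSPICIOUS_ARGS.search(cmd) else "medium"
    return {"host": event.get("Computer", "?"), "parent": parent,
            "child": child, "severity": severity, "cmdline": cmd}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Scan JSON-lines process-creation events; malformed lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad export line should not abort the whole scan
        hit = classify_event(event)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (not real telemetry): two web-shell children on an
# Exchange host, one benign admin script, one benign console host child.
SAMPLE_LOG = r"""
{"Computer": "EXCH01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"Computer": "EXCH01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"Computer": "WS07", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"Computer": "EXCH01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "conhost.exe 0x4"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['host']}: {f['parent']} -> {f['child']}: {f['cmdline']}")
```

On the constructed sample the scan returns two findings for EXCH01 (the encoded PowerShell as high, the plain cmd.exe as medium) and ignores the explorer.exe and conhost.exe events.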

The malware known as STEALHOOK plays an important role in these attacks. This malicious code collects and transmits data to a command-and-control (C2) server controlled by the hackers. A feature of STEALHOOK is the ability to disguise stolen information as legitimate data and send it through Microsoft Exchange servers, which makes it difficult to detect.

Experts emphasize that OilRig is a state-sponsored hacking group backed by Iran. It remains one of the most active groups in the Middle East and is likely linked to another Iranian group, FOX Kitten, which has previously been seen in ransomware attacks. Most of the attacks are aimed at the energy sector, which is a serious concern, as any disruption to these businesses can cause significant damage not only to the organizations themselves but also to the general public.

Despite evidence of exploitation of CVE-2024-30088, the US Cybersecurity and Infrastructure Security Administration (CISA) has not yet added it to its Known Exploited Vulnerabilities (KEV) catalog.
