Windows Kernel vulnerability used in espionage campaign
Threat update
Researchers have observed the well-known cyber espionage group OilRig exploiting a now-patched privilege escalation vulnerability (CVE-2024-30088) in the Windows Kernel to conduct espionage operations. Read this Cybersecurity Threat Advisory to learn more about the espionage campaign and how to avoid becoming a victim of the campaign.
Technical Detail and Additional Info
What is the threat?
The espionage campaign starts with attackers exfiltrating credentials from Microsoft Exchange servers. Once the attacker gains access, the privilege escalation vulnerability is exploited to promote administrative privileges. This enables the attacker to install and execute STEALHOOK and other malicious payloads with elevated access rights. They can then maintain control over the compromised machine(s), establish persistence, and exfiltrate data without interruption. It was observed that OilRig leverages elevated privilege to drop psgfilter.dll, which is a password filter policy DLL. This file allows them to further extract sensitive credentials and deploy more tools remotely.
Why is it noteworthy?
The backdoor, dubbed STEALHOOK, is used to maintain persistent access and exfiltrate sensitive data. It is designed to evade detection to perform various malicious activities, including exfiltrating files, credentials, and other sensitive information from compromised systems. Attackers can remotely control the compromised system and execute commands and provides lateral movement to other systems within the network.
What is the exposure or risk?
OilRig's primary objective is espionage, with high motivation to steal sensitive data. This includes confidential business information, intellectual property, government secrets, and personal data. Gaining full control of a system allows them to install additional malware, disrupt operations, and launch further attacks. Lateral movement capabilities can lead to widespread network compromise, impacting critical infrastructure and services.
What are the recommendations?
LBT Technology Group recommends the following actions to protect your infrastructure against this threat actor:
- Apply the security update for CVE-2024-30088, patched by Microsoft in June 2024, to mitigate the vulnerability.
- Implement services, such as MRSP Endpoint Security, for real-time threat detection and response capabilities.
- Segment your network to limit the impact of a potential breach.
- Leverage network security services, such as MRSP XDR Network Security, to monitor and detect suspicious traffic within your network infrastructure.
- Enforce multi-factor authentication for all user accounts to prevent unauthorized access.
References
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact LBT's Sales Engineer.
Comments