By LBT Technology Group, LLC. on Thursday, 17 October 2024
Category: Security

Windows Kernel vulnerability used in espionage campaign

Threat update

Researchers have observed the well-known cyber espionage group OilRig exploiting a now-patched privilege escalation vulnerability in the Windows Kernel (CVE-2024-30088) in its espionage operations. Read this Cybersecurity Threat Advisory to learn how the campaign works and how to reduce your exposure to it.

Technical Detail and Additional Info

What is the threat?

The campaign begins with the attackers harvesting credentials from Microsoft Exchange servers. Using that initial access, they exploit the privilege escalation vulnerability to raise themselves to administrative privileges on the host. This lets them install and run STEALHOOK and other malicious payloads with elevated rights, maintain control of the compromised machine(s), establish persistence, and exfiltrate data without interruption. OilRig was also observed using the elevated privileges to drop psgfilter.dll, a password filter DLL. A password filter registered with the Local Security Authority is loaded into lsass.exe and is handed the plaintext password every time an account password is set or changed, which is how the attackers harvest further credentials and deploy additional tools remotely.
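A password filter only works if its DLL name is listed in the LSA "Notification Packages" registry value, so that value is the place to look for a dropped filter such as psgfilter.dll. The following PowerShell is an added example for this advisory, not code from LBT or from the researchers who reported the campaign. It assumes it is run elevated on the host being checked, and that the allow-list of expected packages (scecli, plus rassfm on domain controllers) is the stock Windows default; extend it with any filter you have deliberately deployed.

```powershell
# Added example: audit LSA notification packages for an unexpected password filter DLL.
# Assumptions: run as an administrator; $ExpectedPackages reflects the Windows defaults
# (scecli on member systems, rassfm on domain controllers) plus your own approved filters.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ExpectedPackages = @('scecli', 'rassfm')   # assumption: defaults; add approved filters here

function Get-LsaNotificationPackages {
    # 'Notification Packages' is REG_MULTI_SZ; each entry is a DLL base name that
    # lsass.exe loads from System32 at boot and calls on every password change.
    $item = Get-ItemProperty -Path $LsaKey -Name 'Notification Packages' -ErrorAction Stop
    return @($item.'Notification Packages')
}

function Test-NotificationPackage {
    param([Parameter(Mandatory)][string]$Name)

    $finding = [ordered]@{
        Package   = $Name
        Expected  = ($ExpectedPackages -contains $Name)
        Path      = $null
        Signature = 'NotFound'
        Signer    = $null
        LastWrite = $null
    }

    # LSA resolves the entry against System32, appending .dll if it is absent.
    $candidate = Join-Path $env:SystemRoot ("System32\" + $Name)
    if (-not $candidate.EndsWith('.dll', [System.StringComparison]::OrdinalIgnoreCase)) {
        $candidate += '.dll'
    }

    if (Test-Path -LiteralPath $candidate) {
        $finding.Path = $candidate
        # A legitimate filter is Authenticode-signed; a dropped one usually is not.
        $sig = Get-AuthenticodeSignature -FilePath $candidate
        $finding.Signature = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $finding.Signer = $sig.SignerCertificate.Subject }
        $finding.LastWrite = (Get-Item -LiteralPath $candidate).LastWriteTimeUtc
    }

    return [pscustomobject]$finding
}

function Invoke-LsaFilterAudit {
    $results = foreach ($pkg in Get-LsaNotificationPackages) { Test-NotificationPackage -Name $pkg }

    # Flag anything outside the allow-list, anything unsigned, and anything that is
    # registered but missing on disk (a filter removed after use still leaves the entry).
    $suspicious = $results | Where-Object { -not $_.Expected -or $_.Signature -ne 'Valid' }

    $results | Format-Table -AutoSize
    if ($suspicious) {
        Write-Warning ('Unexpected or unsigned LSA notification package(s): ' + ($suspicious.Package -join ', '))
    } else {
        Write-Host 'No unexpected LSA notification packages found.'
    }
    return $suspicious
}

Invoke-LsaFilterAudit
```

Run it across your estate, treating any entry that is not on your allow-list, is unsigned, or was written to System32 recently as an incident to triage rather than a false positive to tune out. Because a filter receives plaintext passwords, every account that changed its password while a rogue entry was present should be considered compromised and reset after the DLL and the registry entry are removed.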

Why is it noteworthy?

The backdoor, dubbed STEALHOOK, is used to maintain persistent access and exfiltrate sensitive data. It is designed to evade detection while carrying out its tasks, including exfiltrating files, credentials, and other sensitive information from compromised systems. Attackers can use it to control the compromised system remotely, execute commands, and move laterally to other systems within the network.

What is the exposure or risk?

OilRig's primary objective is espionage, with high motivation to steal sensitive data. This includes confidential business information, intellectual property, government secrets, and personal data. Gaining full control of a system allows them to install additional malware, disrupt operations, and launch further attacks. Lateral movement capabilities can lead to widespread network compromise, impacting critical infrastructure and services.

What are the recommendations?

LBT Technology Group recommends the following actions to protect your infrastructure against this threat actor:


References

For more in-depth information about the recommendations, please visit the following links:


If you have any questions, please contact LBT's Sales Engineer.
