Iranian hackers use Windows holes to attack critical Gulf and Emirates systems
In addition, the blog noted, OilRig has been using a remote monitoring and management (RMM) tool known as ngrok in their operations.
Sensitive data exfiltration through Windows hacks
The recent cyberattacks have been linked to the exploitation of a vulnerable public-facing web server through a web shell that let the attackers execute PowerShell code and transfer files. This initial access gave the threat actors a foothold within the network, from which they downloaded the remote management tool ngrok to facilitate lateral movement.
Their primary target was the Domain Controller, a server managing permissions within a Windows domain, which they reached by exploiting CVE-2024-30088, a Windows Kernel Elevation of Privilege vulnerability, according to Trend Micro. The attackers used an exploit binary, loaded via the open-source RunPE-In-Memory tool, to escalate privileges and strengthen their control over the system.
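The chain described above (web shell spawning PowerShell, ngrok for tunnelling, an exploit loaded through RunPE-In-Memory) leaves distinct traces in process-creation telemetry. The following is an added detection example written for this page, not code from Trend Micro or the original report: it scores simplified Sysmon-style process events against three rules and flags hosts where all three stages appear. The event fields, the sample events and the process-name lists are constructed assumptions for illustration.

```python
"""Detection example: spot the web shell -> PowerShell -> ngrok -> in-memory loader
chain in process-creation telemetry.  Event fields are modelled loosely on Sysmon
Event ID 1; the sample events below are constructed, not real telemetry."""
import ntpath
from typing import Dict, List

# Assumed process-name lists (extend for your own environment).
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat.exe"}
SHELL_PROCS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TUNNEL_TOOLS = {"ngrok.exe"}
LOADER_MARKERS = ("runpe",)  # RunPE-In-Memory is named on the page; match loosely

# Constructed sample events: web01 shows the full chain, web02 is benign admin
# activity, dev01 runs ngrok legitimately (a single stage, not the whole chain).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-10-01T09:12:03Z", "host": "web01",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -File C:\inetpub\wwwroot\temp\task.ps1"},
    {"ts": "2024-10-01T09:14:40Z", "host": "web01",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"ts": "2024-10-01T09:20:11Z", "host": "web01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\RunPE-In-Memory.exe",
     "cmdline": r"RunPE-In-Memory.exe C:\Users\Public\payload.bin"},
    {"ts": "2024-10-01T09:30:00Z", "host": "web02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File scripts\backup.ps1"},
    {"ts": "2024-10-01T10:05:27Z", "host": "dev01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Tools\ngrok.exe",
     "cmdline": "ngrok.exe http 8080"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules this single event triggers (empty if benign)."""
    hits: List[str] = []
    parent, image = _base(event.get("parent", "")), _base(event.get("image", ""))
    cmd = event.get("cmdline", "").lower()
    # Stage 1: a web server worker spawning a shell is the classic web-shell footprint.
    if parent in WEB_SERVER_PROCS and image in SHELL_PROCS:
        hits.append("webshell_spawn")
    # Stage 2: tunnelling tool by image name or by command line.
    if image in TUNNEL_TOOLS or " ngrok" in f" {cmd}":
        hits.append("tunnel_tool")
    # Stage 3: an in-memory PE loader such as RunPE-In-Memory.
    if any(m in image or m in cmd for m in LOADER_MARKERS):
        hits.append("in_memory_loader")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per (event, rule) pair, keeping host and timestamp for triage."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        for rule in classify(ev):
            findings.append({"host": ev["host"], "ts": ev["ts"],
                             "rule": rule, "image": _base(ev["image"])})
    return findings


def hosts_with_full_chain(events: List[Dict[str, str]]) -> List[str]:
    """Hosts on which all three stages were seen: the strongest signal of this intrusion."""
    per_host: Dict[str, set] = {}
    for f in detect(events):
        per_host.setdefault(f["host"], set()).add(f["rule"])
    needed = {"webshell_spawn", "tunnel_tool", "in_memory_loader"}
    return sorted(h for h, rules in per_host.items() if needed <= rules)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:<6} {f['rule']:<17} {f['image']}")
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Each rule on its own is noisy (developers do run ngrok, administrators do run PowerShell); the value is in correlating the stages per host, which is what `hosts_with_full_chain` does, so that dev01's lone ngrok run is surfaced for review but not escalated the way web01 is.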