Iranian hackers use Windows holes to attack critical Gulf and Emirates systems

In addition, the blog noted, OilRig has been using a remote monitoring and management (RMM) tool known as ngrok in their operations.

Sensitive data exfiltration through Windows hacks

The recent cyberattacks have been linked to the exploitation of a vulnerable, public-facing web server through a web shell that let the attackers execute PowerShell code and transfer files. This initial access gave the threat actors a foothold within the network, from which they downloaded the remote management tool ngrok to facilitate lateral movement.

Their primary target was the Domain Controller, a server managing permissions within a Windows domain, which they reached by exploiting CVE-2024-30088, a Windows Kernel Elevation of Privilege vulnerability, according to Trend Micro. The attackers used an exploit binary, loaded via the open-source RunPE-In-Memory tool, to escalate privileges and strengthen their control over the system.
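The chain above (web server worker spawning PowerShell, ngrok appearing on the host, a process jumping to System integrity) can be expressed as three simple detection rules over process-creation telemetry. The following is an added example written for this article, not code from the article or from Trend Micro; it assumes Sysmon Event ID 1-style field names (`Image`, `ParentImage`, `CommandLine`, `IntegrityLevel`, `ProcessGuid`, `ParentProcessGuid`), and the sample events are constructed, not captured from any real incident.

```python
"""Added example: three defender-side rules run over constructed Sysmon-style
process-creation records. Not code from the article or Trend Micro."""

WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}  # web server worker processes
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}                     # interpreters a web shell typically launches
TUNNEL_TOOLS = {"ngrok.exe"}                                           # tunnelling tool named in the article
LOW_LEVELS = {"low", "medium"}                                          # parent levels from which a jump to System is suspicious

# Constructed sample events (field names follow Sysmon Event ID 1; every value is made up).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-10-11 09:12:01", "ProcessGuid": "{guid-1}", "ParentProcessGuid": "{guid-0}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -NonInteractive -Command <constructed>",
     "IntegrityLevel": "Medium"},
    {"UtcTime": "2024-10-11 09:13:40", "ProcessGuid": "{guid-2}", "ParentProcessGuid": "{guid-1}",
     "Image": r"C:\Users\Public\ngrok.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Users\Public\ngrok.exe" start --all',
     "IntegrityLevel": "Medium"},
    {"UtcTime": "2024-10-11 09:20:05", "ProcessGuid": "{guid-3}", "ParentProcessGuid": "{guid-1}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "cmd.exe",
     "IntegrityLevel": "System"},
    # Benign control: an interactive user launching PowerShell from Explorer.
    {"UtcTime": "2024-10-11 09:25:00", "ProcessGuid": "{guid-4}", "ParentProcessGuid": "{guid-9}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process",
     "IntegrityLevel": "Medium"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return findings in event order; each finding is a dict with rule, time and detail.

    Rule 1 (webshell_exec): a web server worker spawns a shell interpreter.
    Rule 2 (tunnel_tool): ngrok is executed or referenced on the command line.
    Rule 3 (integrity_jump): a child runs at System integrity although its
    parent, seen earlier in the stream, was created at Low or Medium integrity.
    """
    findings = []
    level_by_guid = {}  # ProcessGuid -> integrity level recorded at creation
    for e in events:
        image = basename(e.get("Image", ""))
        parent = basename(e.get("ParentImage", ""))
        cmdline = e.get("CommandLine", "").lower()
        level = e.get("IntegrityLevel", "").lower()
        level_by_guid[e.get("ProcessGuid")] = level
        parent_level = level_by_guid.get(e.get("ParentProcessGuid"))

        if parent in WEB_WORKERS and image in SHELLS:
            findings.append({"rule": "webshell_exec", "time": e["UtcTime"],
                             "detail": f"{parent} spawned {image}"})
        if image in TUNNEL_TOOLS or "ngrok" in cmdline:
            findings.append({"rule": "tunnel_tool", "time": e["UtcTime"],
                             "detail": f"{image}: {e.get('CommandLine', '')}"})
        if level == "system" and parent_level in LOW_LEVELS:
            findings.append({"rule": "integrity_jump", "time": e["UtcTime"],
                             "detail": f"{image} at System, parent {parent} was {parent_level}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['rule']:<15} {f['detail']}")
```

The integrity-jump rule only works on an ordered stream in which the parent's creation event was seen first; in a real pipeline, back it with a process cache rather than an in-memory dict, and tune the web-worker and shell lists to the servers actually deployed.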