Advanced Cyberattacks Against UAE and Gulf Regions

Oct. 14, 2024, 10:46 a.m.

Description

Earth Simnavaz, also tracked as APT34 and OilRig, has been actively targeting government entities in the UAE and the wider Gulf region. The group's tradecraft includes a backdoor that abuses Microsoft Exchange servers for credential theft and exploitation of CVE-2024-30088, a Windows kernel elevation-of-privilege vulnerability, to escalate privileges on compromised hosts. Its toolset combines customized .NET tools, PowerShell scripts, and IIS-based malware built to blend in with normal web server traffic. The actor concentrates on exploiting vulnerabilities in key infrastructure in geopolitically sensitive areas with the aim of establishing persistent footholds that can be reused for future operations. Recent activity shows an escalation in cyber espionage, particularly against critical sectors in the UAE, underscoring the continuing threat that state-sponsored actors pose to national security and economic stability.

Date

  • Created: Oct. 14, 2024, 10:21 a.m.
  • Published: Oct. 14, 2024, 10:21 a.m.
  • Modified: Oct. 14, 2024, 10:46 a.m.

Indicators (SHA-256 file hashes)

  • edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef
  • db79c39bc06e55a52741a9170d8007fa93ac712df506632d624a651345d33f91
  • ca98a24507d62afdb65e7ad7205dfe8cd9ef7d837126a3dfc95a74af873b1dc5
  • c0189edde8fa030ff4a70492ced24e325847b04dba33821cf637219d0ddff3c9
  • b3257f0c0ef298363f89c7a61ab27a706e9e308c22f1820dc4f02dfa0f68d897
  • af979580849cc4619b815551842f3265b06497972c61369798135145b82f3cd8
  • abfc8e9b4b02e196af83608d5aaef1771354b32c898852dff532bd8cfd2ce59d
  • 98fb12a9625d600535df342551d30b27ed216fed14d9c6f63e8bf677cb730301
  • a24303234e0cc6f403fca8943e7170c90b69976015b6a84d64a9667810023ed7
  • 7ebbeb2a25da1b09a98e1a373c78486ed2c5a7f2a16eec63e576c99efe0c7a49
  • 6e4f237ef084e400b43bc18860d9c781c851012652b558f57527cf61bee1e1ef
  • 6d8bdd3e087b266d493074569a85e1173246d1d71ee88eca94266b5802e28112
  • 54e8fbae0aa7a279aaedb6d8eec0f95971397fea7fcee6c143772c8ee6e6b498
  • 43c83976d9b6d19c63aef8715f7929557e93102ff0271b3539ccf2ef485a01a7
  • 27a0e31ae16cbc6129b4321d25515b9435c35cc2fa1fc748c6f109275bee3d6c
  • 1d2ff65ac590c8d0dec581f6b6efbf411a2ce5927419da31d50156d8f1e3a4ff
  • 1169d8fe861054d99b10f7a3c87e3bbbd941e585ce932e9e543a2efd701deac2
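The hashes above are only useful if they are actually checked against files on disk. The following script is an added example written for this page, not code from the original advisory or from the vendor that published it: it embeds the 17 SHA-256 indicators listed above, hashes files in chunks (so large binaries do not need to fit in memory), skips symlinks and unreadable files instead of aborting the sweep, and normalises hash case so a feed that publishes upper-case digests still matches. The file names in the usage section are constructed for illustration.

```python
"""Sweep files for SHA-256 matches against the Earth Simnavaz indicators on this page.

Added example for this page; not part of the original advisory or any vendor tooling.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, Iterator, Set, Union

# The 17 SHA-256 file hashes published in the Indicators section above.
IOC_SHA256: Set[str] = {
    "edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef",
    "db79c39bc06e55a52741a9170d8007fa93ac712df506632d624a651345d33f91",
    "ca98a24507d62afdb65e7ad7205dfe8cd9ef7d837126a3dfc95a74af873b1dc5",
    "c0189edde8fa030ff4a70492ced24e325847b04dba33821cf637219d0ddff3c9",
    "b3257f0c0ef298363f89c7a61ab27a706e9e308c22f1820dc4f02dfa0f68d897",
    "af979580849cc4619b815551842f3265b06497972c61369798135145b82f3cd8",
    "abfc8e9b4b02e196af83608d5aaef1771354b32c898852dff532bd8cfd2ce59d",
    "98fb12a9625d600535df342551d30b27ed216fed14d9c6f63e8bf677cb730301",
    "a24303234e0cc6f403fca8943e7170c90b69976015b6a84d64a9667810023ed7",
    "7ebbeb2a25da1b09a98e1a373c78486ed2c5a7f2a16eec63e576c99efe0c7a49",
    "6e4f237ef084e400b43bc18860d9c781c851012652b558f57527cf61bee1e1ef",
    "6d8bdd3e087b266d493074569a85e1173246d1d71ee88eca94266b5802e28112",
    "54e8fbae0aa7a279aaedb6d8eec0f95971397fea7fcee6c143772c8ee6e6b498",
    "43c83976d9b6d19c63aef8715f7929557e93102ff0271b3539ccf2ef485a01a7",
    "27a0e31ae16cbc6129b4321d25515b9435c35cc2fa1fc748c6f109275bee3d6c",
    "1d2ff65ac590c8d0dec581f6b6efbf411a2ce5927419da31d50156d8f1e3a4ff",
    "1169d8fe861054d99b10f7a3c87e3bbbd941e585ce932e9e543a2efd701deac2",
}

PathLike = Union[str, "os.PathLike[str]"]


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (e.g. a mail attachment pulled from a capture)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_files(root: Path) -> Iterator[Path]:
    """Walk root without following symlinks; an attacker-planted link cannot loop or redirect the sweep."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            yield Path(dirpath) / name


def check_paths(paths: Iterable[PathLike], iocs: Iterable[str] = IOC_SHA256) -> Dict[str, str]:
    """Return {path: sha256} for each regular, readable file whose digest is in iocs.

    Digests are compared lowercase so upper-case or mixed-case feed entries still match.
    Missing, symlinked or unreadable (locked, ACL-denied) files are skipped, not fatal.
    """
    wanted = {h.strip().lower() for h in iocs}
    hits: Dict[str, str] = {}
    for raw in paths:
        p = Path(raw)
        if p.is_symlink() or not p.is_file():
            continue
        try:
            digest = sha256_of_file(p)
        except OSError:
            continue
        if digest in wanted:
            hits[str(p)] = digest
    return hits


def sweep(root: PathLike, iocs: Iterable[str] = IOC_SHA256) -> Dict[str, str]:
    """Recursively hash every file under root and report those matching the indicator set."""
    return check_paths(iter_files(Path(root)), iocs)


if __name__ == "__main__":
    import sys

    # Usage: python ioc_sweep.py /path/to/scan   (paths are whatever the analyst chooses)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in sorted(sweep(target).items()):
        print(f"MATCH {digest} {path}")
```

A hit on any of these digests is a high-confidence finding, but the absence of hits says little: the actor's custom .NET and PowerShell tooling is easy to recompile or re-obfuscate, so hash sweeps should be paired with the behavioural techniques listed under Attack Patterns.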

Attack Patterns

  • STEALHOOK (malware family: the backdoor that abuses Microsoft Exchange for credential theft)
  • Earth Simnavaz (intrusion set, also tracked as APT34 / OilRig)
  • T1021.006 (Remote Services: Windows Remote Management)
  • T1505.003 (Server Software Component: Web Shell)
  • T1547.008 (Boot or Logon Autostart Execution: LSASS Driver)
  • T1059.001 (Command and Scripting Interpreter: PowerShell)
  • T1567 (Exfiltration Over Web Service)
  • T1114 (Email Collection)
  • T1095 (Non-Application Layer Protocol)
  • T1204.002 (User Execution: Malicious File)
  • T1219 (Remote Access Software)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1190 (Exploit Public-Facing Application)
  • T1133 (External Remote Services)
  • T1078 (Valid Accounts)
  • T1003 (OS Credential Dumping)

Additional Information

  • Energy
  • Government
  • United Arab Emirates

Linked vulnerabilities