
Cybercriminals attack critical infrastructure in UAE and Middle East


An advanced persistent threat (APT) group, Earth Simnavaz, aka APT34 and OilRig, is ramping up its activities. It is primarily targeting the energy sector, government agencies, and other critical infrastructure, with a sharp focus on the United Arab Emirates (UAE) and neighbouring Gulf countries.

APT34 has developed a notorious reputation for conducting cyber espionage campaigns in geopolitically sensitive regions. Its tactics, techniques, and procedures (TTPs) have evolved, making its operations more difficult to detect and counter.

As researchers found, the group’s latest efforts highlight its persistent strategy of exploiting vulnerabilities to infiltrate high-value targets, exfiltrate sensitive data, and maintain long-term access to compromised systems.

“This new backdoor facilitates the exfiltration of sensitive credentials, including accounts and passwords, through on-premises Microsoft Exchange servers. Such tactics not only reflect the group’s evolving methodologies but also highlight the persistent threat posed to organizations reliant on these platforms,” researchers noted.

[Figure: The attack chain explained. | Source: Trend Micro]

One of the key developments in Earth Simnavaz’s recent campaign is the deployment of a newly discovered backdoor closely resembling malware associated with the group’s previous attacks. This backdoor enables attackers to steal sensitive credentials, such as passwords and account information, from compromised on-premises Microsoft Exchange servers.

The APT has also been observed abusing the password filter policy on compromised systems to extract plaintext passwords. By manipulating the password validation process, attackers can capture credentials each time a user updates their password, significantly compromising the security of targeted environments.

In addition, the group has exploited the CVE-2024-30088 vulnerability in Windows systems to escalate privileges, allowing them to execute malicious code with SYSTEM-level access. This vulnerability, patched in June, remains a key weapon in the group’s toolkit, facilitating lateral movement and deeper infiltration into networks.

[Figure: Registering the DLL with the LSA. | Source: Trend Micro]

Researchers observed a worrying trend while analysing this group. Earth Simnavaz has integrated the remote monitoring and management (RMM) tool ngrok into its operations. While ngrok is a legitimate tool for creating secure tunnels, the group has repurposed it for malicious use, leveraging it to maintain persistence and facilitate command-and-control (C&C) operations.

This enables attackers to bypass firewalls and other network security measures, allowing them to exfiltrate data and retain control over compromised systems covertly.

Experts revealed that the group employed ngrok after gaining initial access through a web shell uploaded to vulnerable servers. Once inside the network, Earth Simnavaz used PowerShell scripts to download and install the RMM tool, establishing a secure tunnel to their command servers.
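A host-level hunt for the ngrok usage described above, written as an added example for defenders (it is not code from the article or from Trend Micro). It lists processes, services and scheduled tasks that reference ngrok and checks ngrok's default config locations; `$pattern` and `$hits` are names chosen here.

```powershell
# Added example: hunt for ngrok tunnels on a Windows host. Run with admin rights.
$pattern = 'ngrok'
$hits = @()

# 1. Running processes, with full command line (a tunnel is launched as
#    e.g. "ngrok tcp 3389" or "ngrok http 80").
foreach ($proc in Get-CimInstance Win32_Process) {
    if ($proc.Name -match $pattern -or $proc.CommandLine -match $pattern) {
        $hits += [pscustomobject]@{ Kind = 'Process'; Id = $proc.ProcessId; Detail = $proc.CommandLine }
    }
}

# 2. Services whose binary path references ngrok (ngrok can install itself as a service).
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.PathName -match $pattern) {
        $hits += [pscustomobject]@{ Kind = 'Service'; Id = $svc.Name; Detail = $svc.PathName }
    }
}

# 3. Scheduled tasks whose action executes ngrok (a common persistence choice).
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Kind = 'Task'; Id = $task.TaskName; Detail = $cmd }
        }
    }
}

# 4. ngrok's default per-user config (holds the authtoken that ties the tunnel to
#    the operator's ngrok account): v2 used .ngrok2\ngrok.yml, v3 uses AppData\Local\ngrok\ngrok.yml.
foreach ($profile in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in @('.ngrok2\ngrok.yml', 'AppData\Local\ngrok\ngrok.yml')) {
        $cfg = Join-Path $profile.FullName $rel
        if (Test-Path -LiteralPath $cfg) {
            $hits += [pscustomobject]@{ Kind = 'Config'; Id = $profile.Name; Detail = $cfg }
        }
    }
}

$hits | Format-Table -AutoSize
if ($hits.Count -gt 0) { Write-Warning "$($hits.Count) ngrok artefact(s) found; capture the command lines and config before remediating." }
```

A renamed binary will not match on name, so pair this with network telemetry for connections to ngrok's tunnel infrastructure.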

A key aspect of Earth Simnavaz’s operation involves exploiting Microsoft Exchange servers to steal user credentials. By registering a malicious password filter DLL on domain controllers, the group can capture plaintext passwords from users, furthering their ability to compromise sensitive accounts and maintain control over the affected systems.
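A defender's check for the password filter abuse described in this paragraph and the earlier one on the password filter policy, written as an added example (not code from the article or from Trend Micro). It audits the LSA Notification Packages value on a domain controller and flags any DLL that is missing, unsigned, not Microsoft-signed, or absent from a baseline; `$allowListed` is an assumed baseline to adjust to your own build.

```powershell
# Added example: audit LSA password filter DLLs. Run as admin on a domain controller.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# "Notification Packages" is a REG_MULTI_SZ of DLL base names (no ".dll") that LSASS
# loads at boot; each may export PasswordFilter/PasswordChangeNotify and so sees
# every new plaintext password, which is exactly what the attackers rely on.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

# Assumed baseline: the Microsoft packages normally present on a DC. Add any
# third-party filter you have deliberately deployed.
$allowListed = @('scecli', 'rassfm')

$findings = foreach ($pkg in $packages) {
    if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
    $dllPath = Join-Path $env:SystemRoot "System32\$pkg.dll"
    $exists  = Test-Path -LiteralPath $dllPath
    $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }
    $signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $inBase  = $allowListed -contains $pkg

    [pscustomobject]@{
        Package    = $pkg
        Path       = $dllPath
        Exists     = $exists
        SigStatus  = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer     = $signer
        Baseline   = $inBase
        # Anything off-baseline, missing, badly signed or not Microsoft-signed needs review.
        Suspicious = (-not $inBase) -or (-not $exists) -or
                     ($sig -and $sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning 'Unrecognised password filter DLL(s) registered with LSA. Collect the file and registry timestamps before removal.'
}
```

Because LSASS only loads the list at boot, a freshly added entry will not yet be active; alert on changes to this value as well as auditing its current contents.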

[Figure: The backdoor sending emails. | Source: Trend Micro]

The stolen credentials are then used to exfiltrate data through legitimate email channels, often sending the data as attachments to accounts controlled by the attackers.

This tactic increases the likelihood of a successful attack and complicates detection efforts, as the malicious traffic blends in with regular network activity.

Researchers also discovered that Earth Simnavaz’s recent activity has overlapped with another Iranian APT group, FOX Kitten. Both groups share similar tactics and have been linked to ransomware attacks targeting organisations in the U.S. and the Middle East.

The close alignment between these two groups raises concerns about the potential for more coordinated and impactful attacks, especially as both exploit Microsoft Exchange servers and use tools like ngrok to carry out their operations.

“Intelligence-driven incident response will be essential in effectively managing and mitigating these attacks. While the group’s techniques haven’t evolved drastically, implementing a Zero Trust architecture, alongside mature SOC, EDR, and MDR capabilities, can greatly enhance defensive measures against threats like that posed by Earth Simnavaz,” researchers concluded.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
