Full Report
Researchers at Trend Micro identified cyberattacks by Earth Simnavaz (also known as APT34 or OilRig), targeting UAE and Gulf region entities. The group exploits vulnerabilities, including CVE-2024-30088, to escalate privileges and deploy backdoors via Microsoft Exchange server...
Analysis Summary
# Threat Actor: Earth Simnavaz
## Attribution & Identity
* **Primary Name:** Earth Simnavaz
* **Known Aliases:** APT34, OilRig
## Activity Summary
Trend Micro researchers identified recent cyberattacks attributed to Earth Simnavaz targeting entities within the UAE and the broader Gulf region. The group is observed exploiting vulnerabilities for initial access, leading to privilege escalation and the deployment of backdoors on compromised Microsoft Exchange servers.
## Tactics, Techniques & Procedures
* **Vulnerability Exploitation:** Exploiting flaws such as CVE-2024-30088.
* **Privilege Escalation:** Actions taken to gain higher-level access post-exploitation.
* **Initial Access Vector:** Targeting and exploiting vulnerabilities in Microsoft Exchange servers.
* **Credential Theft:** Stealing user credentials.
* **Persistence:** Utilizing various methods to maintain access.
* **Covert Control:** Employing tools such as ngrok for covert command and control.
* **Associated Techniques:** Use of PowerShell scripts, .NET malware, and IIS-based threats.
## Targeting
* **Sectors:** Governmental and critical infrastructure sectors.
* **Geography:** UAE and Gulf region entities.
* **Victims:** Entities within the UAE and Gulf region.
## Tools & Infrastructure
* **Malware Families Used:** .NET malware.
* **Infrastructure/Tools:**
  * ngrok (used for covert remote management/C2)
  * PowerShell scripts
  * IIS-based threats
## Implications
Earth Simnavaz poses a persistent and significant threat to regional governmental and critical infrastructure organizations because of its demonstrated ability to exploit zero-day or recently disclosed vulnerabilities (such as CVE-2024-30088) to gain deep access through widely used enterprise infrastructure (Microsoft Exchange). The group's objective is likely espionage and data exfiltration, as indicated by its credential theft activity.
## Mitigations
* Prioritize patching and mitigating identified vulnerabilities, especially CVE-2024-30088, on all Microsoft Exchange deployments immediately.
* Monitor for anomalous activity indicative of PowerShell script execution or unauthorized use of IIS components.
* Implement robust network monitoring to detect and block communication associated with remote management tools like ngrok.
* Strengthen credential hygiene and monitor for credential theft activities across the network perimeter.
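As an added example (not code from the Trend Micro report or from the actor's tooling), a small Python triage that applies the monitoring points above to constructed process-creation records shaped like Sysmon Event ID 1 fields: an IIS worker process spawning a shell, ngrok being executed, and PowerShell launched with an encoded command. The sample paths, the rule names and the encoded-command heuristic are assumptions made for this illustration, not indicators taken from the report.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 fields
# (Image, ParentImage, CommandLine). Made up for this example; not IoCs
# from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "MSExchangeOWAAppPool"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"Image": r"C:\ProgramData\tools\ngrok.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ngrok.exe start --all"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

IIS_WORKER = re.compile(r"\\w3wp\.exe$", re.IGNORECASE)
SHELLS = re.compile(r"\\(powershell|pwsh|cmd)\.exe$", re.IGNORECASE)
NGROK = re.compile(r"ngrok", re.IGNORECASE)
# Assumed heuristic: PowerShell's -e/-ec/-enc/-EncodedCommand switches.
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def detect(events):
    """Return (event_index, rule_name) pairs for events matching a heuristic."""
    hits = []
    for i, ev in enumerate(events):
        image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
        # Rule 1: IIS worker process spawning a shell, typical of an IIS-based
        # threat such as a web shell on an Exchange server.
        if IIS_WORKER.search(parent) and SHELLS.search(image):
            hits.append((i, "iis_worker_spawned_shell"))
        # Rule 2: ngrok executed or referenced, i.e. a covert remote
        # management tunnel that network monitoring should also catch.
        if NGROK.search(image) or NGROK.search(cmd):
            hits.append((i, "ngrok_tunnel"))
        # Rule 3: PowerShell started with an encoded command line.
        if SHELLS.search(image) and ENCODED_PS.search(cmd):
            hits.append((i, "powershell_encoded_command"))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

In production the same rules would run over real Sysmon or EDR telemetry; the w3wp.exe-to-shell rule in particular is a high-signal alert on an Exchange host because its IIS worker should never launch PowerShell or cmd.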