Photo credit: www.csoonline.com
Recent investigations have linked a series of intrusions attributed to OilRig to the group's use of ngrok. ngrok is not a remote monitoring and management product; it is a tunnelling utility that publishes a local port on an attacker-reachable endpoint over an outbound TLS connection to ngrok's cloud service, which lets the attackers reach internal hosts without opening any inbound firewall port. That tunnel played a central role in the operations described below.
Sensitive data exfiltration through Windows vulnerabilities
The attacks follow a consistent pattern. The initial foothold is a poorly protected, internet-facing web server hosting a public application. After planting a web shell on it, the attackers use the shell to run PowerShell commands and to upload and download files. Through that same shell they fetch ngrok onto the server and tunnel through it to other internal hosts, which is how they move laterally across the network.
The primary target was the domain controller, the server that holds the Active Directory database and authenticates every account and enforces permissions within a Windows domain. A web shell alone runs with the privileges of the web server's worker process, so the attackers needed a privilege escalation. According to Trend Micro, that step was CVE-2024-30088, a Windows kernel elevation-of-privilege vulnerability. The exploit binary was loaded with RunPE-In-Memory, an open-source tool that runs a PE executable directly from memory instead of writing it to disk, which keeps the exploit out of file-based scanning. With elevated privileges on the compromised host the attackers had full control of it and could proceed toward the domain controller.
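The chain above (a web-server worker spawning PowerShell, then ngrok fetched and run through the shell) leaves a distinctive trace in process-creation telemetry. The following is an added example, not code from the original article or from Trend Micro's report: a small Python hunt over constructed Sysmon Event ID 1-style records that flags a web-server worker spawning a shell, encoded PowerShell, an ngrok binary, ngrok's command-line grammar when the binary has been renamed, and a tunnel that exposes RDP. The worker-process list, the field names and the sample events are all assumptions constructed for the example.

```python
"""Hunt for the web shell -> PowerShell -> ngrok chain in process-creation events.

Each event is a dict with the fields a Sysmon Event ID 1 record carries
(ParentImage, Image, CommandLine).  The events at the bottom are constructed
for this example; they are not real telemetry.
"""
import re
from typing import Dict, List, Tuple

# Worker processes of common web servers (assumed list).  A shell spawned by one
# of these is the classic web-shell signature: the application itself has no
# reason to start cmd.exe or powershell.exe.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# ngrok's own CLI grammar: "ngrok tcp 3389", "ngrok http 80",
# "ngrok config add-authtoken <tok>" or the legacy "ngrok authtoken <tok>".
# Matching on the arguments still fires when the binary has been renamed.
NGROK_TUNNEL = re.compile(r"\b(tcp|http|tls)\s+(\d{1,5}|\S+:\d{1,5})\b", re.I)
NGROK_TOKEN = re.compile(r"\b(add-)?authtoken\b", re.I)
# PowerShell accepts any unique prefix of -EncodedCommand.
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of indicators that fire on one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    findings: List[str] = []

    # Stage 1: web shell running commands under the web server's worker.
    if parent in WEB_WORKERS and image in SHELLS:
        findings.append("webshell_spawned_shell")
        if ENCODED_PS.search(cmd):
            findings.append("encoded_powershell")

    # Stage 2: ngrok on the box, by file name or by command-line grammar.
    if image == "ngrok.exe":
        findings.append("ngrok_binary")
    elif NGROK_TUNNEL.search(cmd) or NGROK_TOKEN.search(cmd):
        findings.append("ngrok_cmdline_renamed_binary")

    # Stage 3: the tunnel publishes RDP, the usual lateral-movement path.
    m = NGROK_TUNNEL.search(cmd)
    if m and m.group(2).rsplit(":", 1)[-1] == "3389":
        findings.append("rdp_exposed_via_tunnel")
    return findings


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every event that triggered at least one indicator."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Temp\ngrok.exe",
     "CommandLine": "ngrok.exe tcp 3389"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\svchost.exe",          # renamed ngrok binary
     "CommandLine": "svchost.exe config add-authtoken 2AbCdEfGhIjKlMnOpQrStUvWxYz"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",   # benign: ASP.NET compile
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\abc123.cmdline"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(found))
```

The w3wp.exe to csc.exe event is included deliberately: ASP.NET compiles pages through csc.exe under the worker, so a rule that fires on any child of w3wp.exe would be noisy; restricting the parent-child rule to interactive shells keeps that benign case quiet while the encoded PowerShell launched from the same worker is still caught. Renamed binaries are handled by matching ngrok's argument grammar instead of the file name, which is the check a practitioner would want given that the tool is dropped into writable directories like C:\Windows\Temp.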
Source: www.csoonline.com