Blog | 3-minute Read

Striking OilRig: Drilling into APT34's latest threats and defence strategies

Ellis Southan

Threat Detection Engineer

Published: 29 October 2024

APT34, aka OilRig, is intensifying attacks on critical infrastructure and industries. This article covers their latest tactics and offers strategies for security teams to defend effectively.

For more than a decade, APT34, also known as OilRig, has been on the global radar as an Advanced Persistent Threat (APT) group with suspected ties to the Iranian government. Since 2014, they’ve been relentlessly targeting high-risk sectors like financial institutions, energy companies, telecommunications, and critical national infrastructure (CNI).

While their main focus has been the Gulf region, their ambitions have expanded, with attacks reaching Europe and the USA.

Recent industry intelligence shows that APT34 is escalating efforts against CNI and government resources. As their tactics evolve, it’s crucial for security operations (SOC) teams to stay one step ahead, keeping defences adaptable and proactive to counter these growing threats.

New tactics and evolving campaigns

APT34 have been adapting their methods, continually evolving to stay ahead of security defences. Below, we outline some of their latest tactics and how they’re enhancing their capabilities.

Targeting critical infrastructure

APT34 is increasing its focus on high-value targets, particularly critical infrastructure in the Gulf region.

They’ve intensified campaigns targeting key infrastructure sectors like energy and government resources, reflecting an escalated intent to disrupt crucial operations.

Using web shells for initial access

APT34 uses web shells as a gateway into target networks, leveraging server vulnerabilities.

Their recent campaigns exploit vulnerable web servers to deploy web shells, allowing remote control and providing a persistent foothold within the compromised environment.

Leveraging PowerShell for stealthy movement

APT34 relies on PowerShell to blend into legitimate administrative activity within networks.

Once they gain a foothold, APT34 uses PowerShell to move laterally, taking advantage of its legitimacy as a powerful system tool to avoid detection by traditional security measures.

Exploiting the CVE-2024-30088 vulnerability

APT34 quickly adapts to leverage new vulnerabilities, such as CVE-2024-30088, for privilege escalation.

This vulnerability allows them to escalate their privileges to SYSTEM level, giving them full control over affected systems. Despite a patch being available since June 2024, many organisations remain vulnerable.

StealHook backdoor and evolving credential theft tactics

APT34’s credential theft techniques have evolved from DLL-based password capture to sophisticated backdoors.

They have moved from using a password-filter DLL for capturing plaintext passwords to deploying the StealHook backdoor, which targets Microsoft Exchange servers to harvest credentials and exfiltrate data stealthily.

Social engineering through LinkedIn

APT34 continues to use social engineering, often targeting professionals via LinkedIn.

They create fake profiles to impersonate recruiters or professionals, using convincing tactics to trick targets into clicking malicious links or opening compromised documents.

APT34 have been adapting their methods, continually evolving to stay ahead of security defences.

Ellis Southan, Threat Detection Engineer, Kocho

Keep pace with the latest security threats

How security teams can defend against APT34

To effectively combat APT34, security teams need to understand and address their evolving tactics with a proactive and layered defence strategy.

Patch, patch, patch

The exploitation of CVE-2024-30088 underscores the importance of staying current with software updates.

Security teams should prioritise applying patches as soon as they’re released, especially those marked as high severity, to reduce the risk of attackers using known vulnerabilities to gain access.

Monitor PowerShell activity closely

PowerShell is a valuable tool for IT administrators, but it’s also a favourite for attackers due to its capabilities and legitimacy.

Set up monitoring to detect unusual PowerShell usage—especially scripts that appear obfuscated or commands attempting to download external files. These can often be early indicators of malicious activity.

Strengthen defences on public-facing web servers

Web shells are a common method for gaining initial access, often through exploiting vulnerable public-facing web applications.

Regular vulnerability assessments and penetration testing can help identify and address weaknesses in your external web infrastructure before attackers can exploit them. Additionally, implementing Web Application Firewalls (WAFs) can help prevent malicious requests from reaching your servers.

Secure Exchange servers and email communications

Given APT34’s focus on Microsoft Exchange servers, it’s crucial to harden these environments.

Apply the latest patches, restrict unnecessary access, and enable multi-factor authentication (MFA) for all administrative accounts. Monitoring email activity for anomalies can also help detect early signs of compromise, such as unauthorised logins or unusual data transfers.

Educate users on social engineering risks

APT34’s use of LinkedIn to conduct phishing campaigns highlights the importance of user education.

Conduct regular training sessions to make users aware of social engineering tactics, including suspicious job offers or unsolicited messages. Teaching users to spot the signs of phishing can add a crucial layer of defence.

Establish a robust incident response plan

Even with strong defences, breaches can still happen. Having a well-prepared incident response plan ensures that your organisation can react quickly to contain and mitigate an attack.

This plan should include detailed steps for identifying the scope of an incident, isolating affected systems, and restoring operations while keeping stakeholders informed.

In summary

APT34 remains a highly active and adaptable adversary, evolving their tactics to focus more on critical infrastructure and key sectors across the Gulf, Europe, and the United States.

Understanding their attack techniques, from exploiting vulnerabilities like CVE-2024-30088 to using social engineering through LinkedIn, can help security teams develop effective defences.

By prioritising patch management, monitoring PowerShell and email systems, and training employees on social engineering, organisations can stay ahead of APT34’s tactics.

Remember, resilience in cybersecurity isn’t just about having the right tools. It’s about having the right strategy to detect, defend, and respond to ever-evolving threats.

Key takeaways

APT34 is targeting critical infrastructure, primarily focused on the Gulf region but also reaching into Europe and the USA.
APT34’s sophisticated campaigns use web shells for initial access and leverage PowerShell for stealthy movement, making detection challenging.
APT34 exploits vulnerabilities like CVE-2024-30088 for privilege escalation, making prompt patching critical.
Credential theft methods now include the StealHook backdoor, targeting Exchange servers.
Social engineering via LinkedIn remains a key tactic, highlighting the need for user training.
Vulnerability assessments and pen testing are vital to finding entry points before attacks.
A solid incident response plan helps contain APT34 attacks and speed up recovery.

Want to know more?

If you’d like to understand more about how Kocho SecOps provides continual monitoring, proactive threat hunting, and rapid response to emerging incidents, reach out to our team for a detailed consultation.

And please join our mailing list for the latest cyber security news, technology updates, and regular tips to keep protected against advanced threats.