The OilRig APT commonly uses social engineering and exploits software vulnerabilities in its victims' systems. However, Kaspersky experts noticed the group has updated its arsenal, resorting to more persistent and stealthier ways of infiltrating its targets through third-party IT companies.
During an ongoing investigation that started in late 2022, Kaspersky experts discovered that the APT group has executed PowerShell scripts to gain access to terminal servers at IT companies in the region to collect credentials and sensitive data about their targets. The group used the stolen information to infiltrate their targets and deploy malware samples that relied on Microsoft Exchange Web Services to perform Command & Control (C2) communications, and steal data. The investigated malware appeared to be a variant of an older malware used by the threat actor.
To ensure persistent, stealthy access, the group deployed a new DLL-based password filter, which enabled them to intercept local and domain password changes. This allowed the attackers to receive updated passwords along with other stolen sensitive data, sent from their targets' email services to attacker-controlled Protonmail and Gmail addresses.
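The password-filter technique described above relies on a documented Windows mechanism: the Local Security Authority loads every DLL named in the REG_MULTI_SZ value "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (from %SystemRoot%\System32, name without the .dll extension) and calls it on each password change. A defender can therefore audit that value directly. The following PowerShell check is an added example and is not code from Kaspersky's report; the baseline list of expected package names (scecli, rassfm) is an assumption that should be adjusted to the environment's own known-good configuration.

```powershell
# Audit LSA "Notification Packages" for unexpected password-filter DLLs.
# Added defender example; not Kaspersky's code. Run elevated on domain controllers
# and on any server whose local accounts matter (e.g. terminal servers).
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumption: typical default entries on a domain controller. Tune for your estate.
$baseline = @('scecli', 'rassfm')

$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' `
                -ErrorAction SilentlyContinue).'Notification Packages'
if (-not $packages) {
    Write-Output "No 'Notification Packages' value present under $lsaKey"
    return
}

foreach ($name in $packages) {
    # LSA resolves each entry to <name>.dll in System32.
    $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
    $status  = if ($baseline -contains $name) { 'baseline' } else { 'UNEXPECTED' }

    # A password filter that is not Microsoft-signed, or whose file is missing,
    # deserves investigation either way.
    $signature = if (Test-Path -LiteralPath $dllPath) {
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        "$($sig.Status) / $($sig.SignerCertificate.Subject)"
    } else {
        'file-missing'
    }

    [pscustomobject]@{
        Package   = $name
        Path      = $dllPath
        Status    = $status
        Signature = $signature
    }
}
```

Any entry reported as UNEXPECTED, unsigned, or signed by a non-Microsoft publisher should be correlated with the DLL's creation time and the account that wrote the registry value; monitoring that value for changes (for example via Sysmon registry events) turns this one-off audit into a standing detection.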
“OilRig has taken the meaning of ‘stealth mode’ to the next level with its complex and heavily modified tactics, techniques, and procedures to exploit third-party IT companies. It is evident from our investigation that third-party attacks are stealthier, agile and remain undetected in comparison to other tactics, posing a grave risk to the functioning of government entities in this region. The radical shift to infiltrate IT companies that are part of a supply chain is an indication that regional government entities are stepping up their cybersecurity game, driving APT groups to think out of the box,” said Maher Yamout, Senior Security Researcher at Kaspersky.
Kaspersky researchers recommend that governments and businesses follow the tips below to protect themselves from falling victim to third-party supply chain attacks:
· Invest in and build a holistic, well-integrated cybersecurity approach that protects data and assets beyond the perimeter of your organization.
· Leveraging threat intelligence is key. Using solutions like the Kaspersky Threat Intelligence Portal can equip IT teams with real-time data and insights and provide access to a rich source of expertise to build a strong defense.
· Your cyber defense is only as strong as your employees, who are the first line of defense. Arm them with the right knowledge through solutions like the Kaspersky Automated Security Awareness Platform, which automates cyber-awareness training for companies of any size.
· Back up your data regularly and scan the backups from time to time to verify their integrity.