Earth Simnavaz (APT34) Targeting UAE and Gulf Regions

Type

Campaign

Actors

APT34

Pub. date

October 11, 2024

Initial access

1-day vulnerability

Impact

Data exfiltration

Observed techniques

Vulnerability exploitation Credential theft

Observed tools

ngrok

Targeted technologies

Microsoft Exchange

References

https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html

Status

Finalized

Last edited

Oct 14, 2024 11:28 AM

Researchers at Trend Micro identified cyberattacks by Earth Simnavaz (also known as APT34 or OilRig), targeting UAE and Gulf region entities. The group exploits vulnerabilities, including CVE-2024-30088, to escalate privileges and deploy backdoors via Microsoft Exchange servers. Using tools like .NET malware, PowerShell scripts, and IIS-based threats, they aim to steal sensitive credentials and maintain persistence. The attackers leverage the remote management tool ngrok for covert control, posing ongoing risks to governmental and critical sectors.