Iranian hackers have been hacking VPN servers to plant backdoors in companies around the world
Iran-linked attackers targeted Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs to hack into large companies as part of the Fox Kitten Campaign.
During the last quarter of 2019, experts from security firm ClearSky uncovered a hacking campaign, tracked as the Fox Kitten Campaign, that has been ongoing for the last three years.
The campaign targeted dozens of companies and organizations in Israel and around the world. Experts pointed out that the most successful and significant attack vector used by the Iranian hackers was the exploitation of unpatched VPN and RDP services.
Iran-linked hackers have targeted companies from different sectors, including IT, telecommunications, oil and gas, aviation, government, and security.
“This attack vector is not used exclusively by the Iranian APT groups; it became the main attack vector for cybercrime groups, ransomware attacks, and other state-sponsored offensive groups.” reads the report published by ClearSky.
“We assess this attack vector to be significant also in 2020 apparently by exploiting new vulnerabilities in VPNs and other remote systems (such as the latest one existing in Citrix). Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time, starting from several hours to a week or two.”
Experts explained that Iranian hackers have focused their interest on 1-day flaws and developed a significant capability in building working exploits for them, which were then employed in their operations.
ClearSky confirms that Iranian APT groups in some cases exploited VPN vulnerabilities within hours after their public disclosure.
The investigation into the Fox Kitten Campaign revealed an overlap, with medium-high probability, between the infrastructure used by the attackers and the infrastructure associated with attacks carried out by other Iran-linked APT groups, such as APT34, APT33, and APT39.
In 2019, Iran-linked APT groups were able to quickly exploit the vulnerabilities in the Pulse Secure “Connect” VPN (CVE-2019-11510), the Fortinet FortiOS VPN (CVE-2018-13379), and Palo Alto Networks “Global Protect” VPN (CVE-2019-1579).
The attacks exploiting the above issues were initially detected at the end of August; more recently, Iran-linked hackers have also employed exploits for CVE-2019-19781, the Citrix “ADC” VPN flaw, in their attacks.
Attackers exploit the VPN flaws to access enterprise networks, infect systems with a backdoor, and from there move laterally to compromise other computers on the internal network.
After the attackers have exploited vulnerabilities in the VPN systems to breach the target network, they perform several actions and use multiple tools to maintain their foothold in the network with high privileges.
The list of privilege escalation tools used by hackers includes ‘Juicy Potato,’ Procdump, Mimikatz, and Sticky Keys.
The threat actors also used legitimate software like Putty, Plink, Ngrok, Serveo, or FRP in their attacks.
ClearSky also reported the use of the following custom-made malware:
- STSRCheck – Self-developed tool for mapping databases and open ports.
- POWSSHNET – Self-Developed Backdoor malware – RDP over SSH Tunneling.
- VBScript – download TXT files from the command-and-control (C2 or C&C) server and unify these files to a portable executable file.
- Socket-based backdoor over cs.exe – An exe file used to open a socket-based connection to a hardcoded IP address.
- Port.exe – Tool to scan predefined ports on an IP address.
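The RDP-over-SSH tunneling used by POWSSHNET (and by the Plink, Ngrok, Serveo and FRP tooling mentioned above) leaves a distinctive trace on the RDP host: the RemoteInteractive logon arrives from the loopback address rather than from the real client. The script below is an added example, not code from the ClearSky report; it assumes Windows Security events exported as JSON lines with the field names shown, and the sample records are constructed.

```python
"""Flag RDP logons whose source address is loopback, the signature of RDP
forwarded through a local SSH/Plink/Ngrok-style tunnel endpoint.

Assumption (not from the report): Security events are available as JSON lines
with the fields used in SAMPLE_EVENTS, which are constructed here."""
import json

LOOPBACK = {"127.0.0.1", "::1"}
RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive (RDP / Terminal Services)

# Constructed sample events: a normal RDP logon from the LAN, two RDP logons
# sourced from loopback on the same server, and an unrelated network logon.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.23",
                "TargetUserName": "alice", "Computer": "WS01",
                "TimeCreated": "2019-09-02T08:15:00Z"}),
    json.dumps({"EventID": 4624, "LogonType": 10, "IpAddress": "127.0.0.1",
                "TargetUserName": "svc_backup", "Computer": "SRV-DB01",
                "TimeCreated": "2019-09-02T02:41:17Z"}),
    json.dumps({"EventID": 4624, "LogonType": 3, "IpAddress": "10.0.0.50",
                "TargetUserName": "bob", "Computer": "WS02",
                "TimeCreated": "2019-09-02T08:16:00Z"}),
    json.dumps({"EventID": 4624, "LogonType": 10, "IpAddress": "::1",
                "TargetUserName": "Administrator", "Computer": "SRV-DB01",
                "TimeCreated": "2019-09-02T02:45:02Z"}),
])


def find_tunneled_rdp_logons(event_lines):
    """Return (time, computer, user, source) for successful RDP logons (4624,
    LogonType 10) whose source address is loopback.  A genuine RDP session
    carries the client's real address; loopback means the session was
    forwarded through a tunnel terminating on the host itself.  Treat hits as
    triage candidates: correlate with the tunnel process (plink, ngrok, frp)."""
    hits = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        if ev.get("IpAddress") in LOOPBACK:
            hits.append((ev["TimeCreated"], ev["Computer"],
                         ev["TargetUserName"], ev["IpAddress"]))
    return sorted(hits)  # chronological order for the analyst


if __name__ == "__main__":
    for hit in find_tunneled_rdp_logons(SAMPLE_EVENTS):
        print("tunneled RDP logon:", hit)
```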
The attacks that are part of the Fox Kitten Campaign observed by ClearSky aimed to gather information on the target networks and plant backdoors, but experts fear that once inside the target infrastructure the hackers could deploy data wipers (e.g. ZeroCleare and Dustman) in future attacks.
Further technical details on the Fox Kitten Campaign, including indicators of compromise (IOCs), are reported in the analysis published by ClearSky.