Iranian Hackers Exploit Enterprise VPN Flaws to Backdoor Organisations Worldwide

Cyber Warfare Asia
3 min read · Mar 3, 2020


Over the past three years, Iranian state-sponsored hackers have compromised many enterprises in Israel and around the world, cybersecurity researchers say.

The Iranian espionage campaign, dubbed ‘Fox Kitten’, is reported to have targeted organisations in the telecommunications, IT, government, aviation, oil and gas, and security sectors.

ClearSky researchers describe it as one of the most comprehensive and continuous Iranian campaigns revealed so far. Specifically, the campaign served as the platform from which destructive wiper malware such as Dustman and ZeroCleare was deployed and spread.

Attributing the activity to the Iranian hacking groups APT33, APT34 and APT39, the researchers say the attackers compromised many organisations by exploiting VPN vulnerabilities. These groups also used the access they gained to help other groups steal sensitive information and to mount supply-chain attacks.

Compromising Corporate Networks via VPN Flaws

The primary initial attack vector used by the Iranian groups was the exploitation of unpatched VPN vulnerabilities at the targeted companies, in order to get inside and steal sensitive information. The exploited products were Palo Alto Networks GlobalProtect (CVE-2019-1579), Pulse Secure Pulse Connect Secure (CVE-2019-11510), Citrix ADC and Gateway (CVE-2019-19781), and Fortinet FortiOS SSL VPN (CVE-2018-13379). All four are reachable from the internet without credentials; the Pulse Secure and FortiOS flaws in particular let an attacker read session and credential files straight off the appliance, which turns a file-read bug into valid VPN logins.
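Three of the four flaws above are path-traversal style bugs whose exploitation leaves a recognisable request line in the VPN appliance's or reverse proxy's access log, so a defender can go back through historical logs and check whether the window between disclosure and patching was actually used. The script below is an added example, not ClearSky's or any vendor's detection logic: it parses combined-format access log lines, URL-decodes the request path (so `%2e%2e/` encoding does not evade the match), and flags requests matching simplified public indicators for CVE-2019-11510, CVE-2019-19781 and CVE-2018-13379. The log format and the sample lines are constructed for the example, and the indicator regexes are assumptions that cover the commonly seen exploit URLs, not complete signatures.

```python
"""Scan access logs for exploitation indicators of the VPN flaws named above.

Added example; not code from ClearSky or the affected vendors.  The log
format (Apache combined) and SAMPLE_LOG are constructed, and the regexes are
simplified indicators assumed from the publicly known exploit URLs.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# CVE -> (description, indicator).  Matched against the URL-decoded path.
# CVE-2019-1579 (GlobalProtect) is deliberately absent: the format string
# travels in a POST body parameter, which never appears in a request line.
INDICATORS = {
    "CVE-2019-11510": (
        "Pulse Connect Secure arbitrary file read",
        re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/\.\./"),
    ),
    "CVE-2019-19781": (
        "Citrix ADC/Gateway directory traversal",
        re.compile(r"/vpn/\.\./vpns/|/vpns/portal/scripts/newbm\.pl"),
    ),
    "CVE-2018-13379": (
        "FortiOS SSL VPN path traversal",
        re.compile(r"/remote/fgt_lang\?lang=.*(\.\./|/dev/cmdb/sslvpn_websession)"),
    ),
}

# Constructed sample lines: two benign requests and four exploitation attempts.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:08:12:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2020:08:12:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2048
198.51.100.23 - - [11/Jan/2020:13:40:33 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 1300
198.51.100.23 - - [11/Jan/2020:13:40:41 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 120
192.0.2.77 - - [12/Jan/2020:02:03:14 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 8700
192.0.2.10 - - [12/Jan/2020:02:05:00 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 3400
"""


def decode_path(raw):
    """URL-decode twice so single- and double-encoded traversal sequences
    (%2e%2e/ and %252e%252e/) both normalise to the literal '../'."""
    return unquote(unquote(raw))


def scan_log(text):
    """Return one hit dict per (line, CVE) match, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip it
        path = decode_path(m.group("path"))
        status = int(m.group("status"))
        for cve, (desc, pattern) in INDICATORS.items():
            if pattern.search(path):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "method": m.group("method"),
                    "cve": cve,
                    "desc": desc,
                    "status": status,
                    "path": m.group("path"),
                    # A 2xx on a traversal request means the file was served,
                    # so treat it as a likely successful read, not a mere probe.
                    "outcome": "likely_success" if 200 <= status < 300 else "attempt",
                })
    return hits


def attackers(hits):
    """Group hits by source IP -> sorted list of distinct CVEs triggered."""
    by_ip = defaultdict(set)
    for h in hits:
        by_ip[h["ip"]].add(h["cve"])
    return {ip: sorted(cves) for ip, cves in by_ip.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["cve"]} {h["outcome"]} {h["method"]} {h["path"]}')
    print(attackers(found))
```

Two caveats when running this against real logs. First, a hit with a 2xx status on a Pulse Secure or FortiOS traversal means credentials or session data probably left the box, so the response is to rotate VPN credentials and invalidate sessions, not only to patch. Second, because the GlobalProtect bug (CVE-2019-1579) lives in a POST parameter of the `/sslmgr` endpoint, request-line matching cannot see it; that one needs full request capture or firewall threat logs.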

Using well-developed offensive capabilities, the state-backed Iranian hackers gained access to their targets’ core systems, dropped malware, and spread it across the network, ClearSky says. The UAE is among the countries targeted: of the roughly 50 organisations hit by the Iranian hackers, several are UAE institutions.

Once the initial foothold was established, the compromised systems kept in contact with the attackers’ command-and-control (C2) servers. Over that channel they downloaded a number of custom VBScript files, which were then used to plant backdoors inside the organisations.

To carry out these tasks and maintain persistence, the Iranian groups used open-source tools such as Invoke-TheHash (pass-the-hash over PowerShell) and JuicyPotato (Windows local privilege escalation that abuses impersonation privileges) to obtain elevated privileges and move laterally through the network. They also developed their own tools, including Port.exe and STSRCheck.

Not only this: the hackers also deployed web shells to communicate with the targets’ internal servers and to transfer files to and from the C2 server directly.

Multiple Iranian Groups Working Together

Three Iranian groups, APT34 (“OilRig”), APT33 (“Elfin”) and APT39 (“Chafer”), are the main actors behind the reported attacks on VPN servers. The researchers also state that the campaign is the outcome of growing collaboration among these groups on shared infrastructure, citing many similarities in the working methods and tools of the three.

Because these groups have exploited newly disclosed VPN flaws within 24 hours, organisations are strongly advised to apply vendor security patches to internet-facing network devices without delay.

Beyond the principle of least privilege, it is crucial to keep critical systems patched and continuously monitored. Two-factor authentication on VPN logins helps to minimise unauthorised access, although it does not stop an attacker who has already lifted a live session from the appliance through one of the flaws above, so patching comes first.


Written by Cyber Warfare Asia

Providing news related to state sponsored cyber warfare in Asia
