20 February 2020

Iranian hacking campaign backdoors corporate networks via enterprise VPN servers

Over the last three years dozens of companies working across IT, telecoms, oil and gas, aviation and defense industries have been targeted in a worldwide hacking campaign focused on reconnaissance and planting backdoors to create a “long-lasting foothold” in the target companies. The attacks involved some of the enterprise VPN vulnerabilities disclosed last year, a new ClearSky research report reveals.

The researchers believe the campaign, which they call the “Fox Kitten Campaign”, is most likely the joint effort of three Iran-linked APT groups: APT33 (Elfin), APT34 (OilRig) and APT39 (Chafer).

Last year, Iranian groups were quick to make use of vulnerabilities disclosed in the Fortinet FortiOS VPN (CVE-2018-13379), the Pulse Secure "Connect" VPN (CVE-2019-11510) and the Palo Alto Networks "GlobalProtect" VPN (CVE-2019-1579). The attacks against these systems began last summer and have continued into 2020.

“Upon gaining a foothold at the target, the attackers tried to maintain the access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets,” the report noted.
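A detection heuristic for the RDP-over-SSH-tunneling technique the report describes, added here as an example and not taken from the report or the article: when RDP is reached through an SSH tunnel, the SSH client on the host connects to its own 127.0.0.1:3389, so the Windows Security event 4624 (logon type 10, RemoteInteractive) records a loopback source address instead of a workstation on the LAN. The events are constructed sample records in a simplified dict form (field names follow the 4624 event XML), not parsed EVTX.

```python
# Added example: flag successful RDP (RemoteInteractive) logons whose source
# address is loopback, a common artefact of RDP tunneled over SSH.
# The sample events are constructed and mirror Security event 4624 fields.
import ipaddress
from typing import Dict, Iterable, List

SAMPLE_EVENTS: List[Dict] = [  # constructed, not real telemetry
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "127.0.0.1", "WorkstationName": "FILESRV01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.20.30.41", "WorkstationName": "JDOE-LAPTOP"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "admin",
     "IpAddress": "127.0.0.1", "WorkstationName": "FILESRV01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "::1", "WorkstationName": "FILESRV01"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "127.0.0.1", "WorkstationName": "FILESRV01"},
]


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; '-' or unparsable values are not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_tunneled_rdp(events: Iterable[Dict]) -> List[Dict]:
    """Return successful RemoteInteractive logons (4624, type 10) from loopback.

    Failed logons (4625) and interactive console logons (type 2) are ignored:
    only an established RDP session via the local tunnel endpoint is of interest.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue
        if is_loopback(str(ev.get("IpAddress", "-"))):
            hits.append({"user": ev["TargetUserName"],
                         "host": ev["WorkstationName"],
                         "source": ev["IpAddress"]})
    return hits


if __name__ == "__main__":
    for h in find_tunneled_rdp(SAMPLE_EVENTS):
        print(f"suspicious RDP logon: {h['user']} on {h['host']} from {h['source']}")
```

Loopback RDP logons also occur with legitimate local tunnels or jump tooling, so the hit list is a triage queue to correlate with SSH client processes on the host, not a verdict on its own.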

The researchers say that the attackers used the campaign infrastructure to develop and maintain access routes to the targeted organizations, steal valuable data, maintain a long-lasting foothold on the targeted systems and compromise other companies via supply-chain attacks.

To conduct the attacks the threat actors used a variety of tools, mainly based on open-source code, but some of them were custom-made malware, such as:

STSRCheck – self-developed tool for mapping databases and open ports.

POWSSHNET – self-developed backdoor malware that tunnels RDP over SSH.

VBScript – downloads TXT files from the command-and-control (C2 or C&C) server and joins these files into a portable executable file.

Socket-based backdoor over cs.exe – an exe file used to open a socket-based connection to a hardcoded IP address.

Port.exe – tool to scan predefined ports on an IP address.

“Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time, starting from several hours to a week or two,” the report noted.

While the goal of this campaign seems to be reconnaissance, there’s a concern that the same attack infrastructure could be used in the future to spread destructive malware like ZeroCleare and Dustman, which have previously been linked to APT34.
