Iranian Hackers Exploited Enterprise VPN Flaws in Major Campaign
Infamous Iranian hacking groups APT33 and APT34 appear to have been working together for the past three years to compromise dozens of organizations worldwide, and their attacks involved some of the enterprise VPN vulnerabilities disclosed last year, ClearSky reports.
Believed to be backed by the Iranian government, APT33 (also called Refined Kitten, Elfin, Magnallium and Holmium) and APT34 (also referred to as OilRig and Greenbug) are known for their cyber-espionage activities targeting various entities in the Middle East, the United States, Europe, and Asia.
Since 2017, the two groups likely collaborated as part of an offensive campaign targeted at numerous companies and organizations from the IT, telecommunications, oil and gas, aviation, government, and security sectors around the world, ClearSky says in a new report (PDF).
The activity, which Dragos recently referred to as Parisite and which ClearSky tracks as the Fox Kitten Campaign, also shows connections with APT39 (also tracked as Chafer), an Iran-based group mainly targeting the telecommunications and travel industries.
The campaign, ClearSky says, focused on gaining and maintaining access to the targeted organizations’ networks, stealing valuable information, establishing a long-lasting foothold at the targeted organizations, and breaching additional companies through supply-chain attacks.
Numerous open-source and self-developed offensive tools were used as part of the operation, along with known security flaws in enterprise VPN services from Pulse Secure, Fortinet and Palo Alto Networks.
These vulnerabilities include CVE-2019-11510 (arbitrary file reading in Pulse Secure), CVE-2018-13379 (system file download in Fortinet FortiOS), and CVE-2019-1579 (arbitrary code execution in Palo Alto Networks VPN). The NSA and the UK’s National Cyber Security Centre (NCSC) warned last year that state-sponsored APTs had been exploiting these flaws.
Following the initial compromise, the attackers deploy tools to maintain access — including opening RDP links over SSH tunneling to hide and encrypt traffic — and to download and execute additional malware to establish their foothold in the network.
“The attackers have performed a routine process of identification, examination, and filtering of sensitive, valuable information from every targeted organization. The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks,” ClearSky reveals.
Self-developed tools employed in the Fox Kitten campaign include STSRCheck (a database and open-port mapping tool), POWSSHNET (a backdoor), a VBScript that downloads TXT files from the C&C server and combines them into a portable executable, a socket-based backdoor, and port.exe (which scans predefined ports and IPs).
Open-source tools the attackers adapted for their use include Invoke-TheHash (PowerShell commands for "Pass the Hash" techniques) and JuicyPotato (a local privilege escalation tool).
Moreover, the hackers employed seemingly legitimate tools in their attacks, including Ngrok, FRP and Serveo (free command-and-control channels), and PuTTY and Plink (remote access services).
ClearSky’s security researchers reveal that, throughout the observed attacks, the hackers did not employ a specific pattern to escalate privileges, steal credentials, move laterally, and ensure persistence.
The main purpose of the campaign, the researchers say, appears to have been information theft. In this regard, the hackers connected through RDP, identified relevant files, and exfiltrated them using POWSSHNET, a socket-based backdoor, and webshells. The hackers also employed three public tools for reverse proxy and SSH forwarding purposes, namely Ngrok, Serveo, and FRP.
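Two of the behaviours described above, RDP carried over a local SSH port-forward and tunnelling binaries such as Plink, Ngrok or FRP reaching out of the network, can be spotted in endpoint network-connection telemetry. The following is an added detection example, not code from ClearSky or the campaign tooling; the record fields, the internal address ranges and the sample events are assumptions constructed for illustration.

```python
# Added example (not from the ClearSky report): flag RDP over a local tunnel and
# outbound connections from known tunnelling tools in constructed Sysmon-style
# network-connection records. Field names and sample values are assumptions.
import ipaddress

# Tools the report names for SSH forwarding / reverse proxy, plus the OpenSSH client.
TUNNEL_TOOLS = {"plink.exe", "putty.exe", "ngrok.exe", "frpc.exe", "frps.exe", "ssh.exe"}
RDP_PORT = 3389
# Assumed internal addressing; adjust to the environment being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(addr: str) -> bool:
    """True if addr parses and falls inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def find_tunnel_indicators(records):
    """Return (rule_name, record) pairs for connections matching the two TTPs."""
    hits = []
    for r in records:
        image = r["image"].rsplit("\\", 1)[-1].lower()
        # RDP whose both ends are loopback: the client is talking to the local
        # end of a port-forward (e.g. plink -L) rather than to the real host.
        if r["dst_port"] == RDP_PORT and is_loopback(r["src_ip"]) and is_loopback(r["dst_ip"]):
            hits.append(("rdp_over_local_tunnel", r))
        # Known tunnelling binary connecting to an address outside the internal ranges.
        if image in TUNNEL_TOOLS and not is_internal(r["dst_ip"]):
            hits.append(("tunnel_tool_outbound", r))
    return hits

# Constructed sample events; 203.0.113.10 is a documentation address, not a real host.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mstsc.exe", "src_ip": "127.0.0.1", "dst_ip": "127.0.0.1", "dst_port": 3389},
    {"image": r"C:\Users\Public\plink.exe", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "dst_port": 22},
    {"image": r"C:\Windows\System32\mstsc.exe", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 3389},
    {"image": r"C:\Program Files\Git\usr\bin\ssh.exe", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.30", "dst_port": 22},
]

if __name__ == "__main__":
    for rule, rec in find_tunnel_indicators(SAMPLE_EVENTS):
        print(rule, rec["image"], rec["dst_ip"], rec["dst_port"])
```

The third and fourth sample events (ordinary internal RDP and SSH) are deliberately left unflagged; in practice the internal ranges and tool list should be tuned to the environment to keep that false-positive rate low.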
“The Fox Kitten campaign is a continuous campaign operated, with high probability, by state-sponsored Iranian APT groups whose purpose is espionage against numerous companies mainly in the sectors of IT, defense, electricity, oil and gas and aviation companies,” ClearSky notes.
The researchers observed two main attack waves that compromised companies in Israel, the United States, Saudi Arabia, Lebanon, Kuwait, the UAE, Australia, France, Poland, Germany, Finland, Hungary, Italy and Austria.
Previously, security researchers revealed connections between various Iran-linked hacking groups, based on the reuse of infrastructure and malicious code, but it appears that the collaborative efforts between at least some of them might run deeper.
“We attribute the ‘Fox Kitten’ campaign, with medium-high confidence, to the APT34 group, and with medium confidence to the APT33 and APT39 groups, and we assess that there is a cooperation between the groups in infrastructure and possibly beyond that,” ClearSky’s researchers say.