Iran Backdoors ‘Dozens’ of Companies via VPN 1-Day Vulnerabilities

A report claims government-backed Iranian groups have been hacking companies around the world. Exploiting newly disclosed bugs in VPNs, they’ve been inserting sophisticated, hard-to-find backdoors.

It’s been going on for at least three years, say the researchers. Industrial and political espionage seems to be the point of it all.

“Fox Kitten” is the obligatory codename for the VPN backdoor hacking campaign. In today’s SB Blogwatch, we overload on cute.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fox vs. Kitten.

Persian, Perhaps

What’s the craic? Catalin Cimpanu reports—“Iranian hackers … plant backdoors in companies around the world”:

A new report published today reveals that Iran’s government-backed hacking units have made a top priority last year to exploit VPN bugs as soon as they became public in order to infiltrate and plant backdoors in companies all over the world, [sometimes] within hours after the bugs had been publicly disclosed. … Iranian groups were quick to weaponize vulnerabilities disclosed in the Pulse Secure “Connect” VPN … Fortinet FortiOS … Palo Alto Networks “Global Protect” [and] Citrix “ADC.”

While the first stage (breaching) of their attacks targeted VPNs, the second phase (lateral movement) involved a comprehensive collection of tools and techniques, showing just how advanced these Iranian hacking units have become in recent years. … The purpose of these attacks appears to be to perform reconnaissance and plant backdoors for surveillance operations.

Iranian groups also appear to be collaborating and acting as one, something that has not been seen in the past. [It appears] to be the work of at least three Iranian groups – namely APT33 (Elfin, Shamoon), APT34 (Oilrig), and APT39 (Chafer).

We can expect that Iranian hackers will most likely target SonicWall SRA and SMA VPN servers in the future after earlier this week security researchers have published details about six vulnerabilities impacting these two products.

And Davey Winder adds—“This Is What An Iranian Cyber Attack Looks Like”:

Ever since the 2010 Stuxnet worm attack on the Natanz nuclear plant that was eventually attributed to the U.S. and Israeli governments, Iran has been taking “cyber” seriously. … Much of this activity is aimed at the U.S. and Israel, and … attributed to state-sponsored hacking groups.

An Iranian espionage campaign, targeting various industry sectors in both the U.S. and Israel, has been ongoing for the last three years, [gaining] a persistent foothold within … organizations in the aviation, government, IT, oil and gas, security and telecommunications sectors. … While it has, so far, been used [for] espionage and reconnaissance … it also can deliver destructive malware.

Both VPN and RDP exploits [were] used to infiltrate and then gain control of critical data storage by the Iranian hacker groups. [The] news should be a wake-up call to … every organization, and not only those in the crosshairs of Iranian state-sponsored attack groups.

Who found it? Ohai, Ohad Zaidenberg at ClearSky—“Fox Kitten Campaign”:

We estimate the campaign revealed in this report to be among Iran’s most continuous and comprehensive campaigns revealed until now. [The] APT groups have succeeded in penetrating and stealing information from dozens of companies around the world.

The initial breach of the targeted organizations was performed, in most cases, by exploiting 1-day vulnerabilities in different VPN services. … Upon gaining a foothold at the target, the attackers tried to maintain access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling.

Iranian APT groups [are] focusing on IT companies that provide a wide range of services to thousands of companies. Breaching those IT companies is especially valuable, because through them one can reach the networks of additional companies.

Checking outward-facing systems, including different VPN systems, is critically important. … There is a need for constant monitoring, making sure that the systems are constantly updated, and preventing unneeded exposure of the administration interfaces to the outside world.

Users’ permissions and active users on each station should be monitored constantly. … The attackers have created, multiple times, local users that allowed them to act freely.
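The ClearSky advice above names two host-side behaviours worth watching for: local accounts created by the intruders, and RDP reached through an SSH tunnel. The script below is an added example, not ClearSky’s tooling or anything from the report, that runs that logic over a handful of constructed, simplified key=value renderings of Windows Security events (the event IDs 4720 account created, 4732 member added to a local group, and 4624 logon with logon type 10 for RDP are real; the one-line format and field names are an assumption for the example). An RDP logon whose source address is a loopback address is what a tunnelled RDP session looks like to the host, and a new account used for RDP within a day of its creation is exactly the pattern the quote describes.

```python
"""Flag local-account creation, elevation to Administrators, loopback RDP
logons (RDP over an SSH tunnel) and RDP by freshly created accounts.
Added example over constructed sample data; nothing here is a real capture."""
import re
from datetime import datetime, timedelta

# Constructed sample: simplified key=value rendering of Windows Security events.
SAMPLE_LOG = """\
ts=2020-02-17T02:11:09Z EventID=4720 TargetUserName=svc_backup SubjectUserName=admin Computer=FS01
ts=2020-02-17T02:11:15Z EventID=4732 TargetUserName=svc_backup GroupName=Administrators SubjectUserName=admin Computer=FS01
ts=2020-02-17T02:14:40Z EventID=4624 TargetUserName=svc_backup LogonType=10 IpAddress=127.0.0.1 Computer=FS01
ts=2020-02-17T09:00:02Z EventID=4624 TargetUserName=jsmith LogonType=10 IpAddress=10.20.30.40 Computer=FS01
ts=2020-02-17T09:30:12Z EventID=4720 TargetUserName=contractor1 SubjectUserName=helpdesk Computer=WS22
"""

LOOPBACK = {"127.0.0.1", "::1"}          # where a local SSH tunnel endpoint appears from
CORRELATION_WINDOW = timedelta(hours=24)  # "new account" means created within this window


def parse_line(line):
    """Turn one 'key=value key=value' line into a dict; 'ts' becomes a datetime."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if "ts" in fields:
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def _finding(kind, ev, severity):
    return {
        "kind": kind,
        "severity": severity,
        "host": ev.get("Computer"),
        "user": ev.get("TargetUserName"),
        "ts": ev["ts"].isoformat(),
    }


def analyze(log_text):
    """Walk the events in order and emit a finding per suspicious behaviour."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    created = {}  # (host, user) -> creation time, for the correlation rule
    for ev in events:
        eid = ev.get("EventID")
        host, user = ev.get("Computer"), ev.get("TargetUserName")
        if eid == "4720":
            created[(host, user)] = ev["ts"]
            findings.append(_finding("local_account_created", ev, "medium"))
        elif eid == "4732" and ev.get("GroupName") == "Administrators":
            findings.append(_finding("added_to_local_administrators", ev, "high"))
        elif eid == "4624" and ev.get("LogonType") == "10":
            # Logon type 10 is RemoteInteractive (RDP). A loopback source means the
            # RDP connection entered the host through a local tunnel endpoint.
            if ev.get("IpAddress") in LOOPBACK:
                findings.append(_finding("rdp_logon_from_loopback", ev, "high"))
            born = created.get((host, user))
            if born is not None and ev["ts"] - born <= CORRELATION_WINDOW:
                findings.append(_finding("rdp_logon_by_newly_created_account", ev, "high"))
    return findings


def summarize(findings):
    """Count findings per kind; handy for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity']:6} {f['host']} {f['user']}: {f['kind']}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The ordinary RDP logon for jsmith from a routable address produces nothing, while svc_backup trips three rules in a row; on real data the correlation window and the loopback set would be the first two knobs to tune, and the parser would be replaced by whatever your SIEM already hands you for those three event IDs.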

Butwhatabout? SuperDre says, “stop pointing fingers”:

How is this different from what the US is doing? They also target VPN networks, hell they even buy security companies and plant their own backdoors into the software/hardware those companies deliver to their customers.

Defense in depth? notlukesky doesn’t go into Tosche Station to pick up some power converters: [You’re fired—Ed.]

VPNs and RDPs are unfortunately not enough to secure the network. I work for an SI where we integrate … 2FA to all sorts of VPNs and RDPs.

The perimeter is becoming obsolete and IAM and 2FA are necessary both outside and in the network all the time. Of course usability of 2FA is paramount to mass adoption. … Access control policies also come in handy.

Can you see the irony? Uri Goldstein—@urig—facepalms:

I’m so naive. Was surprised to see one of the main attack vectors is the security tooling itself: … VPNs.

But this Anonymous Coward just doesn’t buy it:

These are the idiots who shot down their own plane. … I’m pretty sure they aren’t going to have a lot of luck infiltrating the kind of security that corporations employ to protect their assets.

Meanwhile, @angryhamster6 is more measured:

They didn’t use ground-breaking techniques and resources, just learned well and fast from what is already working.

And Finally:

Fox Kitten?

Hat tip: Neal Rauhauser


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Zion National Park (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp, and on Forbes. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
