Iranian-backed Fox Kitten APT Exploits VPN Vulnerabilities – Here’s Why it Should Matter to You

Collaboration is a great thing isn’t it?

Well it’s not such a great thing when the collaboration in question is an effort to steal data and spy on countries across the globe. It’s made even worse when it’s an effort between some of the most notorious players in the Advanced Persistent Threat (APT) world. 

Advanced Persistent Threats 
APTs are long-term operations in which an attacker sits on a network undetected for a significant amount of time. During this time, the goal is to a) evade detection at all costs, and b) collect as much information as possible about the target. APTs are typically carried out by highly sophisticated government or corporation-backed attackers and their targets are typically high-value organizations, governmental or otherwise.

In a nutshell, as opposed to the “I-went-to-the-darkweb,-bought-some-ransomware-and-now-I’m-gonna-deploy-it” variant of cyber threats, APTs are extremely advanced threats that take bundles of time and cash to develop and deploy. They are carried out with extreme stealth and secrecy and many targeted organizations may never even discover that they have been attacked. 

Fox Kitten 
Now, according to research from security firm ClearSky, Iran-backed APT players APT33-Elfin and APT34-OilRig (and potentially APT 39-Chafer) have been linked to a campaign that has compromised Israeli and US companies in industries spanning critical infrastructure, security, IT and government.

The long-running operation has allowed Iranian groups to access corporate networks and data and also serves as a “perfect launchpad for the deployment of destructive malware such as ZeroCleare and Dustman”, according to Moreover, according to researchers at ClearSky, the campaign, which they dubbed Fox Kitten, symbolizes “an entire infrastructure dedicated to ensuring the long-lasting capability to control and fully access the targets chosen by the Iranians”. They posit that over the last three years, the groups have been able to: 

  • Gain, and hold on to, access routes into victim organizations;
  • Exfiltrate data from victims; 
  • Attack third party organizations through the initial victims. 

So just how were the attackers able to make their way inside these highly protected and sensitive organizations? 

They used a potent concoction of tools, including custom-made weapons and open-source code. But according to ClearSky, the initial infection was launched via RDP (Remote Desktop Protocol) and VPN (Virtual Private Network) vulnerabilities. And not just any VPN vulnerabilities; these are the very same VPN vulnerabilities we warned readers about back in August 2019. Disclosed vulnerabilities in Fortinet, Pulse Secure, and Palo Alto VPN services allowed attackers to gain a foothold in the networks and remain there indefinitely. 

Wonky VPNs = Big Security Problems 
VPNs have played a critical part in allowing employees and third parties to access resources and networks since the dawn of IT. But recently, VPNs have begun to show their age, and consequently, their lack of ability to keep pace with the changing access threats organizations face today. In fact, the same Pulse Secure vulnerability is assumed to be at the center of the recent Travelex attack that allowed attackers to remotely execute code on the London-based currency exchange. 

Successful APTs are very complex matters and no one issue is to blame when there are so many moving parts; but leaving known vulnerabilities unpatched is obviously asking for disaster. The VPN providers in question have been urging users to patch their software since the vulnerabilities were discovered months ago. The fact that they went unpatched made it all the easier for these sophisticated attackers to infiltrate. 

Moreover, entirely preventing APTs from getting inside networks is no simple feat. Considering that these attackers usually have loads of cash at their disposal to ensure their success, organizations really need to do all they can to lower their chances of being successfully infiltrated. 

And since VPNs are no longer the most capable way of provisioning secure access, it’s time to move to a solution that’s built for secure access today. Solutions like a Software Defined Perimeter (SDP) are built for access challenges in the cloud and on prem and can provide the granular case-by-case access needed to ensure your resources aren’t exposed to threats. 

*** This is a Security Bloggers Network syndicated blog from Safe-T Blog authored by Eitan Bremler, VP Products and Technology. Read the original post at: