Iranian hackers Attack Targeted Companies to Steal Valuable Information Via VPN Flaw

In the last three years a new report published by cyber security experts has uncovered reports of Iranian government-sponsored hackers targeting dozens of companies and organisations.

The cyberspy campaign Dubbed Fox Kitten is allegedly aimed at IT, telecommunications, oil and gas, aviation, government and defense firms.

The plan that this study shows is considered to be among the most detailed and continuous campaigns in the Iranian government so far. It can however also be used as a medium for the distribution and activation of harmful malware, such as ZeroCleare and Dustman. The campaign has been announced.

The researchers have also made it possible for organizations to steal sensitive information and employ supply-chain attacks to threaten other organisations, incorporating threats to the APT33, APT34 and APT39, the offensive performed with a combination of open source and self-developed software.

VPN Flaws Works

The key vector used by Iranian groups was the exploitation of unspecified VPN vulnerabilities in order to infiltrate and rob target companies of their information. These were used by prominent VPN systems, such as Pulse Secure Connect (CVE-2019-11510) and Citrix (C VE-2019-19781). 

The most important systems were the Pulse Secure Connect (CVE-2019-11510), Palo Alto Global Protect (CVE -2019-1577). EOLBREAK ClearSky noted that hacking groups have succeeded in gaining access to core systems of the targets, dropping additional malware and spreading over the network laterally by exploiting "1-day vulnerabilities in relatively short time."

After an initial footprint was successfully obtained, the compromised systems interacted with attacker control servers in access a series of VBScript files that can be used to create backdoors. The framework can also be used with attacker power. 

In order to prevent the detection of antivirus installed on infected computers, the backdoor code itself is being copied into chunks. The job is to collect these individual files together to create an executable for a separate downloaded file– named "combine.bat."

The threat players have used tools like Juicy Potato and Invoke Hash for these tasks in order to gain top-level rights and push laterally around the network. Some of the other instruments the attackers have created include:

• STSRCheck ; A tool for the mapping and brutalization of databases, servers and ports in the specific network by logging with default credentials.
•Port.exe ; A predefined port and server scanning tool.

When attackers gain lateral movement power, the attackers proceed to the final stage: perform the backdoor scanning for relevant information on the affected device, and exfiltrate the files into the attacker using a remote POWSSHNET-based tool, or open a link on a socket to a hard-coded IP address.

In order to communicate with servers inside the target, and to upload files to a C2 server, the attackers also used web shells.

The ClearSky study highlighted that attacks on Vpn servers are probably linked to three Iranian groups– APT33 ("Elfin"), APT 34 ("OilRig") or APT39 (Chafer) based on the use of web shells and overlap with attack infrastructure.

In addition, the researchers analyzed the system as a result of the' infrastructure network partnership,' noting similarities in the work methods and techniques across the three classes.

Only last month, state-backed Iranian hackers, dubbed' Magnallium,' were found conducting a password-based assault on U.S. electricity companies and on petroleum and gas companies. 

As VPN bugs are armed within 24 hours by attackers, it is imperative that organizations install security patches as and when necessary. 

Apart from following the least privilege principle, critical systems are continuously monitored and maintained. Thanks to two-step authentication, unauthorized logins can be reduced.
Previous Post Next Post