
Iranian Hackers Targeting Dozens of Organizations Using VPN Exploit

Reports by security researchers have revealed that state-sponsored hackers in Iran were able to use a VPN flaw to access numerous companies and organizations worldwide.
According to new reports published by security researchers, Iranian state-backed hackers have been exploiting known but unpatched flaws in several commercial VPN products to break into companies and organizations around the world. The newly discovered operation appears to have been running for around three years.

Iran Sees Spike in Cyber-Espionage

Researchers from ClearSky have named the campaign “Fox Kitten” and describe it as a cyber-espionage initiative targeting IT firms, oil and gas companies, telecommunications providers, governments, aviation, the security sector, and more. The report calls it one of Iran’s most continuous and comprehensive campaigns to date. From what the researchers could establish, the compromised systems were used mainly as reconnaissance infrastructure. However, the same access could easily be turned to more destructive ends, such as spreading and activating malware. The report ties the activity to multiple threat groups, including APT33, APT34, and APT39. Beyond stealing sensitive information, the attackers also mounted supply-chain attacks through which further organizations were compromised.

Details about the Campaign

As mentioned, the breaches were possible because of unpatched flaws in VPN products, which let the hackers get past the targeted companies’ perimeter defenses and steal sensitive data. Several VPN systems were exploited this way, including Pulse Connect Secure, Palo Alto Networks GlobalProtect, Citrix, and Fortinet FortiOS. ClearSky further notes that the hackers gained access to the targeted organizations’ core systems and left additional malware behind, which kept spreading through the network by exploiting 1-day vulnerabilities, that is, bugs that are already public and fixed by the vendor but not yet patched on the victim’s systems. The practical lesson is the obvious one: apply vendor fixes to internet-facing VPN appliances promptly, and review the logs of any appliance that sat exposed while unpatched.

Researchers also reported a rather stealthy approach: even the backdoor code itself was downloaded in small chunks so that antivirus software would not detect it. Once a system was infected, the hackers executed the backdoor to scan for sensitive information and retrieved the files through a remote desktop connection or by opening a socket-based connection to a hardcoded IP address. Another notable detail is that multiple hacking groups collaborated in order to reach their goals.
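The chunked download and socket-based exfiltration described above are the kind of behaviour that egress logs can surface. As an added illustration, not part of the original article or of ClearSky’s report, the Python below runs two simple heuristics over a constructed proxy-style log: a burst of many small responses from one external host within a short window, and a large outbound transfer to a single address on a non-web port. The log format, hosts, addresses and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log (proxy/firewall style), not data from the report.
# Format assumed for this example:
#   "<ISO-8601 time> <src ip> <dst ip>:<dst port> <bytes out> <bytes in>"
# 10.0.0.5 pulls a payload from 203.0.113.10 as twelve ~1 KB pieces over a
# minute, then pushes ~2.5 MB to the same address on a non-standard port.
# 10.0.0.7 is ordinary browsing traffic included as a control.
SAMPLE_LOG = """\
2020-02-18T09:00:00 10.0.0.7 198.51.100.20:443 1200 2400000
2020-02-18T09:00:05 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:00:10 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:00:15 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:00:20 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:00:25 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:00:30 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:00:35 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:00:40 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:00:45 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:00:50 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:00:55 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:01:00 10.0.0.5 203.0.113.10:443 300 1024
2020-02-18T09:03:00 10.0.0.5 203.0.113.10:8443 2600000 900
2020-02-18T09:05:00 10.0.0.7 198.51.100.20:443 900 12000
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, src, dst_port, bytes_out, bytes_in = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "bytes_out": int(bytes_out),
        "bytes_in": int(bytes_in),
    }


def parse_log(text):
    """Parse a whole log, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_chunked_downloads(events, min_chunks=10, max_chunk_bytes=4096,
                           window=timedelta(minutes=5)):
    """Return (src, dst) pairs where src received at least `min_chunks`
    small responses (<= max_chunk_bytes) from dst inside one `window`.
    Thresholds are illustrative, not values from the report."""
    small = defaultdict(list)
    for ev in events:
        if ev["bytes_in"] <= max_chunk_bytes:
            small[(ev["src"], ev["dst"])].append(ev["ts"])
    hits = []
    for flow, times in small.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_chunks:
                hits.append(flow)
                break
    return hits


def find_bulk_exfil(events, min_bytes_out=1_000_000, web_ports=(80, 443)):
    """Return (src, dst, port, total_out) for flows that pushed at least
    `min_bytes_out` to one destination on a port other than ordinary web
    ports: the shape of a socket connection to a hard-coded address."""
    totals = defaultdict(int)
    for ev in events:
        totals[(ev["src"], ev["dst"], ev["port"])] += ev["bytes_out"]
    return [(src, dst, port, total)
            for (src, dst, port), total in totals.items()
            if total >= min_bytes_out and port not in web_ports]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("chunked downloads:", find_chunked_downloads(evs))
    print("bulk exfil:", find_bulk_exfil(evs))
```

Both heuristics are deliberately coarse: legitimate software updaters also fetch many small objects, and backups push large volumes on odd ports, so in practice the output is a triage list to be joined against VPN appliance logs and asset inventory, not an alert on its own.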