Iranian Hackers Are Reportedly Weaponizing Published VPN Flaws in Hours

  • At least three Iranian APT groups combined forces to launch attacks against corporate networks.
  • Named "Fox Kitten," this campaign was based on the exploitation of 1-day VPN flaws.
  • The hackers were ready to weaponize vulnerabilities almost as soon as they were published.

During 2019, there have been multiple reports about risky flaws that underpin widely-used corporate VPN tools. Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs were all found to be vulnerable in some way and, in many cases, the associated proof-of-concept (PoC) code was published as well. This only happened after the vendors were given enough time to push fixing updates. However, thousands of systems remained unpatched, so hackers actively searched for them. According to a report by ClearSky, Iranian hackers were identified as the ones who have been leading this exploitation effort, and they were actually engaging in it since 2016.

process
Source: ClearSky

Naming it the "Fox Kitten" campaign, the researchers claim that APT34-OilRig, APT33-Elfin, and APT39-Chafer united their firepower to spread malware strains such as the "ZeroCleare" and "Dustman." These Iranian hacking groups have collaborated to develop and maintain access routes to organizations from around the world, steal crucial data from them, and infect their products to reach more victims through supply-chain attacks. The following map shows which countries were most targeted (red), and which received a relatively lower volume of attacks (yellow). As for the targeted sectors, these were IT, petroleum, utilities, defense, and aviation.

map
Source: ClearSky

From 2016 and until late 2019, the Iranian hackers succeeded in penetrating corporate networks and stealing information from dozens of critical organizations. The main way inside these networks was via unpatched VPN and RDP services, which indicates that these skillful actors already knew about some of the flaws that were later discovered by white hat hackers. They were actively exploiting them a long time before the VPN makers sent out fixing patches. In most cases, though, they were just ready to exploit vulnerabilities that were published by researchers. For example, the actors managed to weaponize exploits for the Pulse Secure Connect, Global Protect, and the Fortinet FortiOS VPN quickly after DEVCORE’s Meh Chang and Orange Tsai made a relevant presentation at Black Hat USA 2019.

ClearSky reports that Iranian hackers shouldn’t be considered inferior to Russian or Chinese state-supported actors at all. They say that, in fact, they have compelling offensive capabilities, exploiting 1-day flaws in brief periods of time, even in a couple of hours in some cases. Considering this, it means that they remain a menace even for system administrators who act responsibly and apply patches within a couple of days. These actors are always on alert for whatever useful things they can get, and they are professionals, very quick to launch novel attacks when working as a larger team.

Latest
How to Watch Love Island Australia Season 4 (2022) Online From Anywhere
One of the hottest reality TV shows is returning with a brand new season, and we're excited to watch all the episodes...
How to Watch Who Killed Jenni Rivera? Online: Stream the Mysterious Death Documentary From Anywhere
Who Killed Jenni Rivera? is a new documentary series that pays tribute to the life of the award-winning Latin sensation and also investigates...
How to Watch World Cup 2022 Online: Live Stream Soccer Matches for Free from Anywhere
Fans were treated to more enthralling action at the 2022 FIFA World Cup on Monday as Croatia needed a penalty shootout to...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari