Skip to main content

Iranian hackers have been hacking VPN servers to plant backdoors in companies around the world | ZDNet



2019 will be remembered as the year when major security bugs were disclosed in a large number of enterprise VPN servers, such as those sold by Pulse Secure, Palo Alto Networks, Fortinet, and Citrix.
A new report published today reveals that Iran’s government-backed hacking units have made a top priority last year to exploit VPN bugs as soon as they became public in order to infiltrate and plant backdoors in companies all over the world.
According to a report from cyber-security firm ClearSky, Iranian hackers have targeted companies “from the IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors.”

Some attacks happened hours after public disclosure

The report comes to dispel the notion that Iranian hackers are not sophisticated, and less talented than their Russian, Chinese, or North Korean counterparts.
ClearSky says that “Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time.”
In some instances, ClearSky says it observed Iranian groups exploiting VPN flaws within hours after the bugs been publicly disclosed.
*APT stands for advanced persistent threat and is a term often used to describe nation-state hacking units
ClearSky says that in 2019, Iranian groups were quick to weaponize vulnerabilities disclosed in the Pulse Secure “Connect” VPN (CVE-2019–11510), the Fortinet FortiOS VPN (CVE-2018–13379), and Palo Alto Networks “Global Protect” VPN (CVE-2019–1579).
Attacks against these systems began last summer, when details about the bugs were made public, but they’ve also continued in 2020.
Furthermore, as details about other VPN flaws were made public, Iranian groups also included these exploits in their attacks (namely CVE-2019–19781, a vulnerability disclosed in Citrix “ADC” VPNs).

Hacking corporate targets to plant backdoors

According to the ClearSky report, the purpose of these attacks is to breach enterprise networks, move laterally throughout their internal systems, and plant backdoors to exploit at a later date.
While the first stage (breaching) of their attacks targeted VPNs, the second phase (lateral movement) involved a comprehensive collection of tools and techniques, showing just how advanced these Iranian hacking units have become in recent years.
For example, hackers abused a long-known technique to gain admin rights on Windows systems via the “Sticky Keys” accessibility tool [ 1, 2, 3, 4].
They also exploited open-sourced hacking tools like JuicyPotato and Invoke the Hash, but they also used legitimate sysadmin software like Putty, Plink, Ngrok, Serveo, or FRP.
Furthermore, in the case where hackers didn’t find open source tools or local utilities to help in their attacks, they also had the knowledge to develop custom malware. ClearSky says it found tools like:
  • STSRCheck — Self-developed databases and open ports mapping tool.
  • POWSSHNET — Self-developed backdoor malware for RDP-over-SSH tunneling.
  • Custom VBScripts — Scripts to download TXT files from the command-and-control (C2or C&C) server and unify these files into a portable executable file.
  • Socket-based backdoor over cs.exe — An EXE file used to open a socket-based connection to a hardcoded IP address.
  • Port.exe — Tool to scan predefined ports for an IP address.


Multiple groups acting as one

Another revelation from the ClearSky report is that Iranian groups also appear to be collaborating and acting as one, something that has not been seen in the past.
Previous reports on Iranian hacking activities detailed different clusters of activity, usually the work of one singular group.
The ClearSky report highlights that the attacks against VPN servers across the world appear to be the work of at least three Iranian groups — namely APT33 (Elfin, Shamoon), APT34 (Oilrig), and APT39 (Chafer).

The treat of data-wiping attacks

Currently, the purpose of these attacks appears to perform reconnaissance and plant backdoors for surveillance operations.
However, ClearSky fears that access to all of these infected enterprise networks could also be weaponized in the future to deploy data-wiping malware that can sabotage companies and take down networks and business operations.
Such scenarios are possible and very plausible. Since September 2019, two new strains of data-wiping malware ( ZeroCleare and Dustman) have been discovered and linked back to Iranian hackers.
Furthermore, ClearSky also doesn’t rule out that the Iranian hackers might exploit access to these breached companies for supply chain attacks against their clients.
This theory is supported by the fact that earlier this month, the FBI sent out a security alert to the US private sector warning about ongoing attacks against software supply chain companies, “including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution.” The ICS and energy sector has been a traditional target for Iranian hacking groups in the past.
The same FBI alert noted links between malware deployed in these attacks and code previously used by Iran’s APT33 group, strongly suggesting that Iranian hackers might be behind these attacks.
Furthermore, the attack against Bapco, Bahrain’s national oil company, used the same “breach VPN -> move laterally” tactic that ClearSky described in its report.
ClearSky now warns that after months of attacks, companies who have finally patched their VPN servers should also scan their internal networks for any signs of compromise.
The ClearSky report includes indicators of compromise (IOCs) that security teams can use to scan logs and internal systems for signs of an intrusion by an Iranian group.
However, the same flaws have also been exploited by Chinese hackers and multiple ransomware and cryptomining groups.

New VPN flaws

Furthermore, taking into account the conclusions of the ClearSky report, we can also expect that Iranian hackers will also pounce on the opportunity to exploit new VPN flaws once they become public.
This means that we can expect that Iranian hackers will most likely target SonicWall SRA and SMA VPN servers in the future after earlier this week security researchers have published details about six vulnerabilities impacting these two products.

Originally published at https://www.zdnet.com on February 16, 2020.

Comments

Post a Comment

Popular posts from this blog

Lebanese Protesters Are Using This ‘Bridgefy’ Messaging App - What is it?

Bridgefy is an offline messaging app that lets you communicate with friends and family when you don't have access to the Internet, by simply turning on your Bluetooth antenna. Due to WhatsApp outage and the poor internet services, a new offline messaging app known as Bridgefy has started to gain traction among Lebanese protesters. The people are recommending using this app in case there is a shutdown of internet services. Did you know that: 1 billion people aren’t covered by 3G or 4G networks. 3.3 billion people live in areas where the mobile Internet can be accessed but remain without a mobile Internet subscription. 1 billion people own a smartphone but don’t own a data plan. 40% of the world population is forecast to remain unconnected by 2025. These numbers represent huge amounts of potential users that aren’t being reached by mobile apps. Bridgefy keeps your app working even when people do not have access to the Internet. T...
Post a Comment
Read more

WhatsApp Users Exchanged Over 100 Billion Messages on New Year’s Eve, A New Record

WhatsApp is one of the most widely used communication apps on the planet and as such, clocks an insane number of messages and media exchanges on a daily basis. But the New Year's Eve broke a record that has been standing since WhatsApp's debut a decade ago. WhatsApp has revealed that users exchanged over 100 billion messages on New Year's eve. And out of that number, more than 20 billion messages were shared by Indian users alone. Moreover, around 12 billion out of the 100 billion+ messages shared on the platform were images. WhatsApp wrote in a press release that over 100 billion messages were shared globally on December 31 in the 24-hour duration leading up to the midnight of New Year's Eve. This is a record-breaking volume and is the highest number of messages exchanged in a single day ever since WhatsApp kicked off its services ten years ago. Out of those 100 billion+ messages shared on New Year's eve, WhatsApp says over 12 billion were images. Meanwhile...
Post a Comment
Read more

Facebook updates iOS app to fix issues that let the camera open in the background

The issues were first reported this month This month, some users of Facebook’s iOS app  found that  that, in at least two situations, the app appeared to be activating the camera in the background without a user’s knowledge. Facebook said yesterday that it was submitting fixes for the issues to Apple, and the company tells us that, as of this morning, the updated app is now available for download on the App Store. I’ve downloaded the update to my iPhone 11 Pro, and I can’t get the camera to accidentally activate in either of the scenarios that were reported — but I also couldn’t get it to activate yesterday, so I can’t personally confirm that the issues are fixed. But if we take Facebook at its word that everything is resolved, it’s nice to see that the company acted quickly. Article reference:  https://www.theverge.com/2019/11/13/20963791/facebook-issue-fix-camera-open-background-update-ios-app-store
Post a Comment
Read more