Cybersecurity researchers have spotted a widespread hacking campaign by Iranian groups who compromised VPN (virtual private network) servers, planted ‘backdoors’ and succeeded in gaining access to the networks of numerous companies and organisations around the world. During the last quarter of 2019, the research team from the UK-based ClearSky uncovered a widespread Iranian offensive campaign which it called the “Fox Kitten Campaign”.
“This campaign has been conducted over the last three years against dozens of companies and organisations in Israel and around the world,” the company said in a statement. “Through the campaign, the attackers succeeded in gaining access and a persistent foothold in the networks of numerous companies and organisations from the IT, telecommunication, oil and gas, aviation, government and security sectors around the world,” it added.
Aside from malware, the campaign encompasses an entire infrastructure dedicated to ensuring the long-lasting capability to control and fully access the targets chosen by the Iranians. This infrastructure was used to develop and maintain access routes into the targeted organisations and to steal valuable information from them.
“Hackers maintained a long-lasting foothold at the targeted organisations and breached additional companies through supply-chain attacks.”
The campaign was conducted using a variety of offensive tools, most of them based on open-source code and some self-developed. The Iranian APT groups have succeeded in penetrating and stealing information from dozens of companies around the world in the past three years.
The most successful and significant attack vector used by the Iranian advanced persistent threat (APT) groups in the last three years has been the exploitation of known vulnerabilities in systems with unpatched VPN and RDP services, in order to infiltrate and take control of critical corporate information stores.
After breaching the organisations, the attackers usually maintain a foothold and operational redundancy by installing and creating several more access points to the core corporate network. As a result, identifying and closing one access point does not necessarily deny the capability to carry on operations inside the network.
“Iranian APT groups have developed good technical offensive capabilities and are able to exploit one-day vulnerabilities in relatively short periods of time,” said the researchers.
ClearSky observed Iranian groups exploiting VPN flaws within hours after the bugs had been publicly disclosed.
According to a ZDNet report, Iranian hackers have targeted Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs to hack into large companies.
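The report's two practical lessons for defenders are that exposed VPN and RDP services were exploited within hours of a vendor advisory, and that a single remediated access point is not the end of an intrusion. The following script is an added example (not code from ClearSky, ZDNet or the vendors named above) that turns the first lesson into a routine check: it takes an inventory of edge services with the advisory publication time and the time the patch was applied, computes how long each service stayed exposed, and flags anything still unpatched, patched slower than an agreed window, or offering RDP directly to the internet. All host names, product labels and timestamps below are constructed for illustration.

```python
from datetime import datetime

# Constructed inventory of edge services (hypothetical hosts, products and
# timestamps; not data from the ClearSky report). "advisory_published" is when
# the vendor disclosed a fix, "patched_at" is when it was applied (None = still
# unpatched). Product labels reuse vendor names mentioned in the article only
# as illustrative categories.
INVENTORY = [
    {"host": "vpn-gw-1", "product": "Pulse Secure VPN", "service": "vpn",
     "internet_facing": True,
     "advisory_published": "2020-01-10T08:00:00", "patched_at": "2020-01-10T20:00:00"},
    {"host": "vpn-gw-2", "product": "Fortinet VPN", "service": "vpn",
     "internet_facing": True,
     "advisory_published": "2020-01-10T08:00:00", "patched_at": "2020-01-14T09:00:00"},
    {"host": "fw-vpn-3", "product": "Palo Alto Networks VPN", "service": "vpn",
     "internet_facing": True,
     "advisory_published": "2020-01-10T08:00:00", "patched_at": None},
    {"host": "ts-1", "product": "Windows RDP", "service": "rdp",
     "internet_facing": True,
     "advisory_published": None, "patched_at": None},
    {"host": "mgmt-jump", "product": "Citrix gateway", "service": "vpn",
     "internet_facing": False,
     "advisory_published": "2020-01-10T08:00:00", "patched_at": "2020-01-11T08:00:00"},
]


def _parse(ts):
    """Accept an ISO-8601 string, a datetime, or None."""
    if ts is None or isinstance(ts, datetime):
        return ts
    return datetime.fromisoformat(ts)


def exposure_hours(asset, now):
    """Hours between the vendor advisory and the patch (or `now` if unpatched).
    Returns None when no advisory applies to this asset."""
    published = _parse(asset["advisory_published"])
    if published is None:
        return None
    end = _parse(asset["patched_at"]) or _parse(now)
    return (end - published).total_seconds() / 3600.0


def assess(inventory, now, sla_hours=24):
    """Return one finding per rule an asset breaks, most-exposed first:
    - 'unpatched':   an advisory exists but no patch has been applied
    - 'slow_patch':  the patch landed more than sla_hours after the advisory
    - 'rdp_exposed': RDP reachable from the internet, whatever its patch state
    The 24-hour default reflects the report's observation of exploitation
    within hours of disclosure; tune it to your own change window."""
    findings = []
    for asset in inventory:
        hours = exposure_hours(asset, now)
        if hours is not None and asset["patched_at"] is None:
            findings.append({"host": asset["host"], "rule": "unpatched", "hours": hours})
        elif hours is not None and hours > sla_hours:
            findings.append({"host": asset["host"], "rule": "slow_patch", "hours": hours})
        if asset["service"] == "rdp" and asset["internet_facing"]:
            findings.append({"host": asset["host"], "rule": "rdp_exposed", "hours": hours})
    findings.sort(key=lambda f: -(f["hours"] or 0.0))
    return findings


if __name__ == "__main__":
    # Constructed "current time" for the report; in practice use datetime.now().
    for f in assess(INVENTORY, "2020-01-20T00:00:00"):
        shown = "n/a" if f["hours"] is None else f"{f['hours']:.0f}h"
        print(f"{f['host']:<10} {f['rule']:<12} exposed {shown}")
```

Run against a real asset inventory, the `unpatched` and `slow_patch` rows are the services most likely to have been hit during the window the report describes, and therefore the ones whose logs and configurations deserve a hunt for the additional access points mentioned above rather than a patch alone.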