Iranian hackers have targeted Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs to hack into large companies.
2019 will be remembered as the year when major security bugs were disclosed in a large number of enterprise VPN servers, such as those sold by Pulse Secure, Palo Alto Networks, Fortinet, and Citrix.
A new report published today reveals that Iran's government-backed hacking units made it a high priority this past year to exploit VPN bugs as soon as they became public, in order to infiltrate companies all over the world and plant backdoors.
According to a report from Israeli cyber-security company ClearSky, Iranian hackers have targeted companies “from the IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors.”
Some attacks happened hours after public disclosure
The report comes to dispel the idea that Iranian hackers are less sophisticated and less talented than their Russian, Chinese, or North Korean counterparts.
ClearSky says that “Iranian APT groups have developed great technical offensive capabilities and can exploit 1-day vulnerabilities in relatively short periods.”
In some instances, ClearSky says it observed Iranian groups exploiting VPN flaws within hours after the bugs had been publicly disclosed.
*APT stands for advanced persistent threat, a term frequently used to describe nation-state hacking units
ClearSky says that in 2019, Iranian groups were quick to weaponize vulnerabilities disclosed in the Pulse Secure “Connect” VPN (CVE-2019-11510), the Fortinet FortiOS VPN (CVE-2018-13379), and Palo Alto Networks “Global Protect” VPN (CVE-2019-1579).
Attacks against these systems began last summer when information regarding the bugs was made public, but they’ve also continued in 2020.
Furthermore, as details about other VPN flaws were made public, Iranian groups also included these exploits in their attacks (namely CVE-2019-19781, a vulnerability disclosed in Citrix “ADC” VPNs).
Hacking corporate targets to plant backdoors
Based on the ClearSky report, the goal of these attacks is to breach enterprise networks, move laterally throughout their internal systems, and plant backdoors to exploit at a later time.
While the first stage (breaching) of their attacks targeted VPNs, the next phase (lateral movement) involved a comprehensive collection of tools and techniques, showing precisely how advanced these Iranian hacking units have become recently.
For instance, hackers abused a long-known technique to gain admin permissions on Windows systems via the “Sticky Keys” accessibility tool [1, 2, 3, 4].
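The Sticky Keys abuse mentioned above is well documented, and the check a defender would want is whether a host shows the two usual signs of it: an Image File Execution Options "Debugger" value registered for an accessibility binary, or the accessibility binary itself swapped for another executable. The script below is an added example written for this article; it is not code from ClearSky's report or from any of the tools it names. It assumes a standard Windows layout under `%SystemRoot%\System32` and an elevated PowerShell session; the list of accessibility binaries is the usual set and can be extended.

```powershell
# Added example (not from the article or ClearSky's report): audit a Windows host for
# common Sticky Keys style hijack indicators. Run from an elevated PowerShell session.

# Accessibility helpers Windows can launch from the logon screen (standard names, assumed set).
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system32 = Join-Path $env:SystemRoot 'System32'

$findings = @()

# Check 1: an IFEO "Debugger" value makes Windows start the configured program instead of the
# accessibility binary. A clean system has no such value for any of these names.
foreach ($bin in $accessibilityBinaries) {
    $key = Join-Path $ifeoRoot $bin
    if (Test-Path $key) {
        $debugger = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            $findings += [pscustomobject]@{ Check = 'IFEO Debugger set'; Binary = $bin; Detail = $debugger }
        }
    }
}

# Check 2: the accessibility binary on disk has been replaced. Compare its SHA-256 with cmd.exe
# (the classic substitute) and flag files whose Authenticode/catalog signature is not valid.
$cmdHash = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash
foreach ($bin in $accessibilityBinaries) {
    $path = Join-Path $system32 $bin
    if (-not (Test-Path $path)) { continue }
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    if ($hash -eq $cmdHash) {
        $findings += [pscustomobject]@{ Check = 'Replaced with cmd.exe'; Binary = $bin; Detail = $path }
    } elseif ($sig.Status -ne 'Valid') {
        $findings += [pscustomobject]@{ Check = 'Signature not valid'; Binary = $bin; Detail = $sig.Status }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sticky Keys style hijack indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The hash comparison matters because a renamed copy of a Microsoft-signed binary such as cmd.exe still passes the signature check, so the signature test alone only catches unsigned or tampered replacements. Treat any hit as a lead for incident response rather than proof on its own, and fold the same two checks into the post-patch internal sweeps the article recommends later.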
They also used open-source hacking tools like JuicyPotato and Invoke-TheHash, as well as legitimate sysadmin software like PuTTY, Plink, ngrok, Serveo, or FRP.
Furthermore, where the hackers found no open-source tools or local utilities to help in their attacks, they also had the knowledge to develop custom malware. ClearSky says it found tools like:
- STSRCheck – Self-developed databases and open ports mapping tool.
- POWSSHNET – Self-developed backdoor malware for RDP-over-SSH tunneling.
- Custom VBScripts – Scripts to download TXT files from the command-and-control (C2 or C&C) server and unify these files into a portable executable file.
- Socket-based backdoor over cs.exe – An EXE file used to open a socket-based connection to a hardcoded IP address.
- Port.exe – Tool to scan predefined ports for an IP address.
Multiple groups acting as one
Another revelation from the ClearSky report is that Iranian groups also seem to be collaborating and acting as one, something not seen in the past.
Previous reports about Iranian hacking activities detailed different clusters of activity, usually the work of a single group.
The ClearSky report highlights that the attacks against VPN servers around the world look like the work of at least three Iranian groups — namely APT33 (Elfin, Shamoon), APT34 (Oilrig), and APT39 (Chafer).
The threat of data-wiping attacks
Currently, the goal of these attacks seems to be to perform reconnaissance and plant backdoors for surveillance operations.
However, ClearSky fears that access to many of these infected enterprise networks could also be weaponized in the future to deploy data-wiping malware that can sabotage companies and take down networks and business operations.
Such scenarios are possible and very plausible. Since Sept 2019, two new strains of data-wiping malware (ZeroCleare and Dustman) have been discovered and linked back to Iranian hackers.
Furthermore, ClearSky also doesn’t rule out the fact that Iranian hackers might exploit access to these breached companies for supply chain attacks against their customers.
This theory is supported by the fact that earlier this month, the FBI sent out a security alert to the United States private sector warning about ongoing attacks against software supply chain companies, "including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution." The ICS and energy sector has been a traditional target for Iranian hacking groups in the past.
The same FBI alert noted links between malware deployed in these attacks and code previously used by Iran’s APT33 group, strongly suggesting that Iranian hackers might be behind these attacks.
Furthermore, the attack against Bapco, Bahrain’s national oil company, used the same “breach VPN -> move laterally” tactic that ClearSky described in its report.
ClearSky now warns that after months of attacks, companies that have finally patched their VPN servers also need to scan their internal networks for any signs of compromise.
The ClearSky report includes indicators of compromise (IOCs) that security teams can use to scan logs and internal systems for signs of an intrusion by an Iranian group.
That said, the same flaws have also been exploited by Chinese hackers and multiple ransomware and cryptomining groups, so a clean result against these IOCs does not rule out a different intruder.
New VPN flaws
Furthermore, considering the conclusions of the ClearSky report, we can also expect Iranian hackers to pounce on the chance to exploit new VPN flaws after they become public.
This means Iranian hackers will likely target SonicWall SRA and SMA VPN servers in the future, after security researchers published details earlier this week about six vulnerabilities impacting these two products.