Backdoored: Fortinet, Palo Alto and Pulse Secure VPN Servers; Citrix Gateways
Security researchers have been warning since last August that attackers have been hacking unpatched VPN servers to gain remote access to corporate networks. Now, security firm ClearSky says that at least three advanced persistent threat groups, all with apparent ties to the Iranian government, have been joining the fray and hitting unpatched Fortinet, Pulse Secure and Palo Alto Networks VPN servers and Citrix remote gateways.
The ongoing campaign, which ClearSky researchers call “Fox Kitten,” has been targeting numerous sectors, including IT, telecommunications, oil and gas, aviation and security – as well as several government agencies, according to a new report from ClearSky. Researchers say they have seen attackers hitting targets in the U.S., Israel, Australia, Saudi Arabia, Lebanon, Kuwait, United Arab Emirates and several European countries.
The goal of planting backdoors in VPN servers and remote-access software is to steal data and maintain a long-term presence, according to ClearSky, which says the campaign was discovered by industrial cybersecurity firm Dragos, which refers to these attacks as Parisite.
“After breaching the organizations, the attackers usually maintain a foothold and operational redundancy by installing and creating several more access points to the core corporate network,” ClearSky researchers say. “As a result, identifying and closing one access point does not necessarily deny the capability to carry on operations inside the network.”
The ClearSky report notes that at least one of the APT groups apparently tied to the Fox Kitten campaign may have attempted to plant malware in vulnerable networks.
While the ClearSky report notes that the Fox Kitten campaign has allowed for backdoors to be planted and data to be taken, it’s not clear if any of the APT groups have successfully used these vulnerabilities to spread the wiper malware through infected networks.
Unpatched VPN Servers: Still at Risk
Warnings over the apparent Iranian APT attacks follow repeated, persistent warning from security experts that organizations must patch multiple, critical flaws across a range of devices. Required patches have long been available. Pulse Secure released its patches for Pulse Connect Secure, previously known as Juniper SSL Virtual Private Network, in April 2019. In April and May of last year, Fortinet released updates to patch the flaws in FortiOS. Palo Alto, meanwhile, issued its patches on July 17, 2019.
But organizations have been moving slowly. By August 2019, both Troy Mursch of Chicago-based threat intelligence firm Bad Packets as well as British security researcher Kevin Beaumont said they’d been tracking an increase in probes and hacking activity targeting a large number of still-unpatched SSL VPN servers (see: Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs).
Subsequently, Microsoft warned that it had been tracking attacks that exploit the flaws being launched by suspected Chinese APT groups since at least July 2019.
In October 2019, the U.S. National Security Agency and Britain’ National Cyber Security Center each issued alerts, warning that nation-state were targeting unpatched Pulse Secure, Palo Alto and Fortinet devices (see: NSA Is Latest Intelligence Agency to Sound VPN Patch Alarm).
Specific flaws needing to be patched include CVE-2019-11510 in Pulse Secure’s VPN SSL servers, CVE-2018-13379 in Fortigate’s SSL VPN servers, and CVE-2019-1579 in Palo Alto Network VPN servers, all of which ClearSky says Fox Kitten is now exploiting.
Last month, Citrix released patches to fix severe flaws in its Application Delivery Controller and Gateway products, which first came to light at the end of 2019 (see: Citrix Releases First Patches to Fix Severe Vulnerability). ClearSky says the Fox Kitten campaign is now also targeting these flaws in unpatched Citrix devices.
Despite repeat warnings, security researchers continue to catalog thousands of unpatched servers and devices worldwide.
APT groups have targeted vulnerable VPN servers (Source: ClearSky)
These vulnerabilities have previously been used by other cybercrime groups to spread malware, such as ransomware, but the three apparent Iranian groups have increasingly started to use these flaws for their own purposes – namely to attempt to steal data, ClearSky says (see: Patch or Perish: VPN Servers Hit by Ransomware Attackers).
“The most successful and significant attack vector used by the Iranian APT groups in the last three years has been the exploitation of known vulnerabilities in systems with unpatched VPN and [remote desktop protocol] services, in order to infiltrate and take control over critical corporate information storage,” according to the ClearSky report.
The apparent Iranian APT groups are using the vulnerabilities in the VPN and servers and remote systems to gain a foothold in networks, ClearSky researchers say. From there, the attackers use SSH tunneling to create links via remote desktop protocol, then encrypt and disguise their malicious traffic to make it look like normal network traffic, according to the report.
The attackers then begin mapping the network, using a combination of custom and open-source tools to assist in moving through the infrastructure and communicating with command-and-control servers, ClearSky researchers say. One of the custom, malicious tools that researcher found is called STSRCheck, which is used to scan for open ports, while another is called POWSSHNET, which is the backdoor that allows for network traffic to flow through the SSH tunnel, according to the report.
The researchers also note that the attackers sometimes use a system admin tool, such as Putty or Plink – which are designed to help with remote connection into the network – to stay connected to the network.
Ties to Iran
The ClearSky report identifies three APT groups that appear to be behind the Fox Kitten ongoing attacks.
The researchers says there’s a “medium-high probability” that one attack group is APT34, also known as OilRig, which has been tied to multiple campaigns over the years, including the spreading of wiper malware against oil and gas facilities (see: Wiper Malware Targets Middle Eastern Energy Firms: Report).
The report also notes that there is a “medium” probability that two other groups are involved in exploiting these VPN server vulnerabilities: APT33, which is also known as Elfin, and APT39, which is sometimes called Chafer.
Multiple security researchers have said in previous reports that all three of these groups apparently have ties to the Iranian government (see: Hackers Increasingly Probe North American Power Grid).
“Iranian APT groups have developed good technical offensive capabilities and are able to exploit [fresh] vulnerabilities in relatively short periods of time, starting from several hours to a week or two,” the ClearSky report states.
Executive Editor Mathew Schwartz contributed to this report.