ClearSky specialists published a report dedicated to the hacking of VPN servers, through which attackers seek to reach large companies. In 2019, information security experts identified a number of flaws in various products from Pulse Secure, Palo Alto Networks, Fortinet and Citrix, and these are now being exploited by cybercriminals.
According to ClearSky, such attacks are mainly carried out by Iranian hackers, whose goals are companies from the field of IT, telecommunications, the oil and gas industry, aviation, as well as government agencies and defense enterprises. The report states that Iranian APTs have impressive technical capabilities and can use fresh vulnerabilities soon after they are discovered (sometimes several hours after the public disclosure of information about the problem).
In 2019, Iranian hack groups quickly found a use for the vulnerabilities discovered in Pulse Secure Connect VPN (CVE-2019-11510), Fortinet FortiOS VPN (CVE-2018-13379) and Palo Alto Networks GlobalProtect VPN (CVE-2019-1579). The attacks began last summer, immediately after details of the bugs were published, and continued into 2020. Similarly, attackers quickly adopted CVE-2019-19781, discovered in Citrix ADC VPN.
The purpose of such attacks is to infiltrate corporate networks and then expand the intrusion: lateral movement and the installation of backdoors for later use and espionage. ClearSky also does not rule out that the hackers could use their access to compromised systems to carry out supply-chain attacks, mass deployment of wipers and so on.
During the second stage of the attack (lateral movement), the hackers use a variety of tools and methods, which, according to the researchers, shows how far Iranian APTs have evolved in recent years. For example, they used a well-known technique for obtaining administrator rights in Windows (via Sticky Keys), open source tools such as JuicyPotato and Invoke-TheHash, as well as legitimate administrator software: PuTTY, Plink, Ngrok, Serveo, FRP and so on.
If the attackers could not find ready-made tools for their needs, they built their own. ClearSky specialists found several such examples:
- STSRCheck: a self-developed database and tool for mapping open ports;
- POWSSHNET: RDP-over-SSH tunneling malware;
- Custom VBScripts: scripts for downloading TXT files from the command-and-control server and combining these files into a portable executable file;
- Socket-based backdoor on top of cs.exe: an EXE file used to open a socket-based connection to a hard-coded IP address;
- Port.exe: a tool for scanning predefined ports on a specific IP address.
Moreover, the researchers are convinced that Iranian groups cooperate with each other and act in concert, which had not been observed previously. In particular, the attacks on VPN servers around the world are apparently carried out by at least three Iranian hack groups: APT33 (Elfin, Shamoon), APT34 (OilRig) and APT39 (Chafer).