Iranian cyber criminals successfully gained access into the infrastructures of dozens of firms, and have been accused of a string of prominent cyber attacks including those against Citrix and Palo Alto Networks.
The campaign, dubbed ‘Fox Kitten’, has thus far targeted major companies in order to gain long-lasting control and access to their networks for reconnaissance purposes, and occasionally as a springboard to launch devastating malware attacks.
The campaign, which has been running for at least the last three years, has been orchestrated against companies from the IT, telecoms, old and gas, aviation, government and security sectors globally.
As outlined in a report from cyber security company ClearSky, several known groups and their cyber activities can be tied with shared common infrastructure, and attributed with medium or high probability to the activity of hacker groups such as APT34-OilRig, APT33-Elfin and APT39-Chafer that are considered to have ties to Iran.
The ClearSky researchers have also determined that there’s a medium probability that APT33 and APT34 have been working together since 2017 via this shared infrastructure.
The key offensive tool harnessed through this campaign comprised exploiting one-day vulnerabilities (zero-day vulnerabilities that have been made public) in different virtual private networks (VPNs) and remote hardware services. These included services provided by Pulse Secure, Fortinet and Palo Alto Networks.
Some of these vulnerabilities, and their subsequent exploitation, gained notoriety. The National Cyber Security Centre (NCSC) and National Security Agency (NSA), for example, warned against hackers exploiting flaws in VPNs deployed by all three firms in October 2019.
Although the groups’ actions span a number of years, the hackers have already conducted significant activity in 2020 having exploited fresh vulnerabilities in remote systems deployed by Citrix.
“We attribute the 'Fox Kitten' campaign, with medium-high confidence, to the APT34 group, and with medium confidence to the APT33 and APT39 groups,” the report said. “And we assess that there is a cooperation between the groups in infrastructure and possibly beyond that.
“We assess this campaign’s main goal to be intelligence collection on the targets and creating a supply-chain attack. In our analysis, we have not identified distribution of destructive malware in the attacked organizations.”
Digital Risk Report 2020
A global view into the impact of digital transformation on risk and security management
Once the hackers gained a foothold into the organisation’s network, they maintained access by deploying a range of communication tools, including opening remote desktop protocol (RDP) links. The purpose of this was to camouflage and encrypt communication with their respective targets.
Finally, having infiltrated and maintained access within the organisation, the attackers performed identification, examination and the filtering of sensitive or valuable information from their victims. This was sent back to the attackers for reconnaissance, espionage, or further infection of the infiltrated and associated networks.
From a target company's perspective, the picture is highly bleak, with a long time needed to actually identify an attacker on a compromised network. According to the report, this varies from several months to not at all. Monitoring capabilities, meanwhile, for organisations to identify and block an attacker that entered through remote communication tools ranges from difficult to impossible.
The researchers claimed that, as a result of their findings, those VPN systems that allow for remote access to corporate networks pose a significant risk, because they essentially bypass all defences deployed on the internet.
It’s critical for an organisation to assess its outward-facing systems, including different VPN services, as well as constantly monitoring these systems to ensure they’re continuously updated. Deploying such tools, like VPNs, should also be kept to the bare minimum.
