Iranian hackers target VPNs worldwide to plant 'persistent' backdoors

Iranian hackers have been exploiting bugs in major enterprise VPNs to target US and Israeli infrastructure organisations.

According to cybersecurity firm ClearSky, the attackers have over the last two years been able to establish a persistent presence in the networks of 'numerous' companies and organizations in IT, telecoms, oil and gas, aviation, government and security.

The campaign, which appears to have been carried out as a joint effort between the known hacking groups APT34 and APT33, has been dubbed Fox Kitten.

"Aside from malware, the campaign enfolds an entire infrastructure dedicated to ensuring the long-lasting capability to control and fully access the targets chosen by the Iranians," the researchers write. 

"The revealed campaign was used as a reconnaissance infrastructure. However, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman, tied to APT34."

Hackers target bugs as they’re disclosed

Much of the hackers' opportunity came through the disclosure of major security flaws in a number of enterprise VPN servers, including those from Pulse Secure, Palo Alto Networks, Fortinet and Citrix. 

In some cases, bugs were exploited within hours of being disclosed.

"Several VPN products have had vulnerabilities disclosed in recent months, and so it's not surprising that state-backed groups are looking to leverage their window of opportunity, knowing all too well that patching vulnerable systems can take organisations a long time," says Javvad Malik, security awareness advocate at security training firm KnowBe4. 

"There is a certain irony to this, as organisations deploy VPNs for security, but could be breached because of those very security products."

In most cases, the attackers were able to maintain a foothold by installing several more access points to the core corporate network, so that closing one had no effect.

Supply chain attacks are a particular feature of the campaign, with the hackers targeting IT service companies in order to gain access to their partners.

Iran-US tensions continue

The discovery reveals the continuing cyberwar between Iran and the US, highlighted last month when the US Department of Homeland Security urged organizations to be on heightened alert for denial-of-service and other attacks after Iranian general Qassem Soleimani was killed in a US airstrike.

"The hackers are attempting to backdoor into significant Western corporations in order to begin a long-term cyber insurgency. These campaigns aim to cause havoc within those individual corporations’ networks but also use those networks as footholds to island hop into other companies and government agencies," says Tom Kellermann, head cybersecurity strategist at security firm VMware Carbon Black.

"It’s possible [that US efforts will deter Iran] but seems unlikely. If anything, they are more likely to use proxies now as they embark upon a protracted campaign of attrition."

The hackers' technique of exploiting vulnerabilities as they're reported raises the question of whether the industry should continue making disclosures before a patch is available. 

"This is a long-debated question. Disclosure is important, and without it many fail to act altogether. But it does introduce risk," says Yossi Naar, chief visionary officer and cofounder of security firm Cybereason.

"The bigger concern is that if you don’t disclose it someone will still find and abuse it. Care should be taken to allow for the best handling on a case by case basis - but on the whole it’s better to know."