Iranian hackers breach VPN servers to plant backdoors in corporate networks worldwide

The campaign, dubbed Fox Kitten, has also been targeting unpatched Citrix servers

Researchers at cyber security firm ClearSky claim to have uncovered an Iranian hacking campaign intended to gain a persistent foothold on the networks of major companies worldwide.

The campaign, dubbed Fox Kitten, was first noticed in the fourth quarter of 2019, although it represents the continuation of attacks that have been running for the past three years, targeting dozens of companies in Israel and around the world.

Iranian state-sponsored threat groups, part of the Fox Kitten campaign, are specifically focusing on VPN security vulnerabilities and exploiting them as soon as they are disclosed to the public.

The aim is to plant backdoors in the networks of foreign firms, specifically in IT, telecoms, aviation, oil and gas, security and government sectors.

The ClearSky report warns that Iranian APT groups are no less capable than Chinese, Russian and North Korean hackers, and have developed the technical capability to exploit security bugs within short periods of time. In some cases, the researchers observed hackers exploiting VPN bugs within hours of their disclosure.

Last year, hackers exploited several VPN vulnerabilities, including CVE-2019-11510 (affecting Pulse Secure "Connect" VPN), CVE-2018-13379 (Fortinet FortiOS VPN) and CVE-2019-1579 (Palo Alto Networks "GlobalProtect" VPN).

They are also targeting the CVE-2019-19781 vulnerability affecting Citrix VPNs. According to security firm Bad Packets, 388 of these remain unpatched and vulnerable in the UK, and 2,660 in the US.

Through these various attacks, the hackers try to compromise enterprise networks, to move laterally within the networks, and to plant backdoors that can be exploited at a later date.

"After breaching the organisations, the attackers usually maintain a foothold and operational redundancy by installing and creating several more access points to the core corporate network," the researchers warn in their report.

"As a result, identifying and closing one access point does not necessarily deny the capability to carry on operations inside the network."

Successful attacks also enabled the attackers to steal confidential information from the targeted companies and to breach additional firms through supply-chain attacks.

ClearSky suspects the attackers could weaponise their access in infected networks to install data-wiping malware capable of sabotaging firms and disrupting their business operations completely.

The researchers added that they also noticed various Iranian groups (APT33, APT34, and APT39) sharing the same attack infrastructure to target foreign organisations. However, there is also a possibility that it is just one group which "was artificially marked in recent years as two or three separate APT groups".