Iranian hackers exploited vulnerabilities in VPN



Image: ClearSky

In February, ClearSky published a report on the compromise of large companies by Iranian hacker groups. During an espionage campaign dubbed Fox Kitten, the attackers exploited vulnerabilities disclosed by researchers in 2019 in products from Citrix, Pulse Secure, Palo Alto Networks and Fortinet.

According to ClearSky, attackers target VPNs because a compromised VPN appliance provides a long-term foothold in the infrastructure and, in some cases, a route into third-party companies through supply-chain attacks. Vulnerable VPNs gave the Iranian groups persistent access to company networks across a range of industries, including IT, security, telecommunications, oil and gas, aviation and government.

Among the vulnerabilities the Iranian groups used, the report also mentions the recently patched CVE-2019-19781 in Citrix products, discovered in 2019 by Positive Technologies researcher Mikhail Klyuchnikov. As Brian Krebs notes on his site, some members of the security community nicknamed this vulnerability "Shitrix"; according to Krebs, the ironic name reflects the delay in releasing patches. Although Citrix first warned customers about the problem in mid-December 2019, the patch did not appear until January 2020, about two weeks after attackers began using the publicly released exploit code.
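As an added example (not part of the original article or of the ClearSky report), the following Python script scans web-server access logs for the publicly documented indicator of CVE-2019-19781: a request path that uses "/../" to climb out of the unauthenticated /vpn/ tree into the access-restricted /vpns/ directory, followed by a POST to a Perl script and a fetch of a .xml template. The log lines are constructed for illustration, the field layout is assumed to be the Apache combined format, and the file name a1b2c3.xml is an arbitrary placeholder.

```python
"""Scan web access logs for the CVE-2019-19781 traversal pattern.

Added example: detects the publicly documented indicator of the Citrix
ADC / Gateway flaw - a request path that uses '/../' to climb out of /vpn/
into the access-restricted /vpns/ directory. The log lines below are
constructed for illustration and are not real traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache combined log format (assumed layout).
# One benign session, one attack chain against an unmitigated host (200s),
# one probe refused with 403, one unrelated benign request.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Jan/2020:03:14:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "python-requests/2.22.0"
203.0.113.10 - - [11/Jan/2020:03:14:11 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "-" "python-requests/2.22.0"
203.0.113.10 - - [11/Jan/2020:03:14:12 +0000] "GET /vpn/../vpns/portal/a1b2c3.xml HTTP/1.1" 200 9012 "-" "python-requests/2.22.0"
198.51.100.7 - - [11/Jan/2020:03:20:00 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0 "-" "curl/7.64.0"
192.0.2.55 - - [11/Jan/2020:04:00:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path):
    """Strip the query string and percent-decode twice, so that %2e%2e and
    double-encoded %252e%252e both collapse to '..' before matching."""
    path = raw_path.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def classify(method, raw_path):
    """Return a reason string if the request matches the traversal pattern,
    else None. The core test mirrors the vendor's responder-policy mitigation:
    '/vpns/' reached through a '/../' segment."""
    path = normalize_path(raw_path)
    if "/vpns/" not in path or "/../" not in path:
        return None
    if method == "POST" and path.endswith(".pl"):
        return "traversal + POST to Perl script under /vpns/ (write stage)"
    if path.endswith(".xml"):
        return "traversal + fetch of .xml template (trigger stage)"
    return "traversal into /vpns/ (probe/read)"


def scan_log(text):
    """Parse each line and return a list of dicts describing suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        reason = classify(m["method"], m["path"])
        if reason:
            rec = m.groupdict()
            rec["reason"] = reason
            # A 200 means the appliance served the traversal, i.e. it was
            # unpatched and unmitigated at that moment, not merely scanned.
            rec["served"] = rec["status"] == "200"
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-source counts of served versus refused attempts, for triage."""
    counts = Counter()
    for h in hits:
        counts[(h["src"], "served" if h["served"] else "blocked")] += 1
    return dict(counts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["src"]} {h["method"]} {h["path"]} -> {h["status"]}: {h["reason"]}')
    print(summarize(found))
```

A 200 on a traversal request means the appliance actually served it; such a host should be treated as compromised until the written template and any follow-on activity have been investigated, not as merely scanned. A 403 indicates the request was refused, for example by the vendor's responder-policy mitigation.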

Once inside the infrastructure, the Iranian groups used various lateral-movement techniques to locate assets of interest for espionage. They relied on legitimate administration and tunnelling software (Serveo, FRP, PuTTY, Plink) as well as the popular open-source offensive tools Invoke-TheHash and JuicyPotato.
