Threat Management, Threat Management, Threat Intelligence, Malware

Fox Kitten APT campaign exploits VPN flaws hours after public disclosure


Iranian APT actors have engaged in a long-running cyber espionage and data theft campaign that has victimized dozens of companies around the world, typically compromising them via virtual private network and Remote Desktop Protocol services, according to a new research report.

Vulnerable VPNs have been such a favorite attack vector of choice among these actors that they have become adept at exploiting VPN flaws within mere hours to weeks after they have been publicly disclosed, says the report, from ClearSky. This is too quick for most organizations to respond with patches.

The three-year-old campaign, dubbed Fox Kitten, has targeted companies and organizations operating in the IT, telecommunication, oil and gas, aviation, government, and security sectors, the report notes. IT service providers have been a particularly alluring target for the actors because through them they can get to thousands more potential victims.

VPNs exploited by the adversaries include Pulse Secure Connect, Global Protect by Palo Alto Networks, and Fortinet FortiOS, although ClearSky believes Citrix could eventually emerge as a candidate for exploit as well. In late 2019 and early 2020, VPNs have notably been exploited in a number of prominent ransomware attacks, and it is believed that Iranian state actors recently abused VPNs to execute attacks using the ZeroCleare and Dustman disk wipers against energy and industrial sector organizations.

“VPNs play an essential role in providing employees and especially third parties remote access to the network. Their two main functions are to create a data tunnel to between the third party and the corporate network – and to protect it. The latter is mainly achieved through encryption. Critical security breaches in VPN equipment from leading vendors is, therefore, something that organizations must understand and take action on," said Noam Shany, product manager at CyberArk, in reaction to the repot. "In the last 12 months especially, flaws in how VPNs operate has led to many organizations examining other ways to provide remote vendors access to the most sensitive parts of the corporate network.

But infiltrating companies through VPNs is just one stage of a rather complex APT attack. After penetrating the network, the attackers attempt to establish a more permanent foothold through the installation of multiple backdoors.

“...[T]he attackers tried to maintain the access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets,” the report states. “At the final stage, after successfully infiltrating the organization, the attackers have performed a routine process of identification, examination, and filtering of sensitive, valuable information from every targeted organization. The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks.”

The attackers’ tool set includes several of their proprietary creations, including POWSSHNET a backdoor malware program that opens RDP links over SSH tunneling, and STSRCheck, a database and open port mapping tool. They have combined these weapons with a series of customized open source and seemingly legitimate tools for the purposes of privilege escalation, persistence, command-and-control communications and data exfiltration.

Based on the adversaries, tools, techniques and overall infrastructure, ClearSky believes there is a "medium-high probability" that Fox Kitten is linked to the reputed Iranian APT group APT34 (aka OilRig and Helix Kitten) and a "medium" probability the campaign is linked to two additional APT groups widely believed to be sponsored by Iran, APT 33 (aka Elfin) and APT39 (aka Chafer).

ClearSky credited the industrial controls system security firm Dragos for initially reporting on aspects of this campaign in a separate report last month. In its report, Dragos called the campaign Parisite.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.