Iranian Hackers Backdoored VPNs Via One-Day Bugs


Security researchers have joined the dots on a long-running Iranian cyber-espionage campaign that exploited unpatched vulnerabilities in VPN and RDP services to infiltrate target organizations globally.

Building on previous research from Dragos, which named the campaign “Parasite” and attributed it to the state-backed APT33 group, ClearSky has now published a more detailed account of the activity.

Its new report claimed the three-year-long campaign, which ClearSky calls “Fox Kitten,” is most likely the joint work of APT33 (Elfin), APT34 (OilRig) and APT39 (Chafer).

Dozens of companies working across IT, telecoms, oil and gas, aviation and defense industries were affected by the campaign, which is said to have been focused on reconnaissance and planting backdoors to create a “long-lasting foothold” in the target companies.

The initial incursion into these organizations was achieved by exploiting one-day vulnerabilities (flaws for which the vendor had already shipped a patch that the target had not yet applied) in VPN products from Pulse Secure and Fortinet, and in Palo Alto Networks’ GlobalProtect.

The Pulse Secure vulnerability is also thought to have been exploited by ransomware attackers to compromise Travelex, among other victims.

“Upon gaining a foothold at the target, the attackers tried to maintain access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets,” the report noted.

“At the final stage, after successfully infiltrating the organization, the attackers have performed a routine process of identification, examination and filtering of sensitive, valuable information from every targeted organization. The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks.”

The groups used a combination of open source tools such as Juicy Potato and Invoke-TheHash, and custom malware including the open-port mapping tool STSRCheck and the RDP-over-SSH tunneling backdoor POWSSHNET.
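RDP over SSH tunneling, the persistence technique the report describes above and the purpose of the POWSSHNET backdoor, leaves a recognisable server-side trace: because the RDP session is delivered through a local port forward, the RDP server sees the connection arriving from the loopback address rather than from the real client, and Windows records the logon as Security event 4624 with LogonType 10 (RemoteInteractive) and a Source Network Address of 127.0.0.1 or ::1. The following Python is an added example for this page, not code from the ClearSky or Dragos reports; the one-line key=value log format and all sample events in it are constructed for illustration, so a real deployment would swap in a parser for its own SIEM export.

```python
"""Flag RDP logons that arrive over a local tunnel (e.g. SSH -L / plink).

Added example, not from the ClearSky or Dragos reports. Detection rule:
Security EventID 4624 (successful logon) with LogonType 10
(RemoteInteractive, i.e. RDP) whose SourceAddress is a loopback address.
A direct RDP session carries the client's real IP; a tunnelled one shows
127.0.0.1 or ::1 because the SSH client on the server terminates the
forward locally. The log format and events below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, one event per line (hypothetical SIEM export).
# Line 1: normal RDP logon from a workstation -> not flagged.
# Lines 2-3: RDP logons arriving from loopback -> flagged (tunnel).
# Line 4: console logon (LogonType 2) -> not RDP, not flagged.
# Line 5: failed logon (4625) -> outside this rule, not flagged.
SAMPLE_LOG = """\
2020-02-16T09:12:01Z host=FS01 EventID=4624 LogonType=10 TargetUserName=jsmith SourceAddress=10.20.4.17
2020-02-16T22:47:33Z host=FS01 EventID=4624 LogonType=10 TargetUserName=svc_backup SourceAddress=127.0.0.1
2020-02-16T22:48:10Z host=DC02 EventID=4624 LogonType=10 TargetUserName=administrator SourceAddress=::1
2020-02-16T22:49:02Z host=DC02 EventID=4624 LogonType=2 TargetUserName=administrator SourceAddress=127.0.0.1
2020-02-17T03:05:44Z host=FS01 EventID=4625 LogonType=10 TargetUserName=guest SourceAddress=127.0.0.1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s*(?P<kv>.*)$")


@dataclass(frozen=True)
class Logon:
    ts: str
    host: str
    event_id: int
    logon_type: int
    user: str
    source: str


def parse_line(line: str) -> Optional[Logon]:
    """Parse one constructed 'timestamp key=value ...' line; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("kv"):
        return None
    try:
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
        return Logon(
            ts=m.group("ts"),
            host=fields["host"],
            event_id=int(fields["EventID"]),
            logon_type=int(fields["LogonType"]),
            user=fields["TargetUserName"],
            source=fields["SourceAddress"],
        )
    except (KeyError, ValueError):
        # Missing field, non-numeric ID, or a token without '='.
        return None


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for '-', 'LOCAL' or garbage."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_tunnelled_rdp(log_text: str) -> List[Logon]:
    """Return successful RDP logons whose source is the loopback address."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.event_id == 4624 and ev.logon_type == 10 and is_loopback(ev.source):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_tunnelled_rdp(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host}: RDP logon for {ev.user} from {ev.source} "
              f"(likely tunnelled, check for ssh/plink on the host)")
```

Two caveats a responder would add before paging on this rule: administrators who legitimately forward RDP through a jump host produce the same loopback pattern, so baseline by account, host and time of day (the constructed hits above are an off-hours service account and a domain administrator, which is the combination worth escalating); and the rule only sees the inbound leg, so pair it with process or network telemetry for an SSH client (ssh, plink or an unknown binary) on a server making an outbound connection on port 22, which is the leg a backdoor like POWSSHNET has to initiate.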

Although the purpose of the operation appears to be reconnaissance, there is a concern that the same attack infrastructure could be used in the future to deliver destructive malware such as ZeroCleare and Dustman, which have previously been linked to APT34.
