Posted on August 10, 2020 at 1:22 PM
A recent report reveals that an Iranian hacking group known as Fox Kitten is infiltrating F5 networking devices. According to a security alert issued by the Federal Bureau of Investigation (FBI) last week, the group is attacking both the U.S. government and the private sector.
The FBI sent the alert as a Private Industry Notification. Although the notification did not name the hackers, sources have reported that the group is one the broader cyber-security community has been tracking under the code names Parasite and Fox Kitten.
A retired government cyber-security analyst now working with a US private security firm said the group is the “spear tip” of Iran’s cyberattacks.
He pointed out that the hacking syndicate’s main task is to give other Iranian hacking groups an “initial beachhead.” According to the analyst, Fox Kitten provides access for other Iranian groups such as Chafer, OilRig (APT34), and APT33 (Shamoon).
Fox Kitten attacks high-end network devices
To reach these objectives, Fox Kitten attacks expensive, high-end network equipment, using exploits for recently disclosed vulnerabilities before the affected organizations can patch their devices.
Because of the class of device it targets, the group’s victims are mainly government networks and large private corporations.
Once the attackers have gained access to a device, they install a backdoor or web shell on it, turning the device into a gateway into the compromised network.
Reports published earlier this year by the cybersecurity firms Dragos and ClearSky show that this method is not new: Fox Kitten has been operating this way since the summer of last year, when it started exploiting major vulnerabilities in VPN servers and gateways.
According to those reports, Fox Kitten initially targeted vulnerabilities in Citrix network gateways and Citrix ADC servers, Palo Alto GlobalProtect VPN servers, Fortinet FortiOS VPN servers, and Pulse Secure enterprise VPNs.
The FBI notification says Fox Kitten still targets those vulnerabilities, but the group has expanded its arsenal with an exploit for CVE-2020-5902, a remote code execution flaw in the Traffic Management User Interface (TMUI) of BIG-IP, the popular multi-purpose network device made by F5 Networks. The vulnerability was disclosed in early July.
Hacking group shares access with other Iranian groups
The FBI does not refer to the group by its publicly known name, but it references the group’s previous attacks against Citrix gateways and Pulse Secure VPNs. The FBI also says that after the hackers gain access to a network, they are likely to hand that access to other Iranian hacking groups.
They may also try to deploy ransomware to monetize networks that are of no use for cyber-espionage, the FBI pointed out.
“Following successful compromise of the VPN server, the actors obtain legitimate credentials and establish persistence on the server through webshells,” the FBI further said.
The agency also warned that the group is not targeting any specific network: any organization running BIG-IP devices is a potential target.
The FBI detailed one particular Fox Kitten intrusion as an example of the group’s methods, to help companies build detection methods and countermeasures. The agency also advised US companies to patch their on-premises BIG-IP devices so the group cannot exploit the vulnerability.
The agency also noted that the group used tools such as Angry IP Scanner and Nmap for internal reconnaissance.
For command and control (C2) and for tunneling traffic through victim networks, the hackers used several tools: a reverse SSH shell (SSHNET), Plink, ngrok, and Chisel (a C2 tunnel).
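As an added example of the kind of detection the FBI is encouraging (this is not code from the FBI notification or from the original article), the script below scans a BIG-IP httpd access log for requests that use the `..;` path traversal through the TMUI login page, the indicator F5 and others published for CVE-2020-5902. It assumes the log is in Apache combined format; the sample lines are constructed for the example, the addresses are documentation ranges, and the endpoint filenames it labels are the TMUI pages named in public write-ups of the flaw, not anything taken from this article.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format (the format
# BIG-IP's httpd writes); not real traffic.  Line 5 is a legitimate
# authenticated admin using the workspace file viewer and must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jul/2020:03:12:44 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5133 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Jul/2020:03:12:51 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1841 "-" "python-requests/2.24.0"
203.0.113.10 - - [08/Jul/2020:03:13:02 +0000] "GET /tmui/login.jsp/%2E%2E%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 412 "-" "python-requests/2.24.0"
198.51.100.7 - - [08/Jul/2020:03:15:09 +0000] "POST /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp HTTP/1.1" 404 196 "-" "curl/7.68.0"
192.0.2.5 - admin [08/Jul/2020:03:20:00 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# TMUI pages that the traversal is used to reach (from public write-ups of the flaw).
SENSITIVE_ENDPOINTS = ("fileread.jsp", "filesave.jsp", "tmshcmd.jsp")


def normalize_path(target: str) -> str:
    """Strip the query string, undo (possibly repeated) percent-encoding, lowercase.

    Scanners routinely encode the traversal (e.g. %2E%2E%3B or double-encoded
    %252E), so matching on the raw request line would miss them.
    """
    path = target.split("?", 1)[0]
    for _ in range(3):  # enough to unwrap double/triple encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def find_cve_2020_5902_hits(log_text: str) -> list:
    """Return one record per request that uses the '..;' traversal under /tmui/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = normalize_path(m["target"])
        if not (path.startswith("/tmui/") and "..;" in path):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "path": path,
            "status": status,
            # Which sensitive page the traversal was aimed at, if any.
            "endpoint": next((e for e in SENSITIVE_ENDPOINTS if path.endswith(e)), None),
            # A 200 means the device served the page: it was unpatched at that moment.
            "likely_succeeded": status == 200,
        })
    return hits


def summarize(hits: list) -> dict:
    """Count attempts per source address and how many were served successfully."""
    return {
        "sources": dict(Counter(h["ip"] for h in hits)),
        "succeeded": sum(1 for h in hits if h["likely_succeeded"]),
        "attempted": len(hits),
    }


if __name__ == "__main__":
    found = find_cve_2020_5902_hits(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["method"], h["status"], h["path"])
    print(summarize(found))
```

Two points a responder should keep in mind when using a check like this: a traversal request that received a 200 means the device was exploitable at that moment and should be treated as compromised rather than merely scanned, which is why the script separates served requests from blocked ones; and because a compromised BIG-IP is exactly where Fox Kitten plants its web shell, the log should be pulled off the device and reviewed elsewhere rather than trusted on the box. The signature only catches this one traversal; patching is the fix, and the check is for finding out what happened before the patch went on.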
Two victims have been confirmed
Although the FBI report names no victims, a source has revealed that two companies have already fallen victim to Fox Kitten. A security researcher at a US-based cybersecurity firm alerted the public last week that Fox Kitten had successfully compromised BIG-IP devices at two companies. The source did not reveal the identity of the affected firms because of non-disclosure agreements.