Posted on September 18, 2020 at 9:42 AM
Security researchers started warning about loopholes in VPN products some months back, to prevent data-stealing campaigns by state-backed hacking groups.
However, it seems that these hackers have not backed down, as security researchers have observed activity exploiting VPN flaws in IT and health organizations.
The VPN software is made by firms such as Pulse Secure and Palo Alto Networks and is used by large organizations around the world. When these products are vulnerable, they offer broad access to the networks of those corporations, which state-sponsored hackers can use to plant backdoors for future attacks.
Just recently, CISA and the FBI issued an advisory that Iran-sponsored hackers are targeting US businesses and federal agencies to exploit vulnerabilities in VPN connections.
The advisory was issued in a joint alert by both agencies.
The hackers are linked to a hacking syndicate that goes by the names UNC757 and Pioneer Kitten, according to analysis of the hackers' tactics, techniques, and procedures.
The report revealed that Pioneer Kitten has exploited several well-known vulnerabilities in F5 Networks, Citrix NetScaler, and Pulse Secure products.
As it stands, the hackers have had some measure of success in their exploitation so far, with Pulse Secure VPNs being the most recent target.
The CISA and FBI officials discovered that the actors took advantage of the VPN vulnerabilities to access the networks of their victims and maintained persistent access to the successfully exploited networks with different techniques for several months.
The hackers are targeting organizations in several sectors, including media, finance, information technology, government, insurance, and healthcare.
Additionally, the threat actors took advantage of remote external services on internet-connected assets to gain initial access to the target systems. They also use operating system and open-source tooling to carry out their malicious activity. These tools include web shells and fast reverse proxy.
The targets also include companies in Saudi Arabia and Israel.
According to the report, the hackers have been on a rampage for three years, as they are linked to various hacking syndicates. But the most notorious are the threat actors sponsored by Iran. However, the hacks were not perpetrated at the same time. The first wave of attack was in 2017 before another wave last year, according to cybersecurity outfit Clearsky.
The report notes that these state-sponsored actors will continue attacking organizations as long as there are vulnerabilities within the VPN software that expose them.
Ohad Zaidenberg, senior cyber intelligence researcher at Clearsky, commented on the activities of the hackers and gave reasons why the attacks may not stop anytime soon.
“We assess that the Iranians will continue to use vulnerabilities in their attacks before the victims will patch them,” he pointed out.
In January, Saudi security officials revealed that, as part of a data-swapping attack, hackers were able to exploit a VPN vulnerability at an unnamed Middle East organization. A few days later, Dragos, an industrial security firm, released a report stating that certain Iran-backed hackers, known as Parisite, had targeted North American electric utilities.
Quite recently, Microsoft advised companies to secure their data as the notorious hacking group APT33 was password-spraying thousands of companies and institutions to gain access to their infrastructure.
The report is evidence that the Iranian-backed group is not backing off its mission to cast a wide net and infiltrate the databases of top companies and organizations for future attacks.