Posted on February 17, 2020 at 6:19 PM

Iran Hackers Planting Backdoors in VPN Companies for Future Attacks

In 2019, security researchers were in there large numbers disclosing major security bugs of VPN servers, including those sold by Citrix, Fortinet, Palo Alto Networks, as well as Pulse Secure.

Today, a new report was published, which shows that the top security bugs were from hackers backed by the Iranian Government. They infiltrated the security systems of major companies and government agencies throughout the world.

ClearSky, an Israeli cyber-security network, disclosed that the Iranian hackers target firms from security sectors, Governments, Aviation, Oil and Gas, Telecommunications unit, as well as IT departments.

Some cyberattacks occurred a few hours before public disclosure

The Israeli researchers also disclosed that the tools used by the Iranian hackers are less sophisticated than their North Korean, Chinese, and Russian counterparts. But the Iranian hackers attacked more organizations, which makes them the top government-backed hackers last year.

However, ClearSky did not fail to reveal that the Iranian APT syndicates have developed more technical capabilities, making them increasingly more effective in their 1-day exploits within a short period of time.

In some cases, the security researchers said the Iranian hackers exploited technical vulnerabilities even hours after the hacking attempt has gone public. ATP represents a sophisticated persistent threat, which is also a term used to describe hacking units represented and backed by governments.

ClearSky revealed that last year, the Iranian hacking syndicates immediately weaponized weaknesses exposed in Palo Alto Networks VPN, Fortinet FortOS VPN, as well as Pulse Secure “Connect VPN.

Cyber-attacks on the systems started last year when researchers publicly disclosed the bugs. However, the attackers have resumed their activities this year, although on a smaller level compared to last year, says ClearSky. Also, when the VPN flaws were disclosed publicly, the Iranian hacking syndicates added the Citrus “ADC” exploits in their attack.

Hacking Syndicates planting backdoors

The ClearSky reports revealed that the main reason for the attacks by the Iranian hackers is to plant backdoors that would help them exploit vulnerabilities. They do this by breaching enterprise networks.

In the first stage of their attack, the hackers targeted VPNs. However, the second phase of the attack focused on a wholesome collection of techniques and tools, which shows that the attackers have actually improved in their sophistication in recent years.

The researchers believe the Iranian hackers are still having plans to attack more companies and institutions this year. For instance, they used an accessibility tool known as “Sticky keys” to access admin rights on Windows systems. Also, when the hackers did not find local utilities or open-sourced tools to assist them in the attacks, they developed custom malware.

Hackers increasingly getting more sophisticated

Since last year, there have been two new waves of data-wiping malware, known as Dustman and ZeroCleare. The malware, according to ClearSky, are linked to the Iranian hacking syndicates. This kind of situation is plausible and possible.

Besides, ClearSky researchers are not ruling out the fact that the hackers could launch supply chain attacks after successfully hacking the networks of these companies. According to the researchers, this could offer more exploiting opportunities against the customers of the affected companies.

To support this theory, the FBI published a report early this month to warn US companies against attacks on software supply chain firms. These firms include those that support industrial control systems for distribution, transmission, and generation of Global energy. Similarly, the FBI also revealed that there is a link between Iran’s APT33 hacker group and the code used in these attacks.

Multiple attackers collaborating together

ClearSky researchers also revealed that Iranian hackers are doing something that has not been done in the past. According to them, the attackers are partnering and acting as one hacking syndicate. This makes it more difficult to link one hacker group with a particular hacking attempt.

Previously, the Iranian hackers were seen in different hacking activities, but it seems they have collaborated with one goal. These hacking activities, revealed by ClearSky, are the work of three different hacking groups, namely Chafer (APT39), Oilrig 9APT34) and Elfin (APT33).

Presently, the main goal of these attacks appears to be planting backdoors and performing reconnaissance for surveillance operations.

But there is a clear indication that they could also deploy data-wiping malware, which is capable of sabotaging companies and taking down business operations and networks.