The FBI sent a security alert last week warning that a group of Iranian hackers has been attacking the US private and government sectors.
The alert, a Private Industry Notification, did not name the hackers, but according to sources the group is the one tracked by the larger cyber-security community under codenames such as Fox Kitten or Parisite.
A former government cyber-security analyst who now works for a private security firm called the group Iran’s “spear tip” when it comes to cyber-attacks.
The group’s primary task is to provide an “initial beachhead” to other Iranian hacking groups — such as APT33 (Shamoon), Oilrig (APT34), or Chafer.
Fox Kitten operates by attacking high-end and expensive network equipment, exploiting recently disclosed vulnerabilities before companies patch them. Based on the devices it attacks, it mainly targets large private corporations and government networks.
Upon getting access to a device, the group installs a web shell or backdoor, turning the equipment into a gateway into the hacked network.
According to reports published by cyber-security firms ClearSky and Dragos earlier this year, Fox Kitten has been using this modus operandi since the summer of 2019, when it was exploiting vulnerabilities such as:
- Pulse Secure “Connect” enterprise VPNs (CVE-2019-11510)
- Fortinet VPN servers running FortiOS (CVE-2018-13379)
- Palo Alto Networks “Global Protect” VPN servers (CVE-2019-1579)
- Citrix “ADC” servers and Citrix network gateways (CVE-2019-19781)
According to the FBI notification sent out to the US private sector, the group still targets these vulnerabilities, but Fox Kitten has also upgraded its attack arsenal with an exploit for CVE-2020-5902, a vulnerability disclosed in early July that affects BIG-IP, a very popular multi-purpose networking device manufactured by F5 Networks.
The FBI warns companies that once the hackers gain access to their networks, they might also hand that access to other Iranian groups, or monetize networks that aren’t useful for espionage by deploying ransomware. The group targets any company running a BIG-IP device.
The FBI has asked US companies to patch their on-premise BIG-IP devices to prevent intrusions. FBI officials also shared details about a typical Fox Kitten attack, which should help companies deploy countermeasures and detection rules.
After compromising the VPN server, the attackers obtain legitimate credentials and establish persistence on the server through web shells. They then perform internal reconnaissance using tools such as Nmap and Angry IP Scanner, deploy Mimikatz to capture credentials while on the network, and use Juicy Potato for privilege escalation. The actors also create new user accounts while on the network; one account the FBI observed being created by the actors is “Sqladmin$”.
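As an added illustration of the detection side of that chain (example code written for this article, not from the FBI notification or either vendor report), the script below runs two heuristics over constructed sample telemetry: Windows Security events (4688 process creation, 4720 user account creation) checked for the tool names and the “Sqladmin$” account mentioned above, and firewall flow records checked for one internal host touching many distinct targets in a short window, which is the footprint of an Nmap or Angry IP Scanner sweep. The field names, IP addresses, thresholds and command-line patterns are assumptions made for the example; matching on tool names is a heuristic that a renamed binary evades.

```python
"""Detection heuristics for the Fox Kitten post-exploitation chain.
Every record below is constructed for this example, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns for the tools named in the FBI notification (assumed heuristics):
# Mimikatz by binary name or its module::command syntax, Juicy Potato by its
# usual "-l <port> -p <program> -t *" argument shape, scanners by binary name.
TOOL_PATTERNS = {
    "mimikatz": re.compile(r"mimikatz|\b[a-z]+::[a-z]+\b", re.I),
    "juicypotato": re.compile(r"juicypotato|-l\s+\d+\s+-p\s+\S+\s+-t\s+\*", re.I),
    "scanner": re.compile(r"\bnmap\b|angry\s*ip|ipscan", re.I),
}
# Assumption: a *user* account (event 4720) whose name ends in '$' is
# suspicious, because the trailing '$' normally marks computer accounts.
MACHINE_LIKE = re.compile(r"\$$")

# Constructed Windows Security events, already parsed into dicts.
SAMPLE_WIN_EVENTS = [
    {"ts": "2020-08-10T02:14:05", "EventID": 4688, "Computer": "VPN-GW01",
     "NewProcessName": r"C:\Windows\Temp\mimikatz.exe",
     "CommandLine": "mimikatz.exe sekurlsa::logonpasswords"},
    {"ts": "2020-08-10T02:15:12", "EventID": 4688, "Computer": "VPN-GW01",
     "NewProcessName": r"C:\Windows\Temp\jp.exe",
     "CommandLine": "jp.exe -l 1337 -p cmd.exe -t *"},
    {"ts": "2020-08-10T02:18:30", "EventID": 4688, "Computer": "VPN-GW01",
     "NewProcessName": r"C:\Program Files (x86)\Nmap\nmap.exe",
     "CommandLine": "nmap.exe -sS 10.0.10.0/24"},
    {"ts": "2020-08-10T02:26:40", "EventID": 4720, "Computer": "DC01",
     "TargetUserName": "Sqladmin$", "SubjectUserName": "svc_backup"},
    {"ts": "2020-08-10T09:00:00", "EventID": 4720, "Computer": "DC01",
     "TargetUserName": "j.doe", "SubjectUserName": "helpdesk"},
    {"ts": "2020-08-10T09:05:00", "EventID": 4688, "Computer": "WS07",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Constructed firewall flow lines: 30 probes from the VPN appliance's internal
# address in 30 seconds, plus two benign SMB connections from a file server.
SAMPLE_FLOWS = [
    f"2020-08-10T02:20:{i:02d} src=10.0.5.4 dst=10.0.10.{7 + i % 3} "
    f"dport={20 + i} action=deny"
    for i in range(30)
] + [
    "2020-08-10T02:20:05 src=10.0.7.21 dst=10.0.10.7 dport=445 action=allow",
    "2020-08-10T02:21:05 src=10.0.7.21 dst=10.0.10.8 dport=445 action=allow",
]
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def detect_windows_events(events):
    """Return (ts, computer, rule, detail) hits for tool usage and account creation."""
    hits = []
    for ev in events:
        if ev["EventID"] == 4688:
            text = ev["NewProcessName"] + " " + ev["CommandLine"]
            for tool, pat in TOOL_PATTERNS.items():
                if pat.search(text):
                    hits.append((ev["ts"], ev["Computer"], f"tool:{tool}", ev["CommandLine"]))
        elif ev["EventID"] == 4720:
            name = ev["TargetUserName"]
            if name.lower() == "sqladmin$":          # account named in the FBI notification
                hits.append((ev["ts"], ev["Computer"], "ioc:known_account", name))
            elif MACHINE_LIKE.search(name):
                hits.append((ev["ts"], ev["Computer"], "suspicious:machine_like_user", name))
    return hits


def detect_internal_scan(lines, window=timedelta(seconds=60), threshold=20):
    """Map each source that reaches >= threshold distinct (dst, port) targets
    within `window` to the target count at the moment it crossed the line."""
    by_src = defaultdict(list)
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            by_src[m["src"]].append((datetime.fromisoformat(m["ts"]), (m["dst"], m["dport"])))
    scanners = {}
    for src, flows in by_src.items():
        flows.sort()
        start = 0
        for end in range(len(flows)):              # sliding time window over sorted flows
            while flows[end][0] - flows[start][0] > window:
                start += 1
            targets = {t for _, t in flows[start:end + 1]}
            if len(targets) >= threshold:
                scanners[src] = len(targets)
                break
    return scanners


if __name__ == "__main__":
    for hit in detect_windows_events(SAMPLE_WIN_EVENTS):
        print("HOST", *hit)
    for src, count in detect_internal_scan(SAMPLE_FLOWS).items():
        print("SCAN", src, "touched", count, "distinct targets within 60s")
```

The two heuristics complement each other: the host-side rule fires only while the tooling keeps its recognisable name or syntax, whereas the flow-side rule keys on behaviour (a VPN appliance that suddenly probes dozens of internal host:port pairs) and survives renamed binaries.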
Iran’s state-sponsored hacking groups aren’t the only threat actors that have targeted the BIG-IP vulnerability.
Multiple hacker groups began exploiting this bug within two days of details and proof-of-concept exploits becoming public, and in recent weeks an exploit for the BIG-IP bug has even been spotted as part of a Mirai-based DDoS botnet.