A security alert was sent by the FBI last week warning that a team of Iranian hackers has been observed attacking the US private and government sector. The alert, known as a Private Industry Notification, did not name the hackers, but according to sources the group is tracked by the wider cyber-security community under codenames such as Fox Kitten or Parisite.
The Real Picture
According to a former government cyber-security analyst who now works for a private security firm, the group is Iran's “spear tip” when it comes to cyber-attacks. The group's primary task is to provide an “initial beachhead” for other Iranian hacking groups, such as APT33 (Shamoon), Oilrig (APT34), or Chafer.
Fox Kitten operates by attacking high-end and expensive network equipment, exploiting recently disclosed vulnerabilities before organizations patch them. Based on the devices they attack, they generally target large private companies and government networks. Upon gaining access to a device, they install a web shell or backdoor, turning the device into a gateway into the compromised network.
According to reports published by the cyber-security companies ClearSky and Dragos earlier this year, Fox Kitten has been using this modus operandi since the summer of 2019, when it was exploiting vulnerabilities such as:
- Pulse Secure “Connect” enterprise VPNs (CVE-2019-11510)
- Fortinet VPN servers running FortiOS (CVE-2018-13379)
- Palo Alto Networks “Global Protect” VPN servers (CVE-2019-1579)
- Citrix “ADC” servers and Citrix network gateways (CVE-2019-19781)
The Main Objective behind this Act
According to the FBI notification sent out to the US private sector, the group still targets these vulnerabilities, but Fox Kitten has also upgraded its attack arsenal to include an exploit for CVE-2020-5902, a vulnerability disclosed in early July that affects BIG-IP, a very popular multi-purpose networking device manufactured by F5 Networks.
The FBI warns businesses that once the hackers gain access to their networks, they might also hand that access to other Iranian groups, or monetize networks that aren't useful for espionage by deploying ransomware. The group targets any organisation running a BIG-IP device. The FBI has asked US businesses to patch their on-premises BIG-IP devices to prevent intrusions, and FBI officials also shared details of a typical Fox Kitten attack to help businesses set up countermeasures and detection rules.
After successfully compromising the VPN server, the attackers obtain legitimate credentials and establish persistence on the server via web shells. They then perform internal reconnaissance post-exploitation using tools such as NMAP and Angry IP Scanner. The actors deploy Mimikatz to capture credentials while on the network, and Juicy Potato for privilege escalation. The actors also create new users while on the network; one account the FBI observed being created by the actors is “Sqladmin$”. Iran's state-sponsored hacking groups aren't the only threat actors that have targeted the BIG-IP vulnerability.
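One way to turn the account-creation step of this intrusion chain into a detection rule, as an added example that is not part of the FBI notification or any vendor's tooling: scan Windows Security log events for account creations (Event ID 4720) and flag the name the FBI reported, plus any new user account that imitates a machine account with a trailing “$”. The JSON-rendered event records below are constructed sample data; the field names follow the standard Security log schema.

```python
"""Detection sketch for the 'new user created' step of the Fox Kitten
intrusion chain (added example, not from the FBI alert). Input is a list
of Windows Security events rendered as JSON lines; EventID 4720 is
"A user account was created". The sample records are constructed."""
import json
import re

# Name reported in the FBI alert, compared case-insensitively.
KNOWN_ACTOR_ACCOUNTS = {"sqladmin$"}
# A trailing "$" is normally reserved for machine accounts, so a newly
# created *user* account ending in "$" deserves a look whatever its name.
MACHINE_STYLE_NAME = re.compile(r"^[a-z0-9_.-]+\$$", re.IGNORECASE)

# Constructed sample log: a benign creation, a logon event that must be
# ignored, the exact name from the alert, and a pattern-only match.
SAMPLE_EVENTS = [
    '{"EventID": 4720, "TargetUserName": "jsmith", "SubjectUserName": "helpdesk", "Computer": "VPN-GW01"}',
    '{"EventID": 4624, "TargetUserName": "jsmith", "SubjectUserName": "-", "Computer": "VPN-GW01"}',
    '{"EventID": 4720, "TargetUserName": "Sqladmin$", "SubjectUserName": "IUSR", "Computer": "VPN-GW01"}',
    '{"EventID": 4720, "TargetUserName": "backup$", "SubjectUserName": "svc_web", "Computer": "FILE02"}',
]

def classify_account_creation(event):
    """Return a finding dict for a suspicious 4720 event, else None."""
    if event.get("EventID") != 4720:
        return None
    name = event.get("TargetUserName", "")
    if name.lower() in KNOWN_ACTOR_ACCOUNTS:
        severity, reason = "high", "account name reported in FBI alert"
    elif MACHINE_STYLE_NAME.match(name):
        severity, reason = "medium", "user account with machine-style trailing '$'"
    else:
        return None
    # SubjectUserName shows who created the account; a web server or
    # service identity doing so is consistent with a web shell, not an admin.
    return {"host": event.get("Computer"), "account": name,
            "created_by": event.get("SubjectUserName"),
            "severity": severity, "reason": reason}

def scan(lines):
    """Parse JSON event lines and collect findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify_account_creation(event)
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['account']} created by "
              f"{f['created_by']} ({f['reason']})")
```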
Multiple hacker groups began exploiting this bug within two days of details and proof-of-concept exploits becoming public, and in recent weeks an exploit for the BIG-IP bug has even been spotted as part of a Mirai-based DDoS botnet.