20 February 2020

Iranian hacking campaign backdoors corporate networks via enterprise VPN servers


Over the last three years, dozens of companies in the IT, telecoms, oil and gas, aviation and defense sectors have been targeted in a worldwide hacking campaign focused on reconnaissance and on planting backdoors to create a “long-lasting foothold” inside the victims' networks. The attacks leveraged several of the enterprise VPN vulnerabilities disclosed last year, a new ClearSky research report reveals.

The researchers believe the campaign, which they call “Fox Kitten”, is most likely the work of three Iran-linked APT groups: APT33 (Elfin), APT34 (OilRig) and APT39 (Chafer).

Last year, Iranian groups were quick to exploit vulnerabilities disclosed in the Fortinet FortiOS SSL VPN (CVE-2018-13379, a path traversal in the web portal that exposes the sslvpn_websession file holding plaintext VPN credentials), Pulse Secure's Pulse Connect Secure VPN (CVE-2019-11510, an unauthenticated arbitrary file read) and Palo Alto Networks' GlobalProtect VPN (CVE-2019-1579, a pre-authentication remote code execution flaw). Exploitation of these products began last summer and has continued into 2020.
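All three bugs are reachable from the internet without credentials, so the first place a defender can see them is the VPN appliance's own web or reverse-proxy logs. The following is an added example, not code from the ClearSky report, that matches request records against the publicly documented proof-of-concept request shapes for each CVE. The JSON-lines log format and every log line in it are constructed for the illustration; the rule predicates are the only part worth carrying over to a real log source.

```python
import json
import re
from urllib.parse import unquote

# Path-traversal marker, checked after URL decoding so "%2e%2e%2f" is caught too.
TRAVERSAL = re.compile(r"\.\.[/\\]")

# One rule per CVE: (CVE, product, predicate over a decoded request record).
# The request shapes follow the public proof-of-concept requests for each bug.
RULES = [
    # Path traversal in the SSL VPN web portal; the classic read target is
    # /dev/cmdb/sslvpn_websession, which holds plaintext VPN credentials.
    ("CVE-2018-13379", "Fortinet FortiOS SSL VPN",
     lambda r: "/remote/fgt_lang" in r["uri"] and bool(TRAVERSAL.search(r["uri"]))),
    # Unauthenticated arbitrary file read via traversal under /dana-na/.
    ("CVE-2019-11510", "Pulse Connect Secure",
     lambda r: r["uri"].startswith("/dana-na/") and bool(TRAVERSAL.search(r["uri"]))),
    # Format-string bug in the scep-profile-name parameter posted to /sslmgr;
    # /sslmgr itself is a legitimate client endpoint, "%n" in that field is not.
    ("CVE-2019-1579", "Palo Alto Networks GlobalProtect",
     lambda r: r["method"] == "POST" and r["uri"].startswith("/sslmgr")
     and "scep-profile-name=" in r["body"] and "%n" in r["body"]),
]

# Constructed reverse-proxy/WAF log (JSON lines), one request per line.
# Addresses are documentation ranges; nothing here comes from the report.
SAMPLE_LOG = """\
{"ts":"2019-08-22T03:14:07Z","src":"203.0.113.5","method":"GET","uri":"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession","body":""}
{"ts":"2019-08-22T03:14:09Z","src":"203.0.113.5","method":"GET","uri":"/remote/login?lang=en","body":""}
{"ts":"2019-08-23T11:02:51Z","src":"198.51.100.77","method":"GET","uri":"/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/","body":""}
{"ts":"2019-08-23T11:03:00Z","src":"198.51.100.77","method":"GET","uri":"/dana-na/auth/url_default/welcome.cgi","body":""}
{"ts":"2019-08-24T19:45:12Z","src":"192.0.2.9","method":"POST","uri":"/sslmgr","body":"scep-profile-name=%n%n%n%n%n%n%n%n%n%n"}
{"ts":"2019-08-24T19:46:30Z","src":"10.0.0.14","method":"POST","uri":"/sslmgr","body":"scep-profile-name=corp-profile"}
{"ts":"2019-08-25T08:00:00Z","src":"203.0.113.5","method":"GET","uri":"/remote/fgt_lang?lang=%2f..%2f..%2f..%2f..%2fdev%2fcmdb%2fsslvpn_websession","body":""}
"""


def parse_record(line: str) -> dict:
    """Parse one JSON log line and URL-decode the fields the rules inspect."""
    rec = json.loads(line)
    rec["uri"] = unquote(rec["uri"])
    rec["body"] = unquote(rec.get("body", ""))
    return rec


def match_rules(rec: dict) -> list:
    """Return the CVE identifiers whose rule matches this request."""
    return [cve for cve, _product, pred in RULES if pred(rec)]


def scan(log_text: str) -> list:
    """Scan a log and return (timestamp, source IP, CVE, decoded URI) hits in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for cve in match_rules(rec):
            hits.append((rec["ts"], rec["src"], cve, rec["uri"]))
    return hits


if __name__ == "__main__":
    for ts, src, cve, uri in scan(SAMPLE_LOG):
        print(f"{ts} {src} {cve} {uri}")
```

The decoding step matters: the last sample line is the same Fortinet traversal with the slashes percent-encoded, and a pattern applied to the raw URI would miss it. A single `unquote` does not defeat double encoding, so on a real appliance log decode until the string stops changing. The Fortinet and Pulse rules deliberately flag any traversal on those endpoints rather than the specific file names from the public exploits, since the same bugs read any file the process can open.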

“Upon gaining a foothold at the target, the attackers tried to maintain the access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets,” the report noted.
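Tunnelling RDP inside SSH hides the RDP traffic on the wire, but it leaves a host-side trace: the RDP session is terminated by the SSH client on the victim, so the resulting logon (Security event 4624, logon type 10) arrives from a loopback address rather than from the operator's real source, and shortly before it an SSH client process opened an outbound connection (Sysmon event 3 to port 22). The following added example, not code from the ClearSky report, correlates those two observations; the event records are constructed, the field names are assumed to be what a SIEM would normalise from those two log sources, and port 22 plus a ten-minute window are starting heuristics rather than facts from the report.

```python
from datetime import datetime, timedelta

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed events for illustration only.  Sysmon EID 3 = network
# connection initiated by a process; Security EID 4624 with logon_type 10 =
# RemoteInteractive (RDP) logon, src_ip = where the RDP session came from.
SAMPLE_EVENTS = [
    {"time": "2019-09-03T02:10:05Z", "host": "FS01", "source": "Sysmon", "event_id": 3,
     "image": "C:\\Windows\\Temp\\plink.exe", "dst_ip": "198.51.100.20", "dst_port": 22, "initiated": True},
    {"time": "2019-09-03T02:11:40Z", "host": "FS01", "source": "Security", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "127.0.0.1"},
    {"time": "2019-09-03T09:00:00Z", "host": "WS22", "source": "Security", "event_id": 4624,
     "logon_type": 10, "user": "jsmith", "src_ip": "10.20.30.40"},
    {"time": "2019-09-03T10:00:00Z", "host": "DEV07", "source": "Sysmon", "event_id": 3,
     "image": "C:\\Program Files\\Git\\usr\\bin\\ssh.exe", "dst_ip": "10.5.5.5", "dst_port": 22, "initiated": True},
    {"time": "2019-09-04T01:00:00Z", "host": "DEV07", "source": "Security", "event_id": 4624,
     "logon_type": 10, "user": "dev", "src_ip": "::1"},
]


def parse_time(s: str) -> datetime:
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_ssh_client_connect(e: dict) -> bool:
    """Outbound connection to port 22 initiated by a process on the host."""
    return (e["source"] == "Sysmon" and e["event_id"] == 3
            and e.get("dst_port") == 22 and e.get("initiated", False))


def is_rdp_logon(e: dict) -> bool:
    """Security 4624 with logon type 10 (RemoteInteractive, i.e. RDP)."""
    return e["source"] == "Security" and e["event_id"] == 4624 and e.get("logon_type") == 10


def detect_tunneled_rdp(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Alert on RDP logons sourced from loopback; escalate when the same host
    opened an SSH client connection within `window` before the logon."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    ssh_conns = [e for e in events if is_ssh_client_connect(e)]
    alerts = []
    for e in events:
        if not is_rdp_logon(e) or e["src_ip"] not in LOOPBACK:
            continue
        t = parse_time(e["time"])
        prior = [c for c in ssh_conns
                 if c["host"] == e["host"] and t - window <= parse_time(c["time"]) <= t]
        if prior:
            c = prior[-1]  # most recent SSH connection before the logon
            delta = int((t - parse_time(c["time"])).total_seconds())
            alerts.append({"host": e["host"], "user": e["user"], "severity": "high",
                           "reason": f"RDP logon from {e['src_ip']} {delta}s after "
                                     f"{c['image']} opened an SSH connection to {c['dst_ip']}:22"})
        else:
            alerts.append({"host": e["host"], "user": e["user"], "severity": "medium",
                           "reason": f"RDP logon from loopback address {e['src_ip']}; no SSH "
                                     f"client connection on this host in the preceding "
                                     f"{int(window.total_seconds())}s"})
    return alerts


if __name__ == "__main__":
    for a in detect_tunneled_rdp(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} {a['user']}: {a['reason']}")
```

In the sample, FS01 produces the high-severity alert (plink.exe to port 22, then an RDP logon from 127.0.0.1 95 seconds later), DEV07 produces only the medium one because its SSH session is fifteen hours old, and WS22's logon from a routable address is ignored. The medium alert is still worth triage on its own: a loopback-sourced RDP logon also shows up with SOCKS proxies and other tunnelling tools, and an operator who runs SSH on a non-standard port will never trigger the port-22 correlation. Where Sysmon is not deployed, egress firewall logs can stand in for event 3.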

The researchers say the attackers used the campaign infrastructure to develop and maintain access routes into the targeted organizations, steal valuable data, keep a long-lasting foothold on the compromised systems and compromise further companies through supply-chain attacks.

To conduct the attacks the threat actors used a variety of tools, mostly based on open-source code, with some custom-made malware among them, such as:

STSRCheck – self-developed tool for mapping databases and open ports.

POWSSHNET – self-developed backdoor that tunnels RDP over SSH.

VBScript – downloads TXT files from the command-and-control (C2) server and joins them into a portable executable (PE) file.

Socket-based backdoor over cs.exe – an executable that opens a socket-based connection to a hardcoded IP address.

Port.exe – tool that scans predefined ports on a given IP address.

“Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time, starting from several hours to a week or two,” the report noted.

While the goal of this campaign appears to be reconnaissance, there is concern that the same attack infrastructure could later be used to deploy destructive malware such as ZeroCleare and Dustman, both of which have previously been linked to APT34.
